cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
558
Views
0
Helpful
7
Replies

Site2site VPN QoS question

xzjleo2005
Level 1
Level 1

Hi

We have site2site VPN with ASA 8.03 and I configured the QoS on ASA outside interface. But there is no traffic mapping the QoS, here is my QoS setting and show service-policy output. In the output, there is no traffic mapping the class-map ERP. Anyone knows if the QoS can work with site2site IPSec VPN tunnel or any ideas about this issue?

Thanks, Leo

----------------------------------

class-map ERP

match access-list ERP

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map ERP

class ERP

priority

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

policy-map ALL-TRAFFIC-OUTSIDE

class class-default

shape average 3000000

service-policy ERP

!

service-policy global_policy global

service-policy ALL-TRAFFIC-OUTSIDE interface outside

-------------------------------------

AP801N0010-ASA# sh service-policy

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns preset_dns_map, packet 65499, drop 0, reset-drop 0

Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: netbios, packet 83629, drop 0, reset-drop 0

Inspect: rsh, packet 16, drop 0, reset-drop 0

Inspect: rtsp, packet 15, drop 0, reset-drop 0

Inspect: skinny , packet 15, drop 0, reset-drop 0

Inspect: esmtp _default_esmtp_map, packet 23656, drop 0, reset-drop 0

Inspect: sqlnet, packet 15, drop 0, reset-drop 0

Inspect: sunrpc, packet 15, drop 0, reset-drop 0

Inspect: tftp, packet 0, drop 0, reset-drop 0

Inspect: sip , packet 0, drop 0, reset-drop 0

Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Interface outside:

Service-policy: ALL-TRAFFIC-OUTSIDE

Class-map: class-default

shape (average) cir 3000000, bc 12000, be 12000

(pkts output/bytes output) 3743871/2900711920

(total drops/no-buffer drops) 381/0

Service-policy: ERP

Class-map: ERP

priority

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

Class-map: class-default

Default Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/381/0

(pkts output/bytes output) 3744009/2900909640

7 Replies 7

andrew.prince
Level 10
Level 10

post the acl ERP

Here you are

access-list ERP extended permit ip host 192.168.17.4 any

access-list ERP extended permit ip host 192.168.9.2 any

access-list ERP extended permit ip host 192.168.17.170 any

access-list ERP extended permit ip host 192.168.17.171 any

access-list ERP extended permit ip host 192.168.17.172 any

access-list ERP extended permit ip host 192.168.17.173 any

access-list ERP extended permit ip host 192.168.17.174 any

What is your IP subnet on the inside interface?

Thanks for the reply, but when I changed the QoS configuration, I can see there are the traffic can hit the QoS policy. Following the my old and new configuration, anyone knows what's the difference between them? My connection is 3M BDSL circuit, my goal is to priority the ERP traffic, so which configuration is better for my situation?

Thanks. Leo

-----------------------------------------

old config:

class-map ERP

match access-list ERP

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map ERP

class ERP

priority

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

policy-map ALL-TRAFFIC-OUTSIDE

class class-default

shape average 3000000

service-policy ERP

!

service-policy global_policy global

service-policy ALL-TRAFFIC-OUTSIDE interface outside

-----------------------------------------

new config:

class-map ERP

match access-list ERP

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map ERP

class ERP

priority

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

policy-map ALL-TRAFFIC-OUTSIDE

class ERP

priority

class class-default

police output 3072000

!

service-policy global_policy global

service-policy ALL-TRAFFIC-OUTSIDE interface outside

You are policing to a certain amount - but you are not defining a priority bw for your important traffic.

What exactly are you trying to do or stop?

What I want to do is prioritize the ERP traffic in our 3M link, I don't care how much bandwidth it need, just want to give priority to this kind of traffic.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: