QoS over VPN with ASAs plus throttling all outside interface traffic?

RHITCHCOCK
Level 1

I have a main site with an ASA 5510 and three additional sites with ASA 5505s.  All sites are connected to the Internet on a Fiber network and are guaranteed 10Mbit to each other.  VPNs link all sites together, but most traffic is to and from the main site.  Both data and VoIP traffic are on the same VPN and (unfortunately) VoIP phones are not completely segmented on each local LAN.

We are experiencing problems with VoIP calls (all VoIP communication comes to the phone system at the main site for all calls).  Drops in conversation, etc.  This was obviously bandwidth-related - I can recreate the problem at any time just by downloading a file at the main site from a website we get very fast downloads from.

I used the information here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

to set up QoS over the VPN to one site for testing purposes (I made the configuration changes for the tunnels on the 5510 at the main site and the 5505 at the test site).  It seems to work well for strictly VPN traffic - if I push a large file over the WAN to the test site (say with a nice fast SCP client) my conversation with someone there stays clear.

But the problem remains if I download a file from the Internet at the main site and get fast download speed.  I can watch the utilization on the outside interface spike on the 5510 in ASDM, and if I'm on the phone with the test remote site during the download, their conversation cuts out (which makes sense, since that is incoming to my outside interface.  They can hear me just fine, since I'm not using much upload at the time.)

I assume this is because the only QoS that's being done is being done over the VPN.  I tried adding a police input line to the policy applied to the outside interface (there is already a policy output command on it) and I get an error:

ERROR: Input policing cannot be done on a flow destination basis

So, if I need to throttle bandwidth on the outside interface so that it doesn't interfere with VoIP traffic going over my VPNs, what's the best way to go about it?  Can I create a new policy that limits http and ftp traffic specifically on the outside interface?  Is there a way to add input policing to the policy I have, by using something other than match flow ip destination-address?

Thank you.

Accepted Solution

Try amending your policy from:

class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
class-map Data
match flow ip destination-address
match tunnel-group x.x.x.x

to

class-map Voice
match dscp ef
match tunnel-group x.x.x.x
class-map Internet
match access-list limit-internet
!
policy-map Policy-Internet-QoS
class Voice
  priority
class Internet
  police input <> 1500
  police output <> 1500
!
service-policy Policy-Internet-QoS interface outside
!
access-list limit-internet extended permit tcp any eq www any
access-list limit-internet extended permit tcp any eq https any
access-list limit-internet extended permit tcp any eq ftp any

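As an added example (not from the thread, Andrew or Cisco), a small Python lint that parses ASA-style class-map/policy-map text and flags the two conditions discussed in this thread: police input applied to a class matched with match flow ip destination-address (which the ASA rejects with the error quoted in the question) and a policy-map that leaves the outside interface with no inbound policing at all. The config snippets, the 203.0.113.1 peer address and the rate values are constructed, not taken from the poster's configuration.

```python
# Constructed ASA-style snippets modelled on the thread, not copied from it: BEFORE
# adds an assumed "police input" to the flow-based Data class; AFTER is Andrew's design.
BEFORE = """\
class-map Data
 match flow ip destination-address
policy-map Policy-Outside
 class Data
  police input 8000000 1500"""
AFTER = """\
class-map Voice
 match dscp ef
 match tunnel-group 203.0.113.1
class-map Internet
 match access-list limit-internet
policy-map Policy-Internet-QoS
 class Voice
  priority
 class Internet
  police input 4000000 1500
  police output 4000000 1500"""

def parse(cfg):
    """Return {class-map: [match ...]} and {policy-map: {class: [actions]}}."""
    classes, policies, cls, pol = {}, {}, None, None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        kw, _, rest = line.partition(" ")
        if kw == "class-map":
            cls, pol, classes[rest] = rest, None, []
        elif kw == "policy-map":
            pol, cls, policies[rest] = rest, None, {}
        elif kw == "match" and cls and pol is None:
            classes[cls].append(rest)
        elif kw == "class" and pol:
            cls, policies[pol][rest] = rest, []
        elif pol and cls:
            policies[pol][cls].append(line)
    return classes, policies

def lint(cfg):
    """Flag police input on a flow-based class, and policy-maps with no inbound policing."""
    (classes, policies), problems = parse(cfg), []
    for pmap, members in policies.items():
        inbound = False
        for cname, actions in members.items():
            flow = any(m.startswith("flow ip destination-address") for m in classes.get(cname, []))
            polin = any(a.startswith("police input") for a in actions)
            if flow and polin:
                problems.append(f"{pmap}/{cname}: police input on a flow-based class is rejected")
            inbound |= polin and not flow  # only a non-flow class can really police inbound
        if not inbound:
            problems.append(f"{pmap}: no inbound policing, so Internet downloads stay unshaped")
    return problems
```

Run lint() on a saved "show running-config" extract to confirm the outside policy polices inbound before testing with a live download.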

7 Replies

andrew.prince
Level 10

Move your current policy from the outside interface to your inside interface (and change the direction) , then write another policy for the outside interface for the inbound traffic - excluding the IPSEC.

HTH.

Andrew.

I can apply it to the inside interface - but can I change the direction?  When I tried to change it to police input previously it gave me that error in my first post.  Do I need to change what the class-map matches?  Maybe I misunderstand you.  Here's what I have currently:

class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
class-map Data
match flow ip destination-address
match tunnel-group x.x.x.x

You stated in your first post "I tried adding a police input line to the policy applied to the outside interface (there is already a policy output command on it) and I get an error"

I suggested "Move your current policy from the outside interface to your inside interface (and change the direction)" we are talking about separate interfaces???

Use an existing ACL that defines the interesting VPN traffic, then match the policy on that on the inside interface.


That looks good, Andrew, thank you.  I'll try implementing these changes in the next day or so to test and I'll return to report results and give you proper credit.  Thanks again!

By jove, sir, I believe you've got it.  My testing shows that seems to have done the trick.  I'll do some more tuning of the actual bit number, but by setting that to a particular number I've been able to have clear VoIP while observing a throttled http download.  Perfect!

Thank you very much for your help!

np - glad to help.

Andrew.
