VOIP QoS over L2L VPN on an ASA5505

Jan 18th, 2012

I have 4 remote sites that are using an ASA as their firewall / router. I'm setting up a full mesh VPN between all the sites. One of the sites has a UC500 and the other sites access that UC over the VPN tunnels. I would like to set up some basic QoS for the VOIP traffic.

Let's say a remote site has 10mb down / 1mb up and I use the following config:

ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group (VPN 2L2 TUNNEL NAME BACK TO UC)
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config-pmap-c)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config-pmap-c)# service-policy shape-priority-policy interface outside

To me this would only limit the VPN to 900kb with 100kb reserved for VOIP, but non-VPN traffic would not be shaped.

I would like to limit all traffic with some reserved space for VOIP and then give it priority.

Second question:

The site that has the UC will have multiple VPN tunnels coming in from the remote sites. How will I do QoS with voice traffic on that site?

jgeorge@dynamic... Wed, 01/18/2012 - 14:25

Thanks for the link but that is where I got my config that I posted above...

The article didn't answer my questions so I posted here.

ajay chauhan Thu, 01/19/2012 - 06:25

OK let me try to explain -

Here two service-policies are configured: one is matching VPN VoIP traffic and the other one is global. Inside the global policy you have configured

shape average 900000  < This is for match class-default; all the traffic which does not match any specific class will be matched here. Just in case of congestion, the remaining BW will be guaranteed for voice.

Thanks

Ajay

jgeorge@dynamic... Thu, 01/19/2012 - 11:59

Thanks that makes some more sense. I still have the second question though, could you help with that?

"The site that has the UC will have multiple VPN tunnels coming in from the remote sites. How will I do QoS with voice traffic on that site?"

ajay chauhan Thu, 01/19/2012 - 12:53

Hi Jason,

You can call multiple class-maps under the same policy-map. Here it will be a little tricky to allocate the required bandwidth.

So you need to adjust the bandwidth for the traffic shape.

Thanks

Ajay

jgeorge@dynamic... Thu, 01/19/2012 - 15:27

How should I do that though?

Let's say the site with the UC has a 5MB connection UP.

I want to reserve at least 200Kbps for each site's VPN voice traffic.

jgeorge@dynamic... Wed, 02/01/2012 - 12:00

Maybe I should ask the question this way.

I have 5 site-to-site VPN tunnels. I want to apply the QoS to all 5 tunnels to limit the speed to 85% and reserve 15% for VOIP.

With my example above I am able to do this if I have one tunnel, but I'm not sure how to make it work with more than one tunnel.

I was thinking I could use a match statement that uses an ACL to match all LAN traffic that would be going to the other remote sites, but I get the following error:

ERROR: Multiple match commands are not supported except for the 'match tunnel-group or default-inspect-traffic' command.

ajay chauhan Wed, 02/01/2012 - 12:34

I would say you should calculate the total BW required for VOIP and configure the shape based on that. Of course you won't like to drop voice calls. QoS will only work when there is congestion, else all is free to go.

jgeorge@dynamic... Wed, 02/01/2012 - 12:46

How do you apply this type of QoS when there is more than one tunnel in place?

Do I need to make 5 policy maps such as (only made 2 as an example):

class-map TG1-voice-class
match tunnel-group AAA
match dscp ef

class-map TG2-voice-class
match tunnel-group BBB
match dscp ef

policy-map priority-policy
class TG1-voice-class
priority

policy-map shape-priority-policy
class class-default
shape average 14256000
service-policy priority-policy

policy-map priority-policy
class TG2-voice-class
priority

policy-map shape-priority-policy
class class-default
shape average 14256000
service-policy priority-policy

service-policy shape-priority-policy interface outside

So this will limit the upload speed to 14256000 and allow the rest of the BW to VOIP?

ajay chauhan Wed, 02/01/2012 - 22:04

Create multiple class-maps like:

class-map TG2-voice-class
match tunnel-group BBB
match dscp ef

Call all of them under:

policy-map priority-policy

Thanks

Ajay
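
The layout described in the reply above, written out as an added example (not a config posted by either participant): one class-map per tunnel, all of them called from a single priority-policy, which is nested once under a single shaping policy. The tunnel-group names AAA and BBB and the shape rate are taken from the question; it assumes the ASA software in use accepts tunnel-group matches in a priority class nested under a shaper, as the configs in this thread do.

```cisco
! Added example. AAA and BBB are the tunnel-group names used in the question.
! One class-map per L2L tunnel: EF-marked packets carried in that tunnel.
class-map TG1-voice-class
 match tunnel-group AAA
 match dscp ef
class-map TG2-voice-class
 match tunnel-group BBB
 match dscp ef
!
! A single child policy lists every voice class.
! Add one "class ... / priority" pair for each remaining tunnel.
policy-map priority-policy
 class TG1-voice-class
  priority
 class TG2-voice-class
  priority
!
! A single parent policy shapes all outbound traffic (class-default) and
! nests the child policy, so voice packets are sent first within the shaped rate.
! The rate is the value from the question's config.
policy-map shape-priority-policy
 class class-default
  shape average 14256000
  service-policy priority-policy
!
! Applied once to the outside interface.
service-policy shape-priority-policy interface outside
```

Each policy-map name is defined only once here; entering the same policy-map name a second time, as in the question's draft, edits the existing policy rather than creating another one.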
