Cisco Support Community
Community Member

ASA 5505 with BTnet SIP - Policing and Priority Queuing settings

From my own research I've put together this config for an ASA 5505 (9.0) to prioritise SIP and police IP traffic for the BT SIP service over BTnet.

All comments welcome. As I understand it, you prioritise outgoing SIP/RTP traffic on the "outside" interface and police IP traffic on the "inside" interface?

 

BTnet SIP service with the following topology

 

Part 1 of 2 :

Set up Priority Queuing for outgoing SIP and RTP traffic

 

! Enable a priority queue on the outside interface
priority-queue outside

! Object group for the RTP media port range
object-group service rtp udp
 port-object range 49152 65535

! ACL matching SIP signalling and RTP media from the DMZ to the BT SIP server
access-list VoIP-Traffic-OUT extended permit tcp 192.168.0.0 255.255.255.0 host 85.119.63.4 eq sip
access-list VoIP-Traffic-OUT extended permit udp 192.168.0.0 255.255.255.0 host 85.119.63.4 object-group rtp

! Class map - match the ACL
class-map Voice-OUT
 match access-list VoIP-Traffic-OUT
 exit

! Policy map - give the Voice-OUT class strict priority (this is the class
! for which priority queuing is performed)
policy-map PRIORITY-POLICY
 class Voice-OUT
  priority

! Shaping policy - only the class-default class map (match any) can be shaped,
! because the security appliance requires all traffic to be matched for
! traffic shaping. The priority policy is nested under the shaper
! (hierarchical policy).
policy-map QOS-TRAFFIC-OUT
 class class-default
! 10 Mbps upload
  shape average 10000000
  service-policy PRIORITY-POLICY

! Apply the shaping policy to the outside interface
service-policy QOS-TRAFFIC-OUT interface outside

! Show commands:

ASA# show service-policy priority

ASA# show service-policy shape

ASA# show service-policy police

 

Part 2 of 2 :

Configure traffic policing for incoming and outgoing IP traffic to the Data LAN (inside interface)

 

! Traffic policing - incoming and outgoing - per interface
access-list DataLAN extended permit ip 172.23.127.0 255.255.255.0 any
access-list DataLAN extended permit ip any 172.23.127.0 255.255.255.0

! Class map - match the Data LAN ACL
class-map DataLAN
 description Data LAN Traffic
 match access-list DataLAN

! Policy map - the class name must match the class-map defined above
policy-map Police-LAN
 class DataLAN
  police output 20000000
  police input 10000000

! Apply the policing policy to the inside interface
service-policy Police-LAN interface inside

 

* In this case:

Output = "Download"

Input = "Upload"
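As an added example (not part of the original post or of Cisco's tooling), the following Python script cross-checks the class-map / policy-map / service-policy references in an ASA MPF configuration like the one above and reports dangling names before the config is pasted into a device. The sample config is constructed here and deliberately has its policy-map refer to `class LAN` while the class-map is named `DataLAN`, so the check reports it.

```python
# Constructed sample config (based on the Part 2 policing config above): the
# policy-map refers to "class LAN" while the class-map is named "DataLAN".
SAMPLE_CONFIG = """
access-list DataLAN extended permit ip 172.23.127.0 255.255.255.0 any
access-list DataLAN extended permit ip any 172.23.127.0 255.255.255.0
class-map DataLAN
 match access-list DataLAN
policy-map Police-LAN
 class LAN
  police output 20000000
  police input 10000000
Service-policy Police-LAN interface inside
"""


def lint_asa_qos(config: str) -> list:
    # Return findings for dangling references in an ASA MPF (QoS) hierarchy.
    acls = set()          # names defined by access-list lines
    class_maps = {}       # class-map name -> ACL names it matches
    policy_maps = {}      # policy-map name -> class names it references
    referenced = []       # policy-maps named by any service-policy line
    cm = pm = None        # class-map / policy-map currently being parsed
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        kw = tok[0].lower()                 # the ASA CLI is case-insensitive
        if kw == "access-list":
            acls.add(tok[1])
        elif kw == "class-map":
            cm, pm = tok[1], None
            class_maps[cm] = []
        elif kw == "policy-map":
            pm, cm = tok[1], None
            policy_maps[pm] = []
        elif kw == "match" and tok[1] == "access-list" and cm:
            class_maps[cm].append(tok[2])
        elif kw == "class" and pm:
            policy_maps[pm].append(tok[1])
        elif kw == "service-policy":        # interface binding or nested policy
            referenced.append(tok[1])
    findings = []
    for name, acl_refs in class_maps.items():
        findings += [f"class-map {name}: ACL {a} is not defined"
                     for a in acl_refs if a not in acls]
    for name, classes in policy_maps.items():
        findings += [f"policy-map {name}: class {c} has no class-map"
                     for c in classes if c != "class-default" and c not in class_maps]
    findings += [f"service-policy {p}: policy-map {p} is not defined"
                 for p in referenced if p not in policy_maps]
    return findings
```

Running `lint_asa_qos(SAMPLE_CONFIG)` returns a single finding for the `LAN` class; renaming it to `DataLAN` clears the list.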

3 REPLIES
Cisco Employee

Hi,

I think the configuration seems to be good.

The only thing which is incorrect is this:

Output = "Upload"

Input = “Download”

Thanks and Regards,

Vibhor Amrodia

Community Member

Hi Vibhor

Are you sure that's right?

On the "Inside" interface, surely 'Download' will be the output?

http://youtu.be/Xb2A3Xekp7Q?t=2m48s

 

Kind regards

Ian.

Cisco Employee

Hi Ian,

On the Inside interface it would be the same that you pointed out. :)

My concern is, why are we trying to limit the intra-interface traffic as well with the policing? As you have the destination as "any" in the class-map ACL.

I think you might think of denying the traffic from this ACL to the internal interfaces (for example the DMZ) and police the rest of the traffic.

You are already policing the traffic closest to the source which is recommended.

Thanks and Regards,

Vibhor Amrodia
