11-05-2010 01:48 PM - edited 03-11-2019 12:05 PM
I am trying to configure my QoS policies on both ASA 5505 and 5510. I haven't moved past the first ASA yet, which is a 5505. Below is the show ver and the copy of the config I am using.
Topology - Each ASA has multiple site-to-site VPNs coming into it and I want to run QoS across all the VPNs. My sample config is for the first VPN. For the other VPNs I would just add additional class maps to the policy map named QOS-Voice. I wanted to create a single policy map but I am unable to because you can't shape and set priority in the same policy map, I found out. I moved on to create two policy maps and wanted to "nest" them together and apply them as a single service-policy to the interface, but it's not working. How can I apply both of these policy maps to the outside interface?
access-list Sig-to-NFlorida extended permit udp CLW-NETWORKS 255.255.0.0 TPA-NETWORKS 255.255.0.0 eq sip
access-list Sig-to-NFlorida extended permit udp CLW-NETWORKS 255.255.0.0 TPA-NETWORKS 255.255.0.0 eq 5061
access-list Sig-from-NFlorida extended permit udp TPA-NETWORKS 255.255.0.0 CLW-NETWORKS 255.255.0.0 eq sip
access-list Sig-from-NFlorida extended permit udp TPA-NETWORKS 255.255.0.0 CLW-NETWORKS 255.255.0.0 eq 5061
priority-queue OUTSIDE
 tx-ring-limit 16
class-map Sig-to-NFlorida
 match access-list Sig-to-NFlorida
class-map Sig-from-NFlorida
 match access-list Sig-from-NFlorida
class-map inspection_default
 match default-inspection-traffic
class-map Voice-traffic-NFlorida
 match dscp ef
 match tunnel-group x.x.x.x
policy-map Qos-Outside
 class class-default
  shape average 10000000
policy-map QOS-Voice
 class Voice-traffic-NFlorida
  priority
 class Sig-to-NFlorida
  police output 50000
 class Sig-from-NFlorida
  police input 50000
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
UMA-ASA-CLW up 3 days 12 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 8843.e120.245a, irq 11
1: Ext: Ethernet0/0 : address is 8843.e120.2452, irq 255
2: Ext: Ethernet0/1 : address is 8843.e120.2453, irq 255
3: Ext: Ethernet0/2 : address is 8843.e120.2454, irq 255
4: Ext: Ethernet0/3 : address is 8843.e120.2455, irq 255
5: Ext: Ethernet0/4 : address is 8843.e120.2456, irq 255
6: Ext: Ethernet0/5 : address is 8843.e120.2457, irq 255
7: Ext: Ethernet0/6 : address is 8843.e120.2458, irq 255
8: Ext: Ethernet0/7 : address is 8843.e120.2459, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
11-05-2010 02:55 PM
You can't apply 2 policy maps to 1 service policy to an interface. You can only apply 1 per interface.
You would need to move your default class map to be in the same policy map, and apply that policy map to the interface.
From your example, it will be as follows:
policy-map QOS-Voice
 class Voice-traffic-NFlorida
  priority
 class Sig-to-NFlorida
  police output 50000
 class Sig-from-NFlorida
  police input 50000
 class class-default
  shape average 10000000
service-policy QOS-Voice interface outside
Hope that helps.
11-08-2010 06:09 AM
You cannot apply both a priority queue and a shaping command in the same policy map, which is why I currently have two policy maps. Any other suggestions?
11-08-2010 11:11 AM
You cannot configure traffic shaping and standard priority queueing for the same interface; only hierarchical priority queueing is allowed. For example, if you configure standard priority queueing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.
So the only way I see this happening is applying the policy that has shaping on the outside interface and the policy that polices on the inside interface that sees the packets hitting it going outbound and policing there.
I hope it helps.
PK
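The hierarchical priority queueing mentioned in the last reply nests a priority-only policy map under the shaping class, so a single service policy still goes on the interface. The sketch below uses this thread's names and is an added example, not a configuration posted by any participant. The class-map name Voice-EF is hypothetical; it matches on DSCP alone because Cisco's QoS guidelines do not allow a tunnel-group match for encrypted VPN traffic under hierarchical priority queueing. The signalling police classes from the thread are left out.

```cisco
! Added example, not from the thread. Voice-EF is a hypothetical class-map name.
! Child policy: contains only the priority action, matched on DSCP EF.
class-map Voice-EF
 match dscp ef
policy-map QOS-Voice
 class Voice-EF
  priority
! Parent policy: shape class-default, then nest the priority policy under it.
policy-map Qos-Outside
 class class-default
  shape average 10000000
  service-policy QOS-Voice
! Only the parent policy map is applied to the interface.
service-policy Qos-Outside interface outside
```

With this form the standalone `priority-queue OUTSIDE` command is not needed, and `show service-policy interface outside` shows whether the shape and priority counters are incrementing.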