New Member

ASA QoS - two policy maps one service policy to interface?

I am trying to configure my QoS policies on both ASA 5505 and 5510. I haven't moved past the first ASA yet, which is a 5505. Below is the show ver and the copy of the config I am using.

Topology - Each ASA has multiple site to site VPNs coming into it and I want to run QoS across all the VPNs. My sample config is for the first VPN. For the other VPNs I would just add additional class maps to the policy map named QOS-Voice. I wanted to create a single policy map but I am unable to because you can't shape and set priority in the same policy map, I found out. I moved on to create two policy maps and wanted to "nest" them together and apply them as a single service-policy to the interface, but it's not working. How can I apply both of these policy maps to the outside interface?

access-list Sig-to-NFlorida extended permit udp CLW-NETWORKS 255.255.0.0 TPA-NETWORKS 255.255.0.0 eq sip
access-list Sig-to-NFlorida extended permit udp CLW-NETWORKS 255.255.0.0 TPA-NETWORKS 255.255.0.0 eq 5061
access-list Sig-from-NFlorida extended permit udp TPA-NETWORKS 255.255.0.0 CLW-NETWORKS 255.255.0.0 eq sip
access-list Sig-from-NFlorida extended permit udp TPA-NETWORKS 255.255.0.0 CLW-NETWORKS 255.255.0.0 eq 5061

priority-queue OUTSIDE
  tx-ring-limit 16

class-map Sig-to-NFlorida
match access-list Sig-to-NFlorida
class-map Sig-from-NFlorida
match access-list Sig-from-NFlorida
class-map inspection_default
match default-inspection-traffic
class-map Voice-traffic-NFlorida
match dscp ef
match tunnel-group x.x.x.x

policy-map Qos-Outside
class class-default
  shape average 10000000


policy-map QOS-Voice
class Voice-traffic-NFlorida
  priority
class Sig-to-NFlorida
  police output 50000
class Sig-from-NFlorida
  police input 50000

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

UMA-ASA-CLW up 3 days 12 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0    : address is 8843.e120.245a, irq 11
1: Ext: Ethernet0/0         : address is 8843.e120.2452, irq 255
2: Ext: Ethernet0/1         : address is 8843.e120.2453, irq 255
3: Ext: Ethernet0/2         : address is 8843.e120.2454, irq 255
4: Ext: Ethernet0/3         : address is 8843.e120.2455, irq 255
5: Ext: Ethernet0/4         : address is 8843.e120.2456, irq 255
6: Ext: Ethernet0/5         : address is 8843.e120.2457, irq 255
7: Ext: Ethernet0/6         : address is 8843.e120.2458, irq 255
8: Ext: Ethernet0/7         : address is 8843.e120.2459, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled

This platform has a Base license.

3 REPLIES
Cisco Employee

Re: ASA QoS - two policy maps one service policy to interface?

You can't apply 2 policy maps to 1 service policy to an interface. You can only apply 1 per interface.

You would need to move your default class map to be in the same policy map, and apply that policy map to the interface.

From your example, it will be as follows:

policy-map QOS-Voice
class Voice-traffic-NFlorida
  priority
class Sig-to-NFlorida
  police output 50000
class Sig-from-NFlorida
  police input 50000

class class-default
  shape average 10000000

service-policy QOS-Voice interface outside

Hope that helps.

New Member

Re: ASA QoS - two policy maps one service policy to interface?

You cannot apply both a priority queue and a shaping command in the same policy map which is why I currently have two policy maps. Any other suggestions?

Cisco Employee

Re: ASA QoS - two policy maps one service policy to interface?

You cannot configure traffic shaping and standard priority queueing for the same interface; only hierarchical priority queueing is allowed. For example, if you configure standard priority queueing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.

So the only way I see this happening is applying the policy that has shaping on the outside interface and the policy that polices on the inside interface that sees the packets hitting it going outbound and policing there.

I hope it helps.

PK
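
Added example, not part of any reply in this thread: the hierarchical priority queueing that the last reply names as the only allowed combination of shaping and priority, written with the original poster's policy-map name Qos-Outside and interface name OUTSIDE. The class map Voice-EF and the policy map QOS-Voice-Child are hypothetical names, and the layout follows the hierarchical priority queueing form in Cisco's ASA configuration guide; it covers the voice priority class only.

```cisco
! Child policy: priority action only.
! Per Cisco's guidelines for hierarchical priority queueing, encrypted VPN
! traffic can be matched only on DSCP or precedence, not on a tunnel group,
! so this class (hypothetical name) drops the "match tunnel-group" line.
class-map Voice-EF
 match dscp ef
!
policy-map QOS-Voice-Child
 class Voice-EF
  priority
!
! Parent policy: shaping is configured on class-default, and the child
! priority policy is nested under the shape command with service-policy.
policy-map Qos-Outside
 class class-default
  shape average 10000000
  service-policy QOS-Voice-Child
!
! One service policy on the interface carries both actions.
! The standalone "priority-queue OUTSIDE" command is not required for
! hierarchical priority queueing.
service-policy Qos-Outside interface OUTSIDE
```

After applying it, `show service-policy interface OUTSIDE` shows the shape and priority counters for the nested policy.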
