Hi, I would like do use Priority Queuing for voice on the OUTSIDE interface. As far as I know the QOS meganism only kicks in when there is congestion on the interface. But my ASA 5505 is connected to a 80mbps down and 10 mbps up cable modem. How can I tell the ASA that it is not connected to an interface with 100/100 mbps bandwidth?
On a router I would use the bandwidth command, but this is not available on the ASA as far as I know.
I've just tried to configure like you said, but for some reason no traffic is matching classes other than class-default.
service-policy OUTSIDE_PM interface OUTSIDE
policy-map OUTSIDE_PM class class-default shape average 4504000 service-policy SHAPED_OUTSIDE_PM
policy-map SHAPED_OUTSIDE_PM class VOICE_CM priority class LLQ_ACL_CM priority class IKE_ACL_CM priority class class-default
class-map VOICE_CM match dscp cs3 af31 ef class-map IKE_ACL_CM match access-list IKE_ACL class-map LLQ_ACL_CM match access-list LLQ_ACL
access-list IKE_ACL line 1 extended permit udp any eq isakmp any
access-list IKE_ACL line 2 extended permit udp any any eq isakmp
access-list LLQ_ACL line 1 extended permit udp any eq 9987 any
I'm trying to achieve the following:
Shape the whole output to 4.500.000 bits / sec
Prioritize outgoing voicetraffic + voicecontrol to a priority queue within the shaper
DSCP values have been verified using wireshare and the ASA capture feature.
The match statement should match regular outgoing voice, but also the outgoing voice via VPN connections. I think the last thing happens by default since according to the manual the ASA uses QOS Pre-classification by default.
Prioritize outgoing traffic according to the LLQ_ACL
Inside my DMZ network i'm also running a Teamspeak server on UDP port 9987. This port has been PAT'ed through the asa from the OUTSIDE to the DMZ.
Since the packets are being send from DMZ UDP port 9987 to clients with a random high port number, I've set the ACL accordingly.
Prioritize outgoing VPN Control / IKE traffic.
This one speaks for itself. There are two VPN connections running.
I let this configuration running for a while, then I did a "show service-policy int OUTSIDE" and it turned out that only the class class-default had any matches:
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :