I seem to have this working fairly well and it seems to work when I look at stats and put high loads on the network sites.
Here is part of my config at the main site where it has a 50 Mb download and 25 Mb upload limit set by the ISP.
access-list tcp-traffic extended permit tcp any any
access-list tg-nonvoice-out extended permit ip any 10.42.0.0 255.255.0.0
access-list tg-nonvoice-out extended permit ip any 172.22.0.0 255.255.0.0
access-list tg-nonvoice-in extended permit ip 10.42.0.0 255.255.0.0 any
access-list tg-nonvoice-in extended permit ip 172.22.0.0 255.255.0.0 any
match dscp ef
match tunnel-group DefaultL2lGroup
match access-list tcp-traffic
match access-list tg-nonvoice-out
match access-list tg-nonvoice-in
police output 19000000
police input 44000000
police output 300000
police input 300000
police output 2700000
police input 2700000
service-policy qos interface outside
I have tried to restrict output max to 19M+300K+2.7M = 22Mbps
input max to 44M+300K+2.7M = 47Mbps.
I am doing this to allow another 3Mbps free on both outbound and inbound. I do not want to overrun the ISP limits since they would trash whatever they want.
This is at the main site connecting multiple remote sites. The tunnels build on this ASA dynamically and all fall under the tunnel-group DefaultL2lGroup. EF traffic really only flows out over the tunnels so the match tunnel-group line is redundant in reality. If I remove it I see the same results. I left it in anyway.
Also there is very little traffic other than data and voice flowing over the encrypted tunnels. Therefore any tcp-traffic is usually already matched by the TG-NonVoice-XX classes which precede the TCP-Traffic class in the policy-map.
Here is my main question. I have QoS set on the 3750 switch interface that the ASA VoIP inside interface uses (separate VLANs on the ASA inside interfaces for voice and data - I did not trunk them for obvious reasons). Therefore the 3750 trusts the EF packets that the ASA brings in from the tunnels. However the voice packets inbound are not placed into any LLQ according to what I read since the priority setting is only for outbound packets. The concern I have is with inbound packets with the EF bit set. Will they match the TG-Voice class I have created even though they are inbound? If they do can I assume there will be NO policing placed on them since they matched the first class-map in the policy-map and therefore they are not subject to any following class-map matches. What I want is to never have inbound packets with EF policed since I do not want the ASA to drop any of these. I need to know if they will match the TG-Voice class and simply have nothing done to them other than simply passed through the interface. I theoretically have allocated 3Mbps to them at all times, even if all my remote sites are trying to flood my main site ASA with data packets. I believe this 3Mbps will handle all VoIP traffic even if all calls are active.
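Added example, not part of the post or of any Cisco tooling: a small Python linter that reads a flattened ASA policing snippet (a constructed copy of the one above, with one deliberately misspelled access-list name so the check has something to find), flags match statements that reference an undefined access-list, and sums the police rates per direction to confirm the 3 Mbps of headroom below the ISP rates (input 50 Mb download, output 25 Mb upload on the outside interface).

```python
import re

# Constructed sample modelled on the posted snippet; "tcp-trafffic" is
# deliberately misspelled so the undefined-reference check fires.
ASA_CONFIG = """
access-list tcp-trafffic extended permit tcp any any
access-list tg-nonvoice-out extended permit ip any 10.42.0.0 255.255.0.0
access-list tg-nonvoice-in extended permit ip 10.42.0.0 255.255.0.0 any
match dscp ef
match tunnel-group DefaultL2lGroup
match access-list tcp-traffic
match access-list tg-nonvoice-out
match access-list tg-nonvoice-in
police output 19000000
police input 44000000
police output 300000
police input 300000
police output 2700000
police input 2700000
service-policy qos interface outside
"""

def lint_policing(config, isp_limits_bps, headroom_bps):
    """Return (findings, totals).

    isp_limits_bps maps 'input'/'output' to the ISP rate in bps; a direction
    whose summed police rates leave less than headroom_bps below that rate
    is reported, as is any 'match access-list' naming an undefined ACL."""
    defined = set()
    referenced = []
    totals = {"input": 0, "output": 0}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) ", line):
            defined.add(m.group(1))
        elif m := re.match(r"match access-list (\S+)$", line):
            referenced.append(m.group(1))
        elif m := re.match(r"police (input|output) (\d+)", line):
            totals[m.group(1)] += int(m.group(2))
    findings = []
    for name in referenced:
        if name not in defined:
            findings.append(f"match references undefined access-list {name}")
    for direction, limit in isp_limits_bps.items():
        free = limit - totals[direction]
        if free < headroom_bps:
            findings.append(f"{direction}: only {free} bps free, want {headroom_bps}")
    return findings, totals

if __name__ == "__main__":
    for f in lint_policing(ASA_CONFIG, {"input": 50_000_000, "output": 25_000_000}, 3_000_000)[0]:
        print(f)
```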