Cisco Support Community
QOS over VPN with ASA

I seem to have this working fairly well, and it seems to work when I look at stats and put high loads on the network sites.

Here is part of my config at the main site, where it has a 50 Mb download and 25 Mb upload limit set by the ISP.

access-list tcp-traffic extended permit tcp any any
access-list tg-nonvoice-out extended permit ip any
access-list tg-nonvoice-out extended permit ip any
access-list tg-nonvoice-in extended permit ip
access-list tg-nonvoice-in extended permit ip
priority-queue outside
  tx-ring-limit 40
class-map TG-Voice
  match dscp ef
  match tunnel-group DefaultL2lGroup
class-map TCP-Traffic
  match access-list tcp-traffic
class-map TG-NonVoice-Out
  match access-list tg-nonvoice-out
class-map TG-NonVoice-In
  match access-list tg-nonvoice-in
policy-map qos
 class TG-Voice
  priority
 class TG-NonVoice-Out
  police output 19000000
 class TG-NonVoice-In
  police input 44000000
 class TCP-Traffic
  police output 300000
  police input 300000
 class class-default
  police output 2700000
  police input 2700000
service-policy qos interface outside

I have tried to restrict output max to 19M+300K+2.7M = 22Mbps and input max to 44M+300K+2.7M = 47Mbps.

I am doing this to allow another 3Mbps free on both outbound and inbound. I do not want to overrun the ISP limits since they would trash whatever they want.

This is at the main site connecting multiple remote sites. The tunnels build on this ASA dynamically and all fall under the tunnel-group DefaultL2lGroup. EF traffic really only flows out over the tunnels, so the match tunnel-group line is redundant in reality. If I remove it I see the same results. I left it in anyway.

Also, there is very little traffic other than data and voice flowing over the encrypted tunnels. Therefore any TCP traffic is usually already matched by the TG-NonVoice-XX classes, which precede the TCP-Traffic class in the policy-map.

Here is my main question. I have QoS set on the 3750 switch interface that the ASA VoIP inside interface uses (separate VLANs on the ASA inside interfaces for voice and data - I did not trunk them for obvious reasons). Therefore the 3750 trusts the EF packets that the ASA brings in from the tunnels. However, the voice packets inbound are not placed into any LLQ according to what I read, since the priority setting is only for outbound packets. The concern I have is with inbound packets with the EF bit set. Will they match the TG-Voice class I have created even though they are inbound? If they do, can I assume there will be NO policing placed on them, since they matched the first class-map in the policy-map and therefore they are not subject to any following class-map matches? What I want is to never have inbound packets with EF policed, since I do not want the ASA to drop any of these. I need to know if they will match the TG-Voice class and simply have nothing done to them other than being passed through the interface. I theoretically have allocated 3Mbps to them at all times, even if all my remote sites are trying to flood my main site ASA with data packets. I believe this 3Mbps will handle all VoIP traffic even if all calls are active.

Anyone see what I am asking?
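Added here as an illustration (not from the post or from Cisco): a small Python model of the policy-map above that applies the first-match-wins assumption the question relies on, with the ACL subnets, which are elided in the post, replaced by constructed placeholders. It reports which class a packet lands in, whether a policer applies in the given direction, and the headroom left under the ISP limits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders: the post's ACLs have their subnets elided.
INSIDE = ip_network("10.1.0.0/16")   # main-site LAN behind the ASA (assumed)
REMOTES = ip_network("10.2.0.0/15")  # remote-site LANs reached over the L2L tunnels (assumed)
ISP_LIMITS = {"output": 25_000_000, "input": 50_000_000}  # 25 Mb up / 50 Mb down, from the post

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str
    dscp: str = "default"

def _out(p):  # stand-in for ACL tg-nonvoice-out: inside -> remote sites (assumed)
    return ip_address(p.src) in INSIDE and ip_address(p.dst) in REMOTES

def _in(p):   # stand-in for ACL tg-nonvoice-in: remote sites -> inside (assumed)
    return ip_address(p.src) in REMOTES and ip_address(p.dst) in INSIDE

# Classes in the order they appear in policy-map "qos"; actions keyed by direction.
POLICY = [
    ("TG-Voice",        lambda p: p.dscp == "ef", {"priority": True}),
    ("TG-NonVoice-Out", _out,                     {"police output": 19_000_000}),
    ("TG-NonVoice-In",  _in,                      {"police input": 44_000_000}),
    ("TCP-Traffic",     lambda p: p.proto == "tcp",
                        {"police output": 300_000, "police input": 300_000}),
    ("class-default",   lambda p: True,
                        {"police output": 2_700_000, "police input": 2_700_000}),
]

def classify(p: Pkt, direction: str):
    """First-match lookup: returns (class name, policer rate for this direction or None)."""
    for name, match, actions in POLICY:
        if match(p):
            return name, actions.get(f"police {direction}")
    raise AssertionError("class-default always matches")

def aggregate_ceiling(direction: str) -> int:
    """Worst case: every policed class sending at its limit at the same time."""
    return sum(a.get(f"police {direction}", 0) for _, _, a in POLICY)

def headroom(direction: str) -> int:
    """What is left under the ISP limit for unpoliced (EF) traffic."""
    return ISP_LIMITS[direction] - aggregate_ceiling(direction)
```

In this model the EF class carries no policer in either direction, so the 3 Mbps is headroom left by the other policers rather than a reserved rate; whether the real ASA stops at the first QoS match is exactly the question above.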
