I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1.
How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
Based on my first readings, I'm thinking I need a hierarchical priority queue.
SD has 16 VoIP phones in active use. I want to guarantee each phone 64000bps, meaning 1024000bps guaranteed (prioritized) for VoIP traffic. With the remainder of bandwidth at SD (3000000-1024000) 1976000bps, I want to shape as near as possible to 32% for Filemaker traffic, 8% for Crashplan traffic, and 60% for other/web.
Is this config valid? Will it suit my needs?
access-list OUTBOUND-FILEMAKER-TRAFFIC-ACL remark Filemaker server to any site
access-list OUTBOUND-FILEMAKER-TRAFFIC-ACL extended permit tcp host 192.168.0.9 any eq 5033
access-list OUTBOUND-CRASHPLAN-TRAFFIC-ACL remark Crashplan backup server to any site
access-list OUTBOUND-CRASHPLAN-TRAFFIC-ACL extended permit tcp host 192.168.0.9 any eq 4242
access-list SD-CV-VOIP-ACL remark SD PBX to CV PBX
access-list SD-CV-VOIP-ACL extended permit ip host 192.168.0.7 host 192.168.1.7
access-list SD-ST-VOIP-ACL extended permit ip host 192.168.0.7 host 192.168.2.7
access-list SD-OC-VOIP-ACL extended permit ip host 192.168.0.7 host 192.168.3.7
There is something (maybe obviously) wrong with the above configuration. I will not be able to use the access-lists I wanted to use to match the traffic for the classes. First, it is not allowed to match access-lists (at least it wasn't on the ASA5505 8.2(5) I was using), and second the access-lists would never get hit on the outside interface because the traffic is all encapsulated in the IPSec packets. So the client needs to install DSCP marking capable LAN switches.
Until that time we will prioritize VoIP traffic, since we know it is DSCP EF marked. We will take a position of prioritizing 20% of total bandwidth since it approximates the needs pretty well. With 3000000bps total bandwidth at SD, 20% prioritization means 600000bps. This translates into prioritizing about 15 calls using 40000bps for each call (codec being used is G729).
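An added example, not the original post's configuration, of what the DSCP-based approach above looks like on an ASA 8.2 outside interface: a hierarchical policy that shapes to the SD site's 3000000 bps and gives EF-marked traffic a strict-priority queue. The class and policy names (VOIP-EF, VOIP-PRIORITY, OUTSIDE-SHAPE) are assumed; the ASA `priority` command takes no rate argument, so the 600000 bps / 15-call figure is capacity planning rather than a configured limit.

```cisco
! Added example, not the original post's config. Class/policy names are assumed.
! Enable the interface priority queue on the interface facing the T1s.
priority-queue outside
  queue-limit 2048
  tx-ring-limit 256
!
! Match VoIP by DSCP rather than by ACL: after IPsec encapsulation the outside
! interface only sees ESP, and the ASA copies the inner DSCP to the outer
! header by default, so EF is still visible to the classifier.
class-map VOIP-EF
  match dscp ef
!
! Inner policy: strict priority for EF. There is no rate parameter on the ASA,
! so the ~600 kbps budget from the post is a planning figure, not enforced here.
policy-map VOIP-PRIORITY
  class VOIP-EF
    priority
!
! Outer policy: shape all traffic leaving the outside interface to 3 Mbps so
! the priority queue engages on the ASA before the upstream T1s congest.
! shape average is only permitted in class-default on the ASA.
policy-map OUTSIDE-SHAPE
  class class-default
    shape average 3000000
    service-policy VOIP-PRIORITY
!
service-policy OUTSIDE-SHAPE interface outside
```

Check that EF packets are actually landing in the priority queue with `show service-policy interface outside` and `show priority-queue statistics outside` during a call; if the priority counters stay at zero, the EF marking is not surviving to the outside interface.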