Cisco Support Community

New Member

QoS policy on VPN tunnels

Greetings!

I set up a full mesh LAN-to-LAN VPN for a client with 4 sites.  Each site has an ASA 5505 running 8.2(5).   Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site.  There are two back-up servers, one at the main site and one at a remote site.  The main site has 2 bonded T1s and the other three sites have a single T1.

How should I go about setting up my QoS? 

My top requirement is that VoIP traffic will never be pushed out of the way for data traffic.  My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important.  I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now.  I know the IP of the file-server and back-up servers.

Based on my first readings, I'm thinking I need a hierarchical priority queue.

Thanks

4 REPLIES
New Member

Re: QoS policy on VPN tunnels

SD has 16 VoIP phones in active use.  I want to guarantee each phone 64000bps, meaning 1024000bps guaranteed (prioritized) for VoIP traffic.  With the remainder of bandwidth at SD (3000000-1024000) 1976000bps, I want to shape as near as possible to 32% for Filemaker traffic, 8% for Crashplan traffic, and 60% for other/web.

Is this config valid?  Will it suit my needs?

ip access-list extended OUTBOUND-FILEMAKER-TRAFFIC-ACL permit tcp host 192.168.0.9 any eq 5033
ip access-list extended OUTBOUND-CRASHPLAN-TRAFFIC-ACL permit tcp host 192.168.0.9 any eq 4242
ip access-list extended SD-CV-VOIP-ACL permit ip host 192.168.0.7 host 192.168.1.7
ip access-list extended SD-ST-VOIP-ACL permit ip host 192.168.0.7 host 192.168.2.7
ip access-list extended SD-OC-VOIP-ACL permit ip host 192.168.0.7 host 192.168.3.7

priority-queue outside

class-map SD-CV-VOIP-CLASS
   match tunnel-group 2.2.2.2
   match dscp ef
   (or match access-list SD-CV-VOIP-ACL)
class-map SD-ST-VOIP-CLASS
   match tunnel-group 3.3.3.3
   match dscp ef
   (or match access-list SD-ST-VOIP-ACL)
class-map SD-OC-VOIP-CLASS
   match tunnel-group 4.4.4.4
   match dscp ef
   (or match access-list SD-OC-VOIP-ACL)
class-map FILEMAKER-CLASS
   match access-list OUTBOUND-FILEMAKER-TRAFFIC-ACL
class-map CRASHPLAN-CLASS
   match access-list OUTBOUND-CRASHPLAN-TRAFFIC-ACL

policy-map VOIP-PRIORITY-MAP
   class SD-CV-VOIP-CLASS
      priority
   class SD-ST-VOIP-CLASS
      priority
   class SD-OC-VOIP-CLASS
      priority

policy-map INTERFACE-TOTAL-POLICY-MAP
   service-policy VOIP-PRIORITY-MAP
   class FILEMAKER-CLASS
      shape average 632000
   class CRASHPLAN-CLASS
      shape average 152000
   class class-default
      shape average 1184000

service-policy INTERFACE-TOTAL-POLICY-MAP interface outside


New Member

Re: QoS policy on VPN tunnels

There is something (maybe obviously) wrong with the above configuration.  I will not be able to use the access-lists I wanted to use to match the traffic for the classes.  First, it is not allowed to match access-lists (at least it wasn't on the ASA5505 8.2(5) I was using), and second the access-lists would never get hit on the outside interface because the traffic is all encapsulated in the IPSec packets.  So the client needs to install DSCP marking capable LAN switches.

Until that time we will prioritize VoIP traffic, since we know it is DSCP EF marked.  We will take a position of prioritizing 20% of total bandwidth since it approximates the needs pretty well.  With 3000000bps total bandwidth at SD, 20% prioritization means 600000bps.  This translates into prioritizing about 15 calls using 40000bps for each call (codec being used is G729).

Here is the config:

priority-queue outside

class-map SD-CV-VOIP-CLASS
   match tunnel-group 2.2.2.2
   match dscp ef
class-map SD-ST-VOIP-CLASS
   match tunnel-group 3.3.3.3
   match dscp ef
class-map SD-OC-VOIP-CLASS
   match tunnel-group 4.4.4.4
   match dscp ef

policy-map VOIP-PRIORITY-MAP
   class SD-CV-VOIP-CLASS
      priority
   class SD-ST-VOIP-CLASS
      priority
   class SD-OC-VOIP-CLASS
      priority

policy-map QOS-POLICY-INTERFACE-MAP
   service-policy VOIP-PRIORITY-MAP
   class class-default
      shape average 2400000

service-policy QOS-POLICY-INTERFACE-MAP interface outside

Comments? Ideas? Suggestions?

Thanks
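
The point made in the post above (an ACL applied on the outside interface cannot match traffic that is already inside IPsec, while the DSCP EF marking stays usable) can be seen in a simplified model of ESP tunnel-mode encapsulation. This is an added example, not part of the original thread and not ASA code: the local peer 1.1.1.1, the destination 192.168.1.50, the source ports, the voice ports and the random bytes standing in for ciphertext are constructed, and the DSCP copy to the outer header follows the RFC 4301 default.

```python
import os
import socket
import struct

EF, TCP, UDP, ESP = 46, 6, 17, 50   # DSCP EF and IP protocol numbers

def ipv4(src, dst, proto, dscp, payload):
    """Minimal IPv4 packet: 20-byte header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                      0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def ports(sport, dport):
    """First four bytes of a TCP or UDP header."""
    return struct.pack("!HH", sport, dport)

def esp_tunnel(inner, local_peer, remote_peer, spi=0x1000, seq=1):
    """Model of ESP tunnel mode: the whole inner packet becomes opaque,
    and the outer header copies the inner DSCP (RFC 4301 default)."""
    opaque = os.urandom(len(inner))   # stand-in for real ciphertext
    esp = struct.pack("!II", spi, seq) + opaque
    return ipv4(local_peer, remote_peer, ESP, inner[1] >> 2, esp)

def outer_view(pkt):
    """Fields a classifier on the egress interface can read."""
    proto = pkt[9]
    dport = struct.unpack("!H", pkt[22:24])[0] if proto in (TCP, UDP) else None
    return {"src": socket.inet_ntoa(pkt[12:16]), "proto": proto,
            "dscp": pkt[1] >> 2, "dport": dport}

def acl_hit(pkt, src_host, proto, dport):
    """Rough equivalent of 'permit <proto> host <src_host> any eq <dport>'."""
    v = outer_view(pkt)
    return (v["src"], v["proto"], v["dport"]) == (src_host, proto, dport)

# Constructed sample packets (addresses from the thread where available).
FILEMAKER = ipv4("192.168.0.9", "192.168.1.50", TCP, 0, ports(49152, 5033))
VOIP = ipv4("192.168.0.7", "192.168.1.7", UDP, EF, ports(16384, 16384))
LOCAL_PEER, REMOTE_PEER = "1.1.1.1", "2.2.2.2"   # 1.1.1.1 is assumed

if __name__ == "__main__":
    for name, pkt in (("filemaker", FILEMAKER), ("voip", VOIP)):
        tunnelled = esp_tunnel(pkt, LOCAL_PEER, REMOTE_PEER)
        print(name, "clear:", outer_view(pkt))
        print(name, "in tunnel:", outer_view(tunnelled))
    print("ACL hit before IPsec:", acl_hit(FILEMAKER, "192.168.0.9", TCP, 5033))
    print("ACL hit after IPsec: ", acl_hit(
        esp_tunnel(FILEMAKER, LOCAL_PEER, REMOTE_PEER), "192.168.0.9", TCP, 5033))
```

After encapsulation the outer header shows only the tunnel peers, protocol 50 and the copied DSCP value, which is why host-and-port classification has to happen before encryption or be replaced by DSCP marking.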

New Member

Re: QoS policy on VPN tunnels

During configuration it looks like this:

policy-map QOS-POLICY-INTERFACE-MAP
   service-policy VOIP-PRIORITY-MAP
   class class-default
      shape average 2400000

..must be configured like this instead:

policy-map QOS-POLICY-INTERFACE-MAP
   class class-default
      shape average 2400000
      service-policy VOIP-PRIORITY-MAP

New Member

QoS policy on VPN tunnels

I have the same problem. What did you do? Could you share your configuration? Thank you!
