QoS on Cisco ASA 5505 (DSL)

Discussion in 'Cisco' started by Joe, Feb 17, 2010.

  1. Joe

    Joe Guest

    I have a site with a DSL connection and I'd like to implement outgoing
    QoS for VoIP. I am aware that the QoS cannot be guaranteed on the
    inbound (unless done from the ISP) but at this time I'm only having
    issues when the users on-site are uploading data to an FTP site. I
    had a similar site 2-3 years ago where I successfully did this,
    however I do not have a copy of the configuration file, and am having
    difficulty duplicating what I did back then. Basically as soon as
    they start uploading files to the FTP site the call data starts
    cutting in and out.

    This is my current config. I'm sure I'm close, but just missing
    something:

    ASA Version 7.2(3)
    !
    hostname RAPID-ASA
    domain-name sitename.org
    enable password <removed> encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.240.30.250 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd <removed> encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name sitename.org
    access-list 110 extended permit icmp any any
    access-list 110 extended permit icmp any any echo-reply
    access-list 110 extended permit icmp any any time-exceeded
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 110 in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http X.X.X.X 255.255.255.224 outside
    http 10.0.0.0 255.0.0.0 inside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet timeout 25
    ssh X.X.X.X 255.255.255.224 outside
    ssh timeout 60
    console timeout 0
    dhcpd dns <dns1> <dns2>
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    !
    dhcpd address 10.240.30.1-10.240.30.32 inside
    dhcpd enable inside
    !
    priority-queue inside
     queue-limit 250
    priority-queue outside
     queue-limit 250
    !
    class-map outside-class1
     description Voice-Call-Sig
     match dscp cs3 af31
    class-map inspection_default
     match default-inspection-traffic
    class-map outside-class
     description Voice-Carrier
     match dscp cs5 ef
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map outside-policy
     description VOIP
     class outside-class
      priority
     class outside-class1
      priority
    !
    service-policy global_policy global
    service-policy outside-policy interface outside
    prompt hostname context

    Any help would be appreciated.
    Joe, Feb 17, 2010
    #1

  2. Joe

    Rob Guest

    Joe <> wrote:
    >
    > I have a site with a DSL connection and I'd like to implement outgoing
    > QoS for VoIP. I am aware that the QoS cannot be guaranteed on the
    > inbound (unless done from the ISP) but at this time I'm only having
    > issues when the users on-site are uploading data to an FTP site. I
    > had a similar site 2-3 years ago where I successfully did this,
    > however I do not have a copy of the configuration file, and am having
    > difficulty duplicating what I did back then. Basically as soon as
    > they start uploading files to the FTP site the call data starts
    > cutting in and out.
    >
    > This is my current config. I'm sure I'm close, but just missing
    > something:


    Are you sure your DSL modem implements QoS? If not, there is little
    you can do from a device behind the modem. The problem with realtime
    data when uploading is that a transmit queue will build inside the
    modem where all traffic lines up, and realtime traffic gets delayed
    too much. This can be solved when the modem offers some way to
    cut around this queue (by TOS specification), but does it?
    It can also be solved by rate-limiting the FTP upload traffic to a
    rate a bit below the upload rate of your connection.
    Rob, Feb 17, 2010
    #2

  3. Joe

    Joe Guest

    On Feb 17, 11:56 am, Rob <> wrote:
    > Joe <> wrote:
    >
    > > I have a site with a DSL connection and I'd like to implement outgoing
    > > QoS for VoIP.  I am aware that the QoS cannot be guaranteed on the
    > > inbound (unless done from the ISP) but at this time I'm only having
    > > issues when the users on-site are uploading data to an FTP site.  I
    > > had a similar site 2-3 years ago where I successfully did this,
    > > however I do not have a copy of the configuration file, and am having
    > > difficulty duplicating what I did back then.  Basically as soon as
    > > they start uploading files to the FTP site the call data starts
    > > cutting in and out.

    >
    > > This is my current config.  I'm sure I'm close, but just missing
    > > something:

    >
    > Are you sure your DSL modem implements QoS?  If not, there is little
    > you can do from a device behind the modem.  The problem with realtime
    > data when uploading is that a transmit queue will build inside the
    > modem where all traffic lines up, and realtime traffic gets delayed
    > too much.  This can be solved when the modem offers some way to
    > cut around this queue (by TOS specification), but does it?
    > It can also be solved by rate-limiting the FTP upload traffic to a
    > rate a bit below the upload rate of your connection.


    I don't know if it supports it or not, but it's the same setup I had
    before and it did the trick for me. Is there anything that you can
    see in my config that would make it not work?
    Joe, Feb 17, 2010
    #3
  4. Joe

    Rob Guest

    Joe <> wrote:
    > Is there anything that you can
    > see in my config that would make it not work?


    I have experience only with the rate-limiting solution, so I cannot
    really tell...
    (I use "traffic-shape group" commands)
    Rob, Feb 17, 2010
    #4
  5. Joe

    Joe Guest

    On Feb 17, 12:30 pm, Rob <> wrote:
    > Joe <> wrote:
    > > Is there anything that you can
    > > see in my config that would make it not work?

    >
    > I have experience only with the rate-limiting solution, so I cannot
    > really tell...
    > (I use "traffic-shape group" commands)


    Do you have an example of some code to do this? I'd want to do this
    with ftp, and I have another site that I'd use it with SMTP (for a
    scan-to-email machine they have).
    Joe, Feb 17, 2010
    #5
  6. Joe

    Rob Guest

    Joe <> wrote:
    > On Feb 17, 12:30 pm, Rob <> wrote:
    >> Joe <> wrote:
    >> > Is there anything that you can
    >> > see in my config that would make it not work?

    >>
    >> I have experience only with the rate-limiting solution, so I cannot
    >> really tell...
    >> (I use "traffic-shape group" commands)

    >
    > Do you have an example of some code to do this? I'd want to do this
    > with ftp, and I have another site that I'd use it with SMTP (for a
    > scan-to-email machine they have).


    On the interface attached to the DSL modem:

    traffic-shape group 102 256000 12800 12800 1000
    traffic-shape group 103 650000 32500 32500 1000
    traffic-shape group 104 768000 76800 76800 1000

    Access lists:

    access-list 102 remark Outgoing ADSL low priority traffic
    access-list 102 permit tcp any any eq smtp
    access-list 103 remark Outgoing ADSL medium priority traffic
    access-list 103 permit tcp any any
    access-list 104 remark Outgoing ADSL high priority traffic
    access-list 104 permit ip any any


    Here SMTP is put in the low-rate group (256 kbps), any other
    TCP traffic is medium-rate (650 kbps) and the remainder of
    IP traffic is highest rate (768 kbps). Just an example, adapt
    to requirements.
    Rob, Feb 17, 2010
    #6
  7. Joe

    alexd Guest

    On Wed, 17 Feb 2010 10:43:04 -0800, Joe wrote:

    > Do you have an example of some code to do this? I'd want to do this
    > with ftp, and I have another site that I'd use it with SMTP (for a
    > scan-to-email machine they have).


    <http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/
    qos.html>

    --
    <http://ale.cx/> (AIM:troffasky) ()
    18:57:50 up 1 day, 23:48, 6 users, load average: 0.00, 0.04, 0.06
    DIMENSION-CONTROLLING FORT DOH HAS NOW BEEN DEMOLISHED,
    AND TIME STARTED FLOWING REVERSELY
    alexd, Feb 17, 2010
    #7
  8. Joe

    Joe Guest

    On Feb 17, 1:51 pm, Rob <> wrote:
    > Joe <> wrote:
    > > On Feb 17, 12:30 pm, Rob <> wrote:
    > >> Joe <> wrote:
    > >> > Is there anything that you can
    > >> > see in my config that would make it not work?

    >
    > >> I have experience only with the rate-limiting solution, so I cannot
    > >> really tell...
    > >> (I use "traffic-shape group" commands)

    >
    > > Do you have an example of some code to do this?  I'd want to do this
    > > with ftp, and I have another site that I'd use it with SMTP (for a
    > > scan-to-email machine they have).

    >
    > On the interface attached to the DSL modem:
    >
    >  traffic-shape group 102 256000 12800 12800 1000
    >  traffic-shape group 103 650000 32500 32500 1000
    >  traffic-shape group 104 768000 76800 76800 1000
    >
    > Access lists:
    >
    > access-list 102 remark Outgoing ADSL low priority traffic
    > access-list 102 permit tcp any any eq smtp
    > access-list 103 remark Outgoing ADSL medium priority traffic
    > access-list 103 permit tcp any any
    > access-list 104 remark Outgoing ADSL high priority traffic
    > access-list 104 permit ip any any
    >
    > Here SMTP is put in the low-rate group (256 kbps), any other
    > TCP traffic is medium-rate (650 kbps) and the remainder of
    > IP traffic is highest rate (768 kbps).  Just an example, adapt
    > to requirements.


    The unit isn't accepting the traffic-shape command on the interface
    (tried on ETH0/0 and on Vlan2). Is that a function of a higher
    version than 7.2(3)?
    Joe, Feb 17, 2010
    #8
  9. Joe

    Rob Guest

    Joe <> wrote:
    > the unit isn't accepting the traffic-shape command on the interface
    > (tried on ETH0/0 and on Vlan2). Is that a function of a higher
    > version than 7.2(3)?


    I assumed it would work on the ASA but apparently it doesn't.
    (I use this on routers)
    Rob, Feb 17, 2010
    #9
  10. Joe

    Joe Guest

    On Feb 17, 1:58 pm, alexd <> wrote:
    > On Wed, 17 Feb 2010 10:43:04 -0800, Joe wrote:
    > > Do you have an example of some code to do this?  I'd want to do this
    > > with ftp, and I have another site that I'd use it with SMTP (for a
    > > scan-to-email machine they have).

    >
    > <http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/
    > qos.html>
    >
    > --
    >  <http://ale.cx/> (AIM:troffasky) ()
    >  18:57:50 up 1 day, 23:48,  6 users,  load average: 0.00, 0.04, 0.06
    >  DIMENSION-CONTROLLING FORT DOH HAS NOW BEEN DEMOLISHED,
    >  AND TIME STARTED FLOWING REVERSELY


    Yeah, I was looking at that document, but unfortunately it has a lot
    of information in it that doesn't make sense to me. ASAs are new to
    me, and most of what I can find involves putting QoS on a vpn
    connection. I tried to cobble that into what I was trying to do
    (which resulted in the configuration I have posted above), but there's
    something I'm missing.
    Joe, Feb 17, 2010
    #10
  11. Joe

    bod43 Guest

    On 17 Feb, 19:36, Joe <> wrote:
    > On Feb 17, 1:58 pm, alexd <> wrote:
    >
    > > On Wed, 17 Feb 2010 10:43:04 -0800, Joe wrote:
    > > > Do you have an example of some code to do this?  I'd want to do this
    > > > with ftp, and I have another site that I'd use it with SMTP (for a
    > > > scan-to-email machine they have).

    >
    > > <http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/
    > > qos.html>

    >
    > > --
    > >  <http://ale.cx/> (AIM:troffasky) ()
    > >  18:57:50 up 1 day, 23:48,  6 users,  load average: 0.00, 0.04, 0.06
    > >  DIMENSION-CONTROLLING FORT DOH HAS NOW BEEN DEMOLISHED,
    > >  AND TIME STARTED FLOWING REVERSELY

    >
    > Yeah, I was looking at that document, but unfortunately it has a lot
    > of information in it that doesn't make sense to me.  ASAs are new to
    > me, and most of what I can find involves putting QoS on a vpn
    > connection.  I tried to cobble that into what I was trying to do
    > (which resulted in the configuration I have posted above), but there's
    > something I'm missing.


    The ASA seems to have the tools you need.

    The best solution is to do traffic shaping on
    the outbound traffic to limit the rate to
    the DSL upload rate. Then within that
    do priority queuing for your voice traffic.

    This is implemented with a hierarchical
    policy map.

    The main or outer policy map shapes the traffic to
    some rate and then the inner or sub policy map
    can priority queue the traffic within that rate.


    There is an example in the document already mentioned.
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html
    See:-
    "Creating a Policy for Traffic Shaping and
    Hierarchical Priority Queueing"

    class-map CM.voice-carrier
     match dscp cs5 ef

    !<-- First define the "sub" policy for priority queuing
    policy-map PM.sub.voice-carrier
     class CM.voice-carrier
      priority

    !<-- Now define the "main" policy for traffic shaping
    policy-map PM.main.shape
     !<-- class-default is defined by default
     class class-default
      shape average 256000 10000
      service-policy PM.sub.voice-carrier

    !<-- Now add the policy to an interface. Only makes sense
    !<-- outbound so that seems to be assumed.
    service-policy PM.main.shape interface outside

    I don't have an ASA to play with so I have not
    tried these commands.

    Be conservative with the shape rate, make SURE it is
    LOWER than your traffic speed.

    The other thing to worry about is to ensure that the ASA
    honours the dscp bits. I have not checked. By default
    switches throw them away on receipt.

    "DSCP markings are preserved on all traffic passing
    through the security appliance."
    So no worries there then:)))

    Good luck.
    bod43, Feb 18, 2010
    #11
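    The hierarchical shaping-plus-priority policy bod43 describes, combined
    with the two voice classes already present in Joe's configuration, as an
    added example; it is not from the thread, from Cisco's guide, or from any
    poster's own configuration. Shaping the whole outbound stream to a rate
    below the DSL upload speed is also what Rob's rate-limiting suggestion
    amounts to, so one configuration covers both answers. The names beginning
    with QOS- and the 256000 bps rate are assumptions; the rate must be
    replaced with a value below the site's real upload speed, and the
    commands follow the 7.2-era CLI described in the guide linked above.

```cisco
! Added example, not from the thread. QOS- names and the 256000 bps rate
! are assumptions; set the rate below the measured DSL upload speed.
!
! Voice classes, matching the DSCP values the phones already mark.
class-map QOS-voice-bearer
 description RTP voice carrier
 match dscp cs5 ef
class-map QOS-voice-signalling
 description Call signalling
 match dscp cs3 af31
!
! Inner (sub) policy: strict priority for voice within the shaped rate.
! The sub-policy of this hierarchy carries only the priority action.
policy-map QOS-priority-voice
 class QOS-voice-bearer
  priority
 class QOS-voice-signalling
  priority
!
! Outer policy: shape everything leaving the outside interface so the
! queue forms on the ASA, where the priority queue can send voice first,
! instead of inside the modem. Shaping is configured under class-default.
policy-map QOS-shape-outside
 class class-default
  shape average 256000
  service-policy QOS-priority-voice
!
! The priority queue must exist on the interface, and an interface takes a
! single service-policy, so this replaces outside-policy from the original.
priority-queue outside
 queue-limit 250
no service-policy outside-policy interface outside
service-policy QOS-shape-outside interface outside
!
! Verification while an FTP upload and a call run at the same time:
!   show service-policy interface outside       (shaping and drop counters)
!   show priority-queue statistics outside      (best-effort vs. LLQ counts)
```

    Leave real margin below the sync rate: ATM cell padding and PPPoE framing
    on a DSL line mean the usable IP rate is noticeably lower than the
    advertised upload speed, and shaping only helps if the ASA, not the
    modem, is the point where packets queue. If the shape counters stay at
    zero during an upload, the rate is set too high; if the LLQ counters stay
    at zero during a call, the phones' DSCP marks are not reaching the ASA.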
