
ASA QOS Application Question


usfregale (Technical User), May 1, 2009
I have a network of about 50 ASA 5505s all connected via VPN to a single ASA 5510.

When I apply dscp based QOS to an ASA 5505 I use the match tunnel-group xx.xx.xx.xx command to apply QOS to the VPN tunnel back to the ASA 5510.

On the 5510, is there a way to uniformly apply QOS to all 50 outbound VPN tunnels, as it isn't desirable to have to designate each individual access list?

A full config is provided on the 5510 below just in case that is helpful.

Thanks,

Richard

ASA Version 8.0(4)
!
hostname JHSCHQ
domain-name default.domain.invalid
enable password xx encrypted
passwd xx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.x.x.x 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service H323 tcp
port-object eq h323
object-group service SCN tcp
description Avaya Small Community Networking
port-object range 50795 50795
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.102.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.104.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.107.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.108.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.113.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.114.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.115.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.116.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.117.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.118.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.119.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.120.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.121.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.122.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.124.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.125.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.126.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.127.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.128.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.129.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.106.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.130.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.132.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.133.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.151.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.152.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.154.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.155.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.156.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.157.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.158.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.160.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.161.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.170.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.171.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.172.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.180.0.0 255.255.255.0
access-list nonat extended permit ip 10.123.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list nonat extended permit ip 10.150.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.131.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list vpn_to_jh70333 extended permit ip 10.20.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list 101_to_123 extended permit ip 10.101.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list 101_to_123 extended permit ip 10.123.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh13765 extended permit ip 10.20.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh51829 extended permit ip 10.20.0.0 255.255.255.0 10.102.0.0 255.255.255.0
access-list vpn_to_jh18114 extended permit ip 10.20.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list vpn_to_jh71216 extended permit ip 10.20.0.0 255.255.255.0 10.104.0.0 255.255.255.0
access-list vpn_to_jh18363 extended permit ip 10.20.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list vpn_to_jh18363 extended permit ip 10.20.0.0 255.255.255.0 10.130.0.0 255.255.255.0
access-list vpn_to_jh50642 extended permit ip 10.20.0.0 255.255.255.0 10.107.0.0 255.255.255.0
access-list vpn_to_jh18364 extended permit ip 10.20.0.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list vpn_to_jh18364 extended permit ip 10.20.0.0 255.255.255.0 10.132.0.0 255.255.255.0
access-list vpn_to_jh15533 extended permit ip 10.20.0.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list vpn_to_jh15533 extended permit ip 10.20.0.0 255.255.255.0 10.151.0.0 255.255.255.0
access-list vpn_to_hg51135 extended permit ip 10.20.0.0 255.255.255.0 10.108.0.0 255.255.255.0
access-list vpn_to_jh70244 extended permit ip 10.20.0.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list vpn_to_jh50630 extended permit ip 10.20.0.0 255.255.255.0 10.113.0.0 255.255.255.0
access-list vpn_to_JH18640 extended permit ip 10.20.0.0 255.255.255.0 10.172.0.0 255.255.255.0
access-list vpn_to_jh70952 extended permit ip 10.20.0.0 255.255.255.0 10.180.0.0 255.255.255.0
access-list nonatout extended permit ip 10.105.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list nonatout extended permit ip 10.150.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonatout extended permit ip 10.131.0.0 255.255.255.0 10.150.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nonatout
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 70.63.248.109 1
timeout xlate 3:00:00
timeout conn 12:00:00 half-closed 12:00:00 udp 12:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 12:00:00 h225 12:00:00 mgcp 12:00:00 mgcp-pat 12:00:00
timeout sip 0:30:00 sip_media 0:10:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 3:00:00 absolute uauth 3:00:00 inactivity
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 10.20.0.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.123.0.158 community public
snmp-server location Processing
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-AES-MD5
crypto dynamic-map outside_dyn_map 5 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 65500 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 24.25.5.60 24.25.5.61
dhcpd option 176 ascii "TFTPSRVR=10.20.0.33,MCIPADD=10.20.0.32,MCPORT=1719"
!
dhcpd address 10.20.0.100-10.20.0.205 inside
dhcpd enable inside
!
priority-queue outside
tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption rc4-sha1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
username cisco password xx encrypted privilege 15
username blynch password xx encrypted privilege 0
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
!
class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
class-map Data
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class Voice
priority
policy-map Voicepolicy
class Voice
priority
class Data
police output 200000 37500
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
service-policy Voicepolicy interface outside
prompt hostname context
Cryptochecksum:xx
: end
JHSCHQ(config)#
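As an added example (not code from the original post), a small Python script that parses the class-map / policy-map / service-policy chain out of a pasted ASA config and flags any class that carries a priority or police action but whose class-map has no match criteria. The input is a constructed excerpt of the config above; in it, class-map Data has no match statement, so the police action attached to it in Voicepolicy cannot be matching any traffic.

```python
import re

# Constructed excerpt of the QoS part of the posted 5510 config (class-map Data is empty).
ASA_CONFIG = """\
class-map Voice
 match dscp ef
class-map Data
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map Voicepolicy
 class Voice
  priority
 class Data
  police output 200000 37500
service-policy Voicepolicy interface outside
"""

def parse_asa_qos(text):
    # class_maps: name -> [match lines]; policy_maps: name -> {class: [actions]}
    class_maps, policy_maps, bindings = {}, {}, {}
    block = cls = cur = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"(class-map|policy-map) (\S+)$", s)
        if m:  # start of a plain class-map or policy-map block
            block, cls = m.group(1), None
            cur = (class_maps if block == "class-map" else policy_maps).setdefault(
                m.group(2), [] if block == "class-map" else {})
        elif not s or s == "!" or s.startswith(("class-map type", "policy-map type")):
            block = None  # separators and type-inspect maps end the current block
        elif s.startswith("service-policy "):
            name, scope = s.split(maxsplit=2)[1:]  # scope: "global" or "interface <nameif>"
            bindings[name] = scope
        elif block == "class-map" and s.startswith("match "):
            cur.append(s)
        elif block == "policy-map" and s.startswith("class "):
            cur.setdefault(cls := s.split()[1], [])
        elif block == "policy-map" and cls:
            cur[cls].append(s)
    return class_maps, policy_maps, bindings

def lint_qos(text):
    # Report priority/police actions attached to a class whose class-map matches nothing.
    cmaps, pmaps, bindings = parse_asa_qos(text)
    return [f"{p} ({bindings.get(p, 'not applied')}): class {c} runs '{a}' but matches nothing"
            for p, classes in pmaps.items() for c, actions in classes.items()
            for a in actions if a.startswith(("priority", "police")) and not cmaps.get(c)]
```

Run `lint_qos` over a full `show running-config` paste to get the same report for every policy-map, including ones that are defined but never bound with service-policy.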
 
I'll add that the above configuration isn't accomplishing what I need to do. We're still experiencing regular voice quality problems at certain sites and intermittent issues at all (I can deal with intermittent). I've thought of applying QOS via VLAN as well. All we need to do to isolate our voice traffic is isolate two devices at the central site and all the POE ports on the 5505s. That should be rather easy to do.

I originally chose to do it via dscp because I thought some router or switch on the public network might notice the dscp priority in the packet and route it faster, though in hindsight that doesn't really make sense since it is the individual telephones/call servers applying the dscp settings, so they will be there no matter what I do with the routers' settings.

Also, I'm not even sure that I have a QOS issue as when I do a show priority-queue statistics command the results are:
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 7036167
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0

Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 4552671
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
JHSCHQ(config)#

So there are actual drops or other issues -- of course I ran this at midnight when no one was on the phone, but it should have shown me any drops back to the last device reset, right? I haven't had the opportunity to run the same command at the remote locations yet, but will do so and post the results.

Richard
 
The problem is that no matter how much you try to provide QoS, once the packets leave your domain they are all treated as best-effort traffic by your ISP and all other ISPs down the line. If you want true QoS and SLA enforcement you need leased lines between each facility.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 