How to set up ASA QoS for IP ranges?


Snooty42

Technical User
Oct 12, 2009
GB
Hello

I have an ASA 5505 with an IPSec VPN link to HeadOffice.
The VPN setup works fine.

I now want to configure it so that IP range

Range1 192.168.210.2 - 192.168.210.10 has top priority while
Range2 192.158.210.150 - 192.168.210.160 has lowest priority.

Range2 consists of ip cameras streaming to the office which should be free to use all the bandwidth when Range1 is not being used (data).

However when Range1 is in use then
Range2 should slow right down, e.g. 80Kb, so as to give max bandwidth to Range1.

Otherwise I find Range2 floods the bandwidth, causing massive slowdown in Range1.

I assume the best way to do this is via QoS; is this even possible on the ASA5505?

If it is, what do I need to add to my script to achieve the above?

If not, then what device/setup do I need to get the above done?


Thank You
Snooty
 
You can apply a qos-policy to your VPN tunnel. Consider marking the traffic as close to the source as possible so that the ASA only has to match based on ToS and minimize the amount of work that it has to do.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you for the link, unclerico.

It is very useful and I shall have a go and try to work through it.

With regard to marking the traffic as close to the source as possible, this was my original plan.

What I did was set up two VLANs on a ProCurve switch:
VLAN1: Data Priority 7 (High)
VLAN2: Video Priority 1 (Low)
This was nice and simple to do :)

Both VLANs were then connected to the ASA5505 unit.

My thinking was that the 5505 unit would therefore give priority to VLAN1 when it was being used.

But it seemed to make no difference as if the ASA unit was simply ignoring the tagging.

Is there a command that I am missing which would tell the ASA unit to follow the tagging rules for existing traffic, e.g. enable QoS?
 
Is there a command that I am missing which would tell the ASA unit to follow the tagging rules for existing traffic, e.g. enable QoS?
1) I'm not sure which model of Procurve you're running, but I would mark the traffic based on vlan-id for DSCP since the ASA does not provide the ability to match based on 802.1p markings. So it would look something like this:
Code:
procurve(config)# qos dscp-map 010010 priority 5
procurve(config)# qos dscp-map 001000 priority 1
procurve(config)# vlan 1 qos dscp 010010
procurve(config)# vlan 3 qos dscp 001000
Marking vlan1 with AF21 and vlan3 as cs1. Also, Priority 6 and 7 are in the expedite/priority queue; I would reserve that queue just in case you add voice capability or have requirements for other low latency traffic. Priority 5 traffic is in the Medium queue (emptied second depending on whether or not any traffic is in the high priority queue) and Priority 1 traffic is in the Low queue (emptied last). Chances are you'll never have issues with congestion on the switches themselves, but it never hurts to have a proper qos policy in place.

2) On the ASA create a QoS policy like this:
Code:
 class-map video_traffic
  match dscp cs1
  match tunnel-group <l2l_tunnel_group>

 policy-map qos_policy
  class video_traffic
    police output 80000
The issue is that all traffic emanating from vlan1 will be marked as AF21 and all traffic emanating from vlan3 will be marked as cs1, so when that traffic hits the ASA, regardless of whether it is destined for the other side of the L2L tunnel, it will be subject to policing should congestion occur. This may or may not be what you want, so I added the second match criterion under the class-map to match the tunnel-group for the L2L tunnel. This way, if there is traffic coming from vlan3 that needs to go to the Internet, it will be in the class-default class and not be policed. Like I said, this may or may not be what you want.

Also, watch your resource usage on the ASA itself as QoS adds extra load on the device. The QoS capabilities of the ASA are most definitely not as refined or as robust as those of a Router.

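The ProCurve commands in the reply above write DSCP values as six binary digits (010010, 001000) while the ASA class-map matches on the keyword (cs1). The helper below is an added example, not code from either poster or from HP or Cisco: it decodes any six-bit DSCP string into its decimal value and the standard per-hop-behaviour keyword (CSx, AFxy, EF), so the switch-side marking can be checked against the keyword the ASA will match. It covers the whole standard DSCP name space, not just the two values used in the post. The VLAN-to-DSCP table is a constructed sample taken from the reply.

```python
# Added example (not from the thread): decode the 6-bit DSCP strings used in the
# ProCurve "qos dscp-map" / "vlan N qos dscp" commands into a decimal value and
# the Cisco keyword, so the switch marking can be checked against the ASA's
# "match dscp <keyword>" line.
from typing import Dict, Tuple

# Constructed sample: the two VLAN markings configured in the reply above.
SWITCH_DSCP_MAP: Dict[str, str] = {
    "vlan 1": "010010",   # intended to be AF21
    "vlan 3": "001000",   # intended to be CS1
}


def dscp_bits_to_int(bits: str) -> int:
    """Parse a 6-character binary DSCP string such as '010010' into 0..63."""
    if len(bits) != 6 or any(b not in "01" for b in bits):
        raise ValueError(f"DSCP must be exactly 6 binary digits, got {bits!r}")
    return int(bits, 2)


def dscp_name(value: int) -> str:
    """Return the per-hop-behaviour keyword for a DSCP value.

    Bit layout (RFC 2474 / 2597 / 3246): bits 5-3 = class selector,
    bits 2-1 = drop precedence, bit 0 = 0 for all standard code points.
      CSx  : drop precedence 0 (cs0 is best effort / default)
      AFxy : class 1..4, drop precedence 1..3
      EF   : decimal 46
    Anything else has no standard keyword and is returned as a number.
    """
    if not 0 <= value <= 63:
        raise ValueError("DSCP value out of range 0..63")
    if value == 46:
        return "ef"
    cls, drop, low = value >> 3, (value >> 1) & 0b11, value & 1
    if low == 0 and drop == 0:
        return f"cs{cls}"
    if low == 0 and 1 <= cls <= 4:
        return f"af{cls}{drop}"
    return str(value)


def describe_switch_marking(mapping: Dict[str, str]) -> Dict[str, Tuple[int, str]]:
    """Map each VLAN label to (decimal DSCP, keyword)."""
    result = {}
    for vlan, bits in mapping.items():
        value = dscp_bits_to_int(bits)
        result[vlan] = (value, dscp_name(value))
    return result


def asa_class_matches(asa_match_keyword: str, switch_bits: str) -> bool:
    """True if an ASA 'match dscp <keyword>' line would catch traffic marked
    with the given switch-side binary DSCP value."""
    return dscp_name(dscp_bits_to_int(switch_bits)) == asa_match_keyword.lower()


if __name__ == "__main__":
    for vlan, (num, name) in describe_switch_marking(SWITCH_DSCP_MAP).items():
        print(f"{vlan}: dscp {num} ({name})")
    print("ASA 'match dscp cs1' catches vlan 3 traffic:",
          asa_class_matches("cs1", SWITCH_DSCP_MAP["vlan 3"]))
```

Running it confirms the two markings in the reply decode to 18 (af21) and 8 (cs1), and that only the vlan 3 marking falls into a class-map that matches `dscp cs1`.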
 
Hello unclerico,

Thank you very much for your advice.

I was not aware that the ASA did not match 802.1p markings, which is what I was doing on the ProCurve 2626.

I will brush up on my dscp and try your method out over the weekend and post the results once I have done this.
I have a feeling that it will solve this issue quite nicely!

Thank you once again for your guidance.
 
good luck, and definitely keep us informed.

 
Hello,
Well I had a fun weekend :)

I was still having some problems getting it working so I decided to simplify.

Instead of using the ProCurve I plugged a PC and a transmitting network camera into the 5505 and tried to do priority by IP address.

PC 192.168.210.5
Camera 192.168.210.102

With this in mind I followed your idea of policing the output of the network camera, so I did:
*************************************
access-list throttle_me extended permit ip host 192.168.210.102 any
access-list throttle_me extended permit ip any host 192.168.210.102

class-map throttle-me
match access-list throttle_me

policy-map throttle-policy
class throttle-me
police output 200000

service-policy throttle-policy interface outside

This worked fine and I could clearly see that the network camera was being capped at around 200K of my upload bandwidth.

However what I wanted was for the camera to use all the bandwidth until such time as it was needed by the PC.

I then thought that if I can ensure that 192.168.210.5 gets a minimum bandwidth, e.g. 400K, then the camera would be free to use all the bandwidth, but when the PC needed the bandwidth it would get the needed 400K,

so I scrubbed the above and tried it with the PC as the focus:
***********************************
access-list throttle_me extended permit ip host 192.168.210.5 any
access-list throttle_me extended permit ip any host 192.168.210.5

class-map throttle-me
match access-list throttle_me

policy-map throttle-policy
class throttle-me
police output 400000

service-policy throttle-policy interface outside


However this did not work, and as soon as the network camera started to transmit the entire bandwidth was flooded again :(

Unless I am missing a command here which guarantees the above 400000 as a minimum.

I also scrubbed the above and tried:

***********************************************
access-list priority_me extended permit ip host 192.168.210.5 any
access-list priority_me extended permit ip any host 192.168.210.5

class-map priority-me
match access-list priority_me

policy-map priority-policy
class priority-me
priority

service-policy priority-policy interface outside

but got an error on the last command.
******************************************

I think it is the right thing to sort the issue out on an IP level without the ProCurve before bringing QoS functions into it.


Back to square one :)
Any clues as to where I may be going wrong?
 
I believe on the ASAs policing will be constant as opposed to only when congestion occurs. Unlike on a router, there are no minimum bandwidth guarantees.

What error did you receive when you tried to apply the service-policy? Since you have a priority queue you need to add priority-queue outside. In theory your last example should work, but you can remove the second ACE from the priority_me ACL.



 
Hello

For
service-policy priority-policy interface outside

I get
ERROR: Class throttle-me has 'priority' set without 'priority-queue' in any interface

Which is what I thought I was doing with the last command?

Thanks

 
in my last post i referenced that priority-queue outside needed to be added to the config, did you ever add that in?

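The error quoted above ("Class throttle-me has 'priority' set without 'priority-queue' in any interface") is a dependency between two separate commands that is easy to miss when pasting a policy in. The script below is an added example, not from the thread or from Cisco: it reads ASA QoS lines of the kind posted in this thread (access-list, class-map, policy-map, service-policy, priority-queue) and reports that dependency before the config is applied, flags dangling references, and, following the point made earlier in the thread that policing is a constant cap with no minimum guarantee, labels every `police` action as a ceiling. The parsing rules are an assumption limited to the commands used here; the sample config is a constructed copy of the third attempt, before `priority-queue outside` was added.

```python
# Added example, not part of the thread: a small lint for ASA QoS snippets.
# Assumption: only the commands used in the thread are recognised
# (access-list, class-map/match, policy-map/class/priority/police,
# service-policy ... interface, priority-queue); other lines are ignored.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: the third attempt from the thread, before the
# 'priority-queue outside' line was added.
SAMPLE_CONFIG = """\
access-list priority_me extended permit ip host 192.168.210.5 any
class-map priority-me
 match access-list priority_me
policy-map priority-policy
 class priority-me
  priority
service-policy priority-policy interface outside
"""


@dataclass
class QosConfig:
    acls: Set[str] = field(default_factory=set)
    class_maps: Dict[str, List[str]] = field(default_factory=dict)              # name -> match lines
    policy_maps: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)  # pmap -> class -> actions
    service_policies: Dict[str, str] = field(default_factory=dict)              # interface -> pmap
    priority_queues: Set[str] = field(default_factory=set)                      # interfaces with priority-queue


def parse_asa_qos(text: str) -> QosConfig:
    """Collect the QoS-related objects from a block of ASA config lines."""
    cfg = QosConfig()
    ctx = None  # ("class-map", name) or ("policy-map", pmap, current_class)
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        kw = words[0]
        if kw == "access-list" and len(words) > 1:
            cfg.acls.add(words[1]); ctx = None
        elif kw == "class-map" and len(words) > 1:
            cfg.class_maps.setdefault(words[1], []); ctx = ("class-map", words[1])
        elif kw == "policy-map" and len(words) > 1:
            cfg.policy_maps.setdefault(words[1], {}); ctx = ("policy-map", words[1], None)
        elif kw == "service-policy" and len(words) == 4 and words[2] == "interface":
            cfg.service_policies[words[3]] = words[1]; ctx = None
        elif kw == "priority-queue" and len(words) == 2:
            cfg.priority_queues.add(words[1]); ctx = None
        elif ctx and ctx[0] == "class-map" and kw == "match":
            cfg.class_maps[ctx[1]].append(" ".join(words))
        elif ctx and ctx[0] == "policy-map" and kw == "class" and len(words) == 2:
            ctx = ("policy-map", ctx[1], words[1])
            cfg.policy_maps[ctx[1]].setdefault(words[1], [])
        elif ctx and ctx[0] == "policy-map" and ctx[2] is not None:
            cfg.policy_maps[ctx[1]][ctx[2]].append(" ".join(words))
    return cfg


def lint_asa_qos(text: str) -> List[str]:
    """Return ERROR/WARN/INFO findings for the given config text."""
    cfg = parse_asa_qos(text)
    out: List[str] = []
    for cname, matches in cfg.class_maps.items():
        for m in matches:
            w = m.split()
            if len(w) >= 3 and w[1] == "access-list" and w[2] not in cfg.acls:
                out.append(f"ERROR: class-map {cname} matches undefined access-list {w[2]}")
    for iface, pmap in cfg.service_policies.items():
        if pmap not in cfg.policy_maps:
            out.append(f"ERROR: service-policy on {iface} references undefined policy-map {pmap}")
            continue
        for cname, actions in cfg.policy_maps[pmap].items():
            if cname != "class-default" and cname not in cfg.class_maps:
                out.append(f"ERROR: policy-map {pmap} uses undefined class-map {cname}")
            kinds = {a.split()[0] for a in actions}
            if "priority" in kinds:
                if not cfg.priority_queues:
                    # The condition the ASA itself rejects when the service-policy is applied.
                    out.append(f"ERROR: Class {cname} has 'priority' set without "
                               f"'priority-queue' in any interface")
                elif iface not in cfg.priority_queues:
                    out.append(f"WARN: class {cname} uses 'priority' on {iface} but "
                               f"'priority-queue {iface}' is not configured")
            for a in actions:
                m = re.match(r"police\s+(input|output)\s+(\d+)", a)
                if m:
                    out.append(f"INFO: class {cname}: police {m.group(1)} {m.group(2)} bit/s "
                               f"is a constant cap, not a minimum bandwidth guarantee")
    return out


if __name__ == "__main__":
    print("\n".join(lint_asa_qos(SAMPLE_CONFIG)))
    print("--- after adding 'priority-queue outside' ---")
    fixed = lint_asa_qos(SAMPLE_CONFIG + "priority-queue outside\n")
    print("\n".join(fixed) if fixed else "(no findings)")
```

On the sample the lint reproduces the ASA's own complaint; appending `priority-queue outside` clears it, and feeding in the earlier `police output 200000` policy yields only the informational note that the rate is a cap.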
 
Hi unclerico

In the words of the great Homer -- Doh!!!
My apologies, I had rushed through a little too fast.

I added the command in + removed the second ACE and it accepted the configuration.

However it did not work as intended, for example:
192.168.210.5 (PC) & 192.168.210.102 (Camera)

In the above config I gave the PC priority and the ASDM service policy rules show this in place.

However a test shows that it has no effect:

Copy 2MB file to remote location
(Average speeds taken over multiple attempts)

Without network camera running: 37 Seconds
With network camera running: 2Mins 26 seconds

---------------------
I have the throttle side understood well and the ASA implements this perfectly.

It is a pity that the policing committed rate cannot be set as a minimum guaranteed rate.

The priority command seems to get no results, unless I am doing something wrong or misunderstanding its purpose.

I tried to play around with the queue limit + transmission ring limit settings by setting them to their highest and lowest values but this did not change the above results.

I am starting to think that this is just not possible with the 5505 unit....

Should I give up now or is there anything else I could try?

 
i would try one last thing. according to the documentation:
If a service policy is applied or removed from an interface that has existing VPN Client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. In order to apply or remove the QoS policy for such connections, you must clear (drop) the connections and re-establish them.
so when you can, clear the crypto sa and let it re-establish. see if that works for you. if that doesn't work, you may want to look at putting in a Cisco router instead as that will do what you need.

 
Hi unclerico,

>>clear the crypto sa and let it re-establish

I tried this and also saved & restarted the entire unit but this had no effect.

I have also over the week tried many many different ideas, including the bandwidth shaping option with priority given to the PC IP address etc. All to no effect.

Your tip actually provided a clue as to the problem.

Because the network camera is streaming at all times, it does not break like normal traffic to allow the ASA to prioritise the traffic.

I confirmed this by using another PC instead of the camera and starting a file transfer after the first PC; I could clearly see the benefit of QoS in this instance.

If I momentarily pull the network cord on the camera, my PC test transmission speeds up, and it stays faster even when the camera has re-established its connection, as long as I am still mid-transmission. However this is clearly not practical :)


What I really wanted was to reserve minimum bandwidth for the PC so they would not be choked when they tried to use the WAN.

After a lot of digging through the guides I found this is not possible on the ASA units.

The cisco website states that for the ASA
"Bandwidth reservation is not supported. There is no minimum bandwidth guarantee."

which I suppose is the clearest way of stating that I have no chance of getting this done via the ASA :)

I will now start to look at a cisco router to do the job.
Any recommendations for the cheapest one that will do the job?

All I really need is a 1 x IPSEC VPN connection + minimum bandwidth guarantee for an ip range / vlan (10 Users Max).

From what I can see the choices are the 871 or 1811 Integrated Services Routers. Am I on the right track?

Do these also require smartnet like the ASA in order to get the latest images?

It has been an interesting learning experience and I am very grateful for your help without which I think I would still be stuck at stage 1 !!!!

Thanks again
 
I would go with an 1811 personally. As far as SmartNet, unfortunately the legal answer is yes. Be sure to post any questions regarding the QoS setup in the Cisco Routers forum and we'll help you out. Good luck.

 
1800 series it is then :)
I shall get hold of a unit and start to have a play.

This might sound a daft question.

For a branch, as I only have a single IPSEC VPN connection to Headoffice + whitelist internet access to selected corporate sites, e.g. Bank, SFTP, and no other traffic is allowed in or out, do I still need the ASA or any other form of firewall?

Thanks
 
i would definitely have a firewall in the mix without question. you can simply deploy the zone-based firewall features in the IOS on the 1800 series or you can use a separate firewall.

 