QoS on Cisco ASA 5505 (DSL)

I have a site with a DSL connection and I'd like to implement outgoing QoS for VoIP. I am aware that the QoS cannot be guaranteed on the inbound (unless done from the ISP) but at this time I'm only having issues when the users on-site are uploading data to an FTP site. I had a similar site 2-3 years ago where I successfully did this, however I do not have a copy of the configuration file, and am having difficulty duplicating what I did back then. Basically as soon as they start uploading files to the FTP site the call data starts cutting in and out.

This is my current config. I'm sure I'm close, but just missing something:

ASA Version 7.2(3)
!
hostname RAPID-ASA
domain-name sitename.org
enable password encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.240.30.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name sitename.org
access-list 110 extended permit icmp any any
access-list 110 extended permit icmp any any echo-reply
access-list 110 extended permit icmp any any time-exceeded
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 110 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http X.X.X.X 255.255.255.224 outside
http 10.0.0.0 255.0.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 25
ssh X.X.X.X 255.255.255.224 outside
ssh timeout 60
console timeout 0
dhcpd dns
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 10.240.30.1-10.240.30.32 inside
dhcpd enable inside
!
priority-queue inside
 queue-limit 250
priority-queue outside
 queue-limit 250
!
class-map outside-class1
 description Voice-Call-Sig
 match dscp cs3 af31
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 description Voice-Carrier
 match dscp cs5 ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map outside-policy
 description VOIP
 class outside-class
  priority
 class outside-class1
  priority
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context

Any help would be appreciated.

Reply to
Joe

Are you sure your DSL modem implements QoS? If not, there is little you can do from a device behind the modem. The problem with realtime data when uploading is that a transmit queue will build inside the modem where all traffic lines up, and realtime traffic gets delayed too much. This can be solved when the modem offers some way to cut around this queue (by TOS specification), but does it? It can also be solved by rate-limiting the FTP upload traffic to a rate a bit below the upload rate of your connection.

Reply to
Rob

I don't know if it supports it or not, but it's the same setup I had before and it did the trick for me. Is there anything that you can see in my config that would make it not work?

Reply to
Joe

I have experience only with the rate-limiting solution, so I cannot really tell... (I use "traffic-shape group" commands)

Reply to
Rob

Do you have an example of some code to do this? I'd want to do this with ftp, and I have another site that I'd use it with SMTP (for a scan-to-email machine they have).

Reply to
Joe

On the interface attached to the DSL modem:

traffic-shape group 102 256000 12800 12800 1000
traffic-shape group 103 650000 32500 32500 1000
traffic-shape group 104 768000 76800 76800 1000

Access lists:

access-list 102 remark Outgoing ADSL low priority traffic
access-list 102 permit tcp any any eq smtp
access-list 103 remark Outgoing ADSL medium priority traffic
access-list 103 permit tcp any any
access-list 104 remark Outgoing ADSL high priority traffic
access-list 104 permit ip any any

Here SMTP is put in the low-rate group (256 kbps), any other TCP traffic is medium-rate (650 kbps) and the remainder of IP traffic is highest rate (768 kbps). Just an example, adapt to requirements.

Reply to
Rob

Reply to
alexd

The unit isn't accepting the traffic-shape command on the interface (tried on ETH0/0 and on Vlan2). Is that a function of a higher version than 7.2(3)?

Reply to
Joe

I assumed it would work on the ASA but apparently it doesn't. (I use this on routers)

Reply to
Rob

Yeah, I was looking at that document, but unfortunately it has a lot of information in it that doesn't make sense to me. ASAs are new to me, and most of what I can find involves putting QoS on a VPN connection. I tried to cobble that into what I was trying to do (which resulted in the configuration I have posted above), but there's something I'm missing.

Reply to
Joe

The ASA seems to have the tools you need.

The best solution is to do traffic shaping on the outbound traffic to limit the rate to the DSL upload rate. Then within that do priority queuing for your voice traffic.

This is implemented with a hierarchical policy map.

The main or outer policy map shapes the traffic to some rate and then the inner or sub policy map can priority queue the traffic within that rate.

There is an example in the document already mentioned.

See:- "Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing"

class-map CM.voice-carrier
 match dscp cs5 ef
!
Reply to
bod43
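
The hierarchical policy described in the last reply, written against the configuration posted at the top of the thread. This is an added example, not part of any post and not copied from the Cisco document. The `EX-` names are hypothetical, the 768000 bit/s rate is a placeholder for a value a bit below the site's real DSL upload rate, and it assumes an ASA software release that accepts the `shape` command.

```cisco
! Added example. All EX- names are hypothetical.
!
! Shaping and standard priority queueing cannot share an interface,
! so detach the original policy and its interface priority queue first.
no service-policy outside-policy interface outside
no priority-queue outside
!
! Voice classes, matched on the same DSCP values as the original config.
class-map EX-voice-bearer
 description Voice-Carrier
 match dscp cs5 ef
class-map EX-voice-signalling
 description Voice-Call-Sig
 match dscp cs3 af31
!
! Inner (sub) policy: priority-queue voice inside the shaped rate.
policy-map EX-voice-priority
 class EX-voice-bearer
  priority
 class EX-voice-signalling
  priority
!
! Outer policy: shape everything leaving the outside interface.
! Only class-default can be shaped. 768000 is a placeholder rate:
! use a multiple of 8000 slightly under the measured upload rate,
! so the queue forms on the ASA and not inside the DSL modem.
policy-map EX-outside-shape
 class class-default
  shape average 768000
  service-policy EX-voice-priority
!
service-policy EX-outside-shape interface outside
```

After applying it, `show service-policy interface outside` shows the shape and priority counters, which confirms whether voice packets are actually arriving with the DSCP values the class maps expect.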

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.