Cisco ASA QoS for VoIP Traffic





One of the new additions in the Cisco ASA 7.x and 8.x software image is the ability to configure Quality of Service for VoIP traffic, something that was previously found only on IOS routers. The ASA now supports Low Latency Queuing (LLQ, priority queuing), which lets you prioritize certain traffic flows (such as latency-sensitive traffic like voice and video) ahead of other traffic.

In its simplest form, you just enable priority queuing on an interface and select, with an ACL and a policy map, which traffic should pass through the priority queue of that interface. All other traffic passes through the “best effort” queue. For example, if an FTP data packet (usually a large packet) and a VoIP packet are waiting on the same interface, the VoIP packet is served first from the priority queue while the FTP packet is served on a best-effort basis.

In our example below, we present a common scenario in which two (or more) sites communicate through a LAN-to-LAN IPSEC VPN over the Internet. Between the sites we can have both data and VoIP traffic. Although we cannot enforce real QoS across the Internet, we can at least ensure voice traffic prioritization on the firewall interface.

[Diagram: Cisco ASA QoS for VoIP over a VPN]

From the diagram above we assume that the IPSEC VPN has already been configured and is working properly (i.e. both subnets 192.168.1.0/24 and 192.168.2.0/24 can communicate via the tunnel). The example configuration below is for the ASA-1 firewall and should be applied accordingly to ASA-2 for better QoS performance.

! Enable a priority queue on the outside interface

ASA-1(config)# priority-queue outside
ASA-1(config-priority-queue)# exit

! Select VoIP traffic for prioritization

ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq h323
ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq sip
ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 2000

ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq h323
ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq sip
ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 2000

! Match the ACL and traffic with Expedited Forwarding (EF)

ASA-1(config)# class-map Voice-OUT
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-OUT
ASA-1(config-cmap)# exit


ASA-1(config)# class-map Voice-IN
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-IN
ASA-1(config-cmap)# exit

! Configure the actual policy that will be applied to the interface

ASA-1(config)# policy-map VoicePolicy
ASA-1(config-pmap)# class Voice-OUT
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit

ASA-1(config-pmap)# class Voice-IN
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit
ASA-1(config-pmap)# exit

! Apply the policy to the outside interface

ASA-1(config)# service-policy VoicePolicy interface outside
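As an added example (not part of the original post), here is a small Python lint that checks an ASA QoS configuration for the pitfalls raised in the comments below: more than one match line in a class-map, a VoIP ACL that permits TCP only (so the UDP RTP payload is never prioritized), an ACL referenced before it is defined, and a priority policy applied to an interface without a priority queue. The sample configuration embedded in the script is constructed for this example.

```python
import re
# Constructed sample modelled on the ASA-1 configuration above: a class-map with two
# match lines, a TCP-only VoIP ACL, an undefined ACL, and a policy on an interface
# that has no priority queue (the issues raised in the comments below).
SAMPLE_CFG = """\
priority-queue outside
access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq sip
class-map Voice-OUT
 match dscp ef
 match access-list VoIP-Traffic-OUT
class-map Voice-IN
 match access-list VoIP-Traffic-IN
policy-map VoicePolicy
 class Voice-OUT
  priority
 class Voice-IN
  priority
service-policy VoicePolicy interface outside
service-policy VoicePolicy interface inside
"""

def _blocks(cfg, keyword):
    """Yield (name, stripped body lines) for each '<keyword> <name>' block."""
    for name, body in re.findall(rf"^{keyword} (\S+)\n((?: .*\n)*)", cfg, re.M):
        yield name, [line.strip() for line in body.splitlines()]

def lint_asa_qos(cfg):
    """Return findings for the ASA priority-queuing pitfalls discussed on this page."""
    findings = []
    pq_ifaces = set(re.findall(r"^priority-queue (\S+)", cfg, re.M))
    acl_protos = {}  # ACL name -> set of protocols it permits
    for name, proto in re.findall(r"^access-list (\S+) extended permit (\S+)", cfg, re.M):
        acl_protos.setdefault(name, set()).add(proto)
    for name, lines in _blocks(cfg, "class-map"):
        matches = [l for l in lines if l.startswith("match ")]
        if len(matches) > 1:  # the ASA rejects a second match line (error quoted below)
            findings.append(f"class-map {name}: {len(matches)} match lines, ASA allows only one")
        for m in matches:
            if m.startswith("match access-list "):
                acl = m.split()[2]
                if acl not in acl_protos:  # ACL must exist before the class-map references it
                    findings.append(f"class-map {name}: access-list {acl} is not defined")
                elif "udp" not in acl_protos[acl]:  # RTP voice payload is UDP
                    findings.append(f"access-list {acl}: TCP only, RTP voice payload (UDP) is not matched")
    # A 'priority' class is only honoured on interfaces with 'priority-queue' enabled
    priority_pmaps = {n for n, lines in _blocks(cfg, "policy-map") if "priority" in lines}
    for pmap, iface in re.findall(r"^service-policy (\S+) interface (\S+)", cfg, re.M):
        if pmap in priority_pmaps and iface not in pq_ifaces:
            findings.append(f"interface {iface}: policy {pmap} uses priority but no priority-queue is enabled")
    return findings
```

Running `lint_asa_qos(SAMPLE_CFG)` reports all four problems; a configuration with a single ACL match per class-map, a UDP RTP range in the ACL and `priority-queue` on every interface that carries the policy comes back clean.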


6 Responses to 'Cisco ASA QoS for VoIP Traffic'

  1. Wesley - May 18th, 2009 at 11:40 am

    ASA-1(config)# class-map Voice-OUT
    ASA-1(config-cmap)# match dscp ef
    ASA-1(config-cmap)# match access-list VoIP-Traffic-OUT

    I cannot add these 2 matches. Can you help me?

  2. BlogAdmin - May 19th, 2009 at 9:22 am

    First of all, for the access list match you must create the ACL first and then use it in the match statement of the class-map. For the dscp value match, this should work just as I show in the example. If you still have problems for matching the dscp value, just leave the ACL match only.

    Cheers
    Harris

  3. fkento - November 8th, 2009 at 5:58 pm

    I too am having the same problem as Wesley. When I try to add the second match, I get this

    ERROR: Multiple match commands are not supported except for the ‘match tunnel-group or default-inspect-traffic’ command.

    This seems to imply that you cannot have two match statements in a class-map. If that is true, how do you match traffic with Express Forwarding and the ACL?

    Thanks for your help!

  4. BlogAdmin - November 9th, 2009 at 2:20 am

    Well guys, the firewall I tested the above configuration on did not give me an error message. Maybe it depends on the software version. Anyway, my opinion is to forget about matching the DSCP EF value and use only the ACL matching. Since the ACL is very specific (i.e. you match specific traffic with specific ports: h323, sip, 2000), then you can be assured that you are only prioritizing voice traffic and nothing else. Also, matching on the DSCP value might not be a very reliable match since you depend on the voice source device, which must set the DSCP value of the voice packets to EF.

  5. fkento - November 19th, 2009 at 10:36 am

    First of all, thanks for the great information on your site. It is very helpful. However, I just want to point out that I was having problems getting priority queuing to work so I called Cisco and they said priority queuing will not work unless you also implement traffic policing or shaping. Here is a good article that discusses both. http://tinyurl.com/yed7e6l

    Also, your access list only matches tcp traffic and most VoIP traffic is udp so you’re probably not matching any packets with the current ACL. I changed mine to udp and it’s working now.

    Thanks
    Kent

  6. BlogAdmin - November 19th, 2009 at 2:00 pm

    fkento

    Thanks for the comment. Usually the signaling control protocols (H323, SIP, and SCCP) use TCP ports for communication. H323 uses TCP 1720, SIP uses TCP port 5060 and the Cisco SCCP protocol uses TCP 2000. Sometimes I have seen devices using UDP also so yes you might be right that UDP should be configured also on the ACL in addition to TCP. For payload voice traffic, this is definitely UDP (Real Time Protocol-RTP).

    Cheers

