The QoS solution is extremely useful when organizations run into network congestion, or when they want to prioritize some network traffic over other traffic. Although this important feature can be deployed in many ways, this section covers two design scenarios for the ease of understanding:
The design scenarios discussed in this section should be used solely to enforce learning. They should be used for reference purposes only.
QoS for VoIP Traffic
SecureMe's information technology (IT) group is responsible for providing network services to its internal users. The IT group hosts an e-mail server and uses Cisco IP Phones for telecommunications. SecureMe management has some specific requirements that the IT group is obliged to meet:
Figure 12-6 shows SecureMe's topology that will be used to meet the network requirements.
Figure 12-6. SecureMe's VoIP and E-Mail QoS Policy
The administrator has put together the following list to meet the requirements:
The voip-qos-policy policy map is applied to the outside interface and the SMTP-policy policy map is applied to the inside interface. Example 12-10 shows the relevant configuration of SecureMe's ASA to achieve the previously listed requirements.
Example 12-10. ASA's Full Configuration Showing QoS for VoIP
SecureMe# show run ASA Version 7.0(1) ! ip address on the outside interface interface GigabitEthernet0/0 nameif outside security-level 0 ip address 220.127.116.11 255.255.255.224 ! ip address on the inside interface interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.10.1 255.255.255.0 ! hostname SecureMe !Access-list to classify Mail-traffic. SecureMe uses SMTP to upload emails access-list Mail-ACL-in extended permit tcp any host 18.104.22.168 eq smtp !Access-list to classify Mail-traffic. SecureMe uses POP3 to download emails access-list Mail-ACL-out extended permit tcp host 22.214.171.124 eq pop3 any !Access-list to classify Web-traffic to the internet. access-list web-out extended permit tcp host 126.96.36.199 any eq www !Syslog Server information to log the dropped packets. logging enable logging trap informational logging host inside 192.168.10.101 !NAT configuration to allow inside hosts to get Internet connectivity global (outside) 1 interface nat (inside) 1 192.168.10.0 255.255.255.0 !Static address translation for the Mail-Server static (inside,outside) 188.8.131.52 192.168.10.11 netmask 255.255.255.255 ! route outside 0.0.0.0 0.0.0.0 184.108.40.206 1 !Class-map to classify Mail traffic in the outbound direction class-map mail-pop match access-list Mail-ACL-out !Class-map to classify Mail traffic in the inbound direction class-map mail-smtp match access-list Mail-ACL-in !Class-map to classify Web traffic in the outbound direction class-map web match access-list web-out !Class-maps to classify VoIP traffic class-map voip-sig match dscp af31 class-map voip-rtp match dscp ef ! Policy-map to define rules applied on traffic-class policy-map voip-mail-qos-policy ! POP mail is rate-limited to 56kbps class mail-pop police 56000 10500 ! VoIP signal is prioritized class voip-sig priority ! VoIP data is prioritized class voip-rtp priority ! Web-mail is rate-limited to 56kbps class web police 56000 10500 ! Policy-map to define rules applied on inbound mail (SMTP) policy-map SMTP-policy ! SMTP mail is rate-limited to 56kbps class mail-smtp police 56000 10500 ! Inspection Policies policy-map global_policy class inspection_default inspect ctiqbe inspect http inspect xdmcp inspect icmp ! Global Policy applied for traffic inspection service-policy global_policy global ! QoS policy is applied to the outside interface service-policy voip-mail-qos-policy interface outside ! QoS policy is applied to the inside interface service-policy SMTP-policy interface inside ! Priority Queue is setup on the outside interface for QoS efficiency priority-queue outside tx-ring-limit 100 queue-limit 200
QoS for the Remote-Access VPN Tunnels
Figure 12-7 shows network topology for SecureMe's London's office. It has a Cisco ASA that it uses to provide VPN services for remote users. These users use the security appliance to connect to a file server to access their home directories. SecureMe does not want its broadband VPN users to fully utilize the bandwidth for its office. Therefore, it is interested in using QoS for the VPN tunnels to restrict the users to 256 kbps. SecureMe also hosts a web server at this location. However, it does not want to restrict the Internet web clients when they connect to the web server.
Figure 12-7. SecureMe Network Using QoS for VPN Tunnels
Refer to Chapter 16, "Remote Access VPNs," for detailed VPN configuration examples.
Example 12-11 shows the running configuration of the security appliance in London. A class map called VPN-traffic is configured to match all the packets destined to the VPN group called SecureMeGroup. To provide Internet users access to the web server, another class map called web is set up. The traffic is matched against an ACL that is configured to identify TCP port 80 packets. Both of these classes are linked to a policy map called VPN-Policy, where the VPN traffic is rate-limited to 256 kbps for normal traffic with a burst rate of 48000 bytes. The security appliance is also configured to prioritize web traffic passing through it. The policy is then applied to the outside interface.
Example 12-11. Full Configuration of the ASA in Chicago Using QoS
London# show running ! ip address on the outside interface interface GigabitEthernet0/0 nameif outside security-level 0 ip address 220.127.116.11 255.255.255.224 ! ip address on the inside interface interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.30.1 255.255.255.0 ! hostname London !ACL to classify Web-traffic access-list HTTP_ACL extended permit tcp host 18.104.22.168 eq www any !ACL to bypass address translation for the traffic destined to the VPN clients access-list nonat extended permit ip 192.168.30.0 255.255.255.0 192.168.50.0 255.255.255.0 !NAT 0 to bypass traffic identified in ACL nonat nat (inside) 0 access-list nonat !Static address translation for the web server static (inside,outside) 22.214.171.124 192.168.30.10 netmask 255.255.255.255 ! Local pool of addresses to be assigned to the VPN clients ip local pool vpnpool 192.168.50.1-192.168.50.199 ! sysopt to bypass traffic filters sysopt connection permit-ipsec ! Transform set to specify encryption and hashing algorithm ! Crypto map configuration crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map IPSec_map 10 ipsec-isakmp dynamic dynmap crypto map IPSec_map interface outside ! isakmp configuration isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption aes-256 isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 ! Remote Access tunnel-group configuration tunnel-group SecureMeGroup type ipsec-ra tunnel-group SecureMeGroup general-attributes address-pool vpnpool tunnel-group SecureMeGroup ipsec-attributes pre-shared-key * ! Class-map to classify VPN packets class-map VPN-traffic match flow ip destination-address match tunnel-group SecureMeGroup !Class-map to classify Web traffic class-map web match access-list HTTP_ACL ! Policy-map to define rules applied on traffic-class policy-map VPN-Policy class VPN-traffic police 256000 48000 class web priority ! Inspection Policies policy-map global_policy class inspection_default inspect ctiqbe inspect http inspect xdmcp inspect icmp ! Global Policy applied for traffic inspection service-policy global_policy global ! Priority Queue is setup on the outside interface for QoS efficiency priority-queue outside tx-ring-limit 100 queue-limit 200 ! QoS policy is applied to the outside interface service-policy VPN-Policy interface outside
Part I: Product Overview
Introduction to Network Security
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
Authentication, Authorization, and Accounting (AAA)
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM