QoS Deployment Scenarios

QoS is most useful when an organization runs into network congestion, or when it wants to prioritize some network traffic over other traffic. Although the feature can be deployed in many ways, this section covers two design scenarios for ease of understanding:

  • QoS for VoIP traffic
  • QoS for the remote-access VPN tunnels

Note

The design scenarios discussed in this section are intended solely as learning aids and should be used for reference purposes only.

 

QoS for VoIP Traffic

SecureMe's information technology (IT) group is responsible for providing network services to its internal users. The IT group hosts an e-mail server and uses Cisco IP Phones for telecommunications. SecureMe management has some specific requirements that the IT group is obliged to meet:

  • Internal clients get full web access to the Internet. Their bandwidth is best effort and is restricted to 56 kbps.
  • VoIP calls must not suffer any network-related delays.
  • Internet e-mail users must not be allowed to use up the bandwidth when they download their e-mail using POP3; they are restricted to at most 56 kbps. Likewise, users are restricted to 56 kbps when they upload their e-mail via SMTP.
  • Log all the system-generated syslog messages to a server.

Figure 12-6 shows SecureMe's topology that will be used to meet the network requirements.

Figure 12-6. SecureMe's VoIP and E-Mail QoS Policy

The administrator has put together the following list to meet the requirements:

  • The administrator has set up five class maps to identify traffic.
  • A class map called mail-pop classifies all packets sourced from the mail server to the e-mail users when they download their e-mail using POP3.
  • The second class map, called mail-smtp, identifies SMTP traffic from the e-mail users to the e-mail server when they upload their e-mail. The e-mail server is translated to 209.165.200.231.
  • The third class map, called web, classifies the web traffic destined to the Internet. The internal hosts are translated to the public interface's IP address.
  • The last two class maps, voip-sig and voip-rtp, identify VoIP signaling and media traffic.
  • All class maps except mail-smtp are linked to a policy map called voip-mail-qos-policy, whereas the mail-smtp class is mapped to a policy map called SMTP-policy.

The voip-mail-qos-policy policy map is applied to the outside interface and the SMTP-policy policy map is applied to the inside interface. Example 12-10 shows the relevant configuration of SecureMe's ASA that meets the requirements listed previously.

Example 12-10. ASA's Full Configuration Showing QoS for VoIP

SecureMe# show run
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
hostname SecureMe
! Access list to classify mail traffic: SecureMe users upload e-mail with SMTP
access-list Mail-ACL-in extended permit tcp any host 209.165.200.231 eq smtp
! Access list to classify mail traffic: SecureMe users download e-mail with POP3
access-list Mail-ACL-out extended permit tcp host 209.165.200.231 eq pop3 any
! Access list to classify web traffic to the Internet
access-list web-out extended permit tcp host 209.165.200.225 any eq www
! Syslog server information to log the dropped packets
logging enable
logging trap informational
logging host inside 192.168.10.101
! NAT configuration to allow inside hosts to get Internet connectivity
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
! Static address translation for the mail server
static (inside,outside) 209.165.200.231 192.168.10.11 netmask 255.255.255.255
!
route outside 0.0.0.0 0.0.0.0 209.165.200.230 1
! Class map to classify mail traffic in the outbound direction
class-map mail-pop
 match access-list Mail-ACL-out
! Class map to classify mail traffic in the inbound direction
class-map mail-smtp
 match access-list Mail-ACL-in
! Class map to classify web traffic in the outbound direction
class-map web
 match access-list web-out
! Class maps to classify VoIP traffic
class-map voip-sig
 match dscp af31
class-map voip-rtp
 match dscp ef
! Policy map to define the actions applied to each traffic class
policy-map voip-mail-qos-policy
! POP3 mail is rate-limited to 56 kbps
 class mail-pop
  police 56000 10500
! VoIP signaling is prioritized
 class voip-sig
  priority
! VoIP media (RTP) is prioritized
 class voip-rtp
  priority
! Web traffic is rate-limited to 56 kbps
 class web
  police 56000 10500
! Policy map to define the action applied to inbound mail (SMTP)
policy-map SMTP-policy
! SMTP mail is rate-limited to 56 kbps
 class mail-smtp
  police 56000 10500
! Inspection policies
policy-map global_policy
 class inspection_default
  inspect ctiqbe
  inspect http
  inspect xdmcp
  inspect icmp
! Global policy applied for traffic inspection
service-policy global_policy global
! QoS policy applied to the outside interface
service-policy voip-mail-qos-policy interface outside
! QoS policy applied to the inside interface
service-policy SMTP-policy interface inside
! Priority queue enabled on the outside interface; without it the priority action has no effect
priority-queue outside
 tx-ring-limit 100
 queue-limit 200
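A QoS requirement fails silently when one link in the chain of ACL, class map, policy map and service-policy is broken: a class map that matches an access list nobody defined, a service-policy that applies the policy map under a name other than the one it was defined with, or a priority action on an interface that has no priority queue. The following Python script is an added example, not code from the book or from Cisco; it parses the QoS-relevant lines of a running configuration and reports such inconsistencies. The embedded SAMPLE_CONFIG is a constructed, shortened variant of Example 12-10 with two mistakes planted in it (the misspelt policy-map name produces two findings).

```python
"""Consistency checks for the ACL / class-map / policy-map / service-policy
chain of an ASA running-config.

Added example, not code from the book or from Cisco. It reads only the
QoS-relevant lines of a 'show running-config' text; SAMPLE_CONFIG below is a
constructed, shortened variant of Example 12-10 with two mistakes planted.
"""

BUILTIN_CLASSES = {"inspection_default", "class-default"}


def parse_qos(config_text):
    """Return (acl_names, class_maps, policy_maps, bindings, priority_queue_ifaces)."""
    acls, class_maps, policy_maps, bindings, pq_ifaces = set(), {}, {}, [], set()
    cur_class = cur_policy = cur_pclass = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):          # top-level command: closes any open block
            cur_class = cur_policy = cur_pclass = None
            if words[0] == "access-list":
                acls.add(words[1])
            elif words[0] == "class-map":
                cur_class = words[1]
                class_maps.setdefault(cur_class, [])       # name -> matched ACL names
            elif words[0] == "policy-map":
                cur_policy = words[1]
                policy_maps.setdefault(cur_policy, {})     # name -> {class: [actions]}
            elif words[0] == "service-policy":
                target = words[3] if words[2] == "interface" else "global"
                bindings.append((words[1], target))
            elif words[0] == "priority-queue":
                pq_ifaces.add(words[1])
            continue
        if cur_class and words[:2] == ["match", "access-list"]:
            class_maps[cur_class].append(words[2])
        elif cur_policy and words[0] == "class":
            cur_pclass = words[1]
            policy_maps[cur_policy].setdefault(cur_pclass, [])
        elif cur_policy and cur_pclass:
            policy_maps[cur_policy][cur_pclass].append(words[0])  # police, priority, inspect ...
    return acls, class_maps, policy_maps, bindings, pq_ifaces


def check_qos(config_text):
    """Return a list of findings; an empty list means the QoS chain is consistent."""
    acls, class_maps, policy_maps, bindings, pq_ifaces = parse_qos(config_text)
    findings = []
    for cname, matched in class_maps.items():
        for acl in matched:
            if acl not in acls:
                findings.append(f"class-map {cname} matches undefined access-list {acl}")
    for pname, classes in policy_maps.items():
        for cname in classes:
            if cname not in class_maps and cname not in BUILTIN_CLASSES:
                findings.append(f"policy-map {pname} references undefined class {cname}")
    applied = set()
    for pname, target in bindings:
        if pname not in policy_maps:
            findings.append(f"service-policy applies undefined policy-map {pname} on {target}")
            continue
        applied.add(pname)
        # The priority action only takes effect on an interface with 'priority-queue'.
        uses_priority = any("priority" in acts for acts in policy_maps[pname].values())
        if uses_priority and target != "global" and target not in pq_ifaces:
            findings.append(f"policy-map {pname} uses priority on {target} "
                            f"but priority-queue {target} is not configured")
    for pname, classes in policy_maps.items():
        has_qos = any(a in ("police", "priority") for acts in classes.values() for a in acts)
        if has_qos and pname not in applied:
            findings.append(f"policy-map {pname} has QoS actions but no service-policy applies it")
    return findings


# Constructed input: the web class matches an ACL that was never defined, and the service-policy
# names the policy-map as 'voip-qos-policy' instead of 'voip-mail-qos-policy'.
SAMPLE_CONFIG = """\
access-list Mail-ACL-out extended permit tcp host 209.165.200.231 eq pop3 any
class-map mail-pop
 match access-list Mail-ACL-out
class-map web
 match access-list web-out
class-map voip-sig
 match dscp af31
policy-map voip-mail-qos-policy
 class mail-pop
  police 56000 10500
 class voip-sig
  priority
 class web
  police 56000 10500
service-policy voip-qos-policy interface outside
"""
# The same configuration with both mistakes corrected and the priority queue enabled.
FIXED_CONFIG = (SAMPLE_CONFIG.replace("service-policy voip-qos-policy", "service-policy voip-mail-qos-policy")
                + "access-list web-out extended permit tcp host 209.165.200.225 any eq www\n"
                + "priority-queue outside\n")
```

Running check_qos on SAMPLE_CONFIG yields three findings (the undefined access list, the service-policy that names a non-existent policy map, and the defined-but-unapplied QoS policy map); on FIXED_CONFIG it yields none. Removing only the priority-queue line from FIXED_CONFIG yields the single finding that the priority action on the outside interface will not take effect. On the appliance itself, the live counters for these actions are shown by show service-policy police, show service-policy priority and show priority-queue statistics.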

 

QoS for the Remote-Access VPN Tunnels

Figure 12-7 shows the network topology of SecureMe's London office. The office has a Cisco ASA that provides VPN services to remote users, who connect through the security appliance to a file server to access their home directories. SecureMe does not want its broadband VPN users to use up the office's bandwidth, so it wants to apply QoS to the VPN tunnels and restrict the users to 256 kbps. SecureMe also hosts a web server at this location but does not want to restrict Internet web clients when they connect to it.

Figure 12-7. SecureMe Network Using QoS for VPN Tunnels

Note

Refer to Chapter 16, "Remote Access VPNs," for detailed VPN configuration examples.

Example 12-11 shows the running configuration of the security appliance in London. A class map called VPN-traffic is configured to match all packets destined to the clients of the VPN tunnel group called SecureMeGroup. To provide Internet users with access to the web server, another class map called web is set up; its traffic is matched against an ACL that identifies TCP port 80 packets. Both classes are linked to a policy map called VPN-Policy, in which VPN traffic is policed to a conform rate of 256 kbps with a burst size of 48000 bytes, and web traffic passing through the security appliance is prioritized. The policy is then applied to the outside interface.

Example 12-11. Full Configuration of the ASA in London Using QoS

London# show running
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
hostname London
! ACL to classify web traffic
access-list HTTP_ACL extended permit tcp host 209.165.201.2 eq www any
! ACL to bypass address translation for the traffic destined to the VPN clients
access-list nonat extended permit ip 192.168.30.0 255.255.255.0 192.168.50.0 255.255.255.0
! NAT 0 to bypass translation for the traffic identified in ACL nonat
nat (inside) 0 access-list nonat
! Static address translation for the web server
static (inside,outside) 209.165.201.2 192.168.30.10 netmask 255.255.255.255
! Local pool of addresses to be assigned to the VPN clients
ip local pool vpnpool 192.168.50.1-192.168.50.199
! sysopt to bypass the interface access lists for IPsec traffic
sysopt connection permit-ipsec
! Transform set to specify the encryption and hashing algorithms
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
! Crypto map configuration
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 10 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
! isakmp configuration
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Remote-access tunnel-group configuration
tunnel-group SecureMeGroup type ipsec-ra
tunnel-group SecureMeGroup general-attributes
 address-pool vpnpool
tunnel-group SecureMeGroup ipsec-attributes
 pre-shared-key *
! Class map to classify VPN packets; the flow match polices each destination address (each VPN client) separately
class-map VPN-traffic
 match tunnel-group SecureMeGroup
 match flow ip destination-address
! Class map to classify web traffic
class-map web
 match access-list HTTP_ACL
! Policy map to define the actions applied to each traffic class
policy-map VPN-Policy
 class VPN-traffic
  police 256000 48000
 class web
  priority
! Inspection policies
policy-map global_policy
 class inspection_default
  inspect ctiqbe
  inspect http
  inspect xdmcp
  inspect icmp
! Global policy applied for traffic inspection
service-policy global_policy global
! Priority queue enabled on the outside interface; without it the priority action has no effect
priority-queue outside
 tx-ring-limit 100
 queue-limit 200
! QoS policy applied to the outside interface
service-policy VPN-Policy interface outside
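The police actions in Examples 12-10 and 12-11 (police 56000 10500 and police 256000 48000) are single-rate token buckets: the first argument is the conform rate in bits per second, and the second is the burst size in bytes that may be sent above that rate before packets start to exceed. The following Python model is an added example, not code from the book or from Cisco; its packet traces are constructed, and the ASA's own implementation may differ in accounting details such as which bytes of a packet are counted.

```python
"""Token-bucket model of the ASA 'police <conform-rate> <conform-burst>' action.

Added example, not code from the book or from Cisco. It models the two policers
in this section, 'police 56000 10500' (56 kbps, 10,500-byte burst) and
'police 256000 48000' (256 kbps, 48,000-byte burst), on constructed packet
traces so that the roles of the rate and burst parameters are visible.
Packet sizes and timings are invented.
"""


class Policer:
    """Single-rate token bucket: tokens are bytes, refilled at conform_rate/8 bytes per second."""

    def __init__(self, conform_rate_bps, conform_burst_bytes):
        self.rate_bytes_per_s = conform_rate_bps / 8   # first 'police' argument, in bps
        self.burst = conform_burst_bytes               # second argument: bucket depth in bytes
        self.tokens = float(conform_burst_bytes)       # bucket starts full
        self.last_ts = 0.0

    def offer(self, ts, size):
        """Return True if a packet of `size` bytes arriving at time `ts` (seconds) conforms."""
        elapsed = ts - self.last_ts
        self.last_ts = ts
        # Refill for the elapsed time, never beyond the configured burst.
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed action; the ASA default for exceeding traffic is to drop it


def run_trace(rate_bps, burst_bytes, trace):
    """Police a trace of (timestamp_s, size_bytes) tuples; return (conformed, exceeded) counts."""
    policer = Policer(rate_bps, burst_bytes)
    conformed = exceeded = 0
    for ts, size in trace:
        if policer.offer(ts, size):
            conformed += 1
        else:
            exceeded += 1
    return conformed, exceeded


# Constructed trace 1: twenty 1500-byte segments spread evenly over one second,
# i.e. a sustained 240 kbps, like a POP3 download the chapter wants held to 56 kbps.
POP3_DOWNLOAD = [(i * 0.05, 1500) for i in range(20)]

# Constructed trace 2: forty 1500-byte packets arriving at the same instant,
# which only the burst allowance can absorb.
INSTANT_BURST = [(0.0, 1500)] * 40

if __name__ == "__main__":
    for label, rate, burst, trace in [
        ("mail-pop / web, police 56000 10500, 240 kbps stream", 56000, 10500, POP3_DOWNLOAD),
        ("VPN-traffic, police 256000 48000, 240 kbps stream", 256000, 48000, POP3_DOWNLOAD),
        ("VPN-traffic, police 256000 48000, instant burst", 256000, 48000, INSTANT_BURST),
    ]:
        ok, drop = run_trace(rate, burst, trace)
        print(f"{label}: {ok} conformed, {drop} exceeded")
```

Against the 240 kbps stream, the 56 kbps policer lets the first eight segments through on the initial burst allowance and thereafter only about one segment in four, whereas the 256 kbps policer passes the whole stream because its refill per 50 ms interval (1600 bytes) exceeds the segment size. The instant burst shows the burst parameter on its own: 48,000 bytes admits exactly 32 full-size packets before the remaining eight exceed.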


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231
