
QoS for VoIP Traffic on Cisco ASA Firewall Devices

TigerDao

Administrator
Staff member
One of the newer additions to the Cisco ASA firewall is the ability to configure Quality of Service (QoS) for VoIP traffic, which was previously available only on IOS routers. The ASA now supports Low Latency Queuing (LLQ, priority queuing), which lets you service certain traffic flows (latency-sensitive traffic such as voice and video) ahead of other traffic.

In its simplest form, you enable priority queuing on an interface and use an ACL and a policy map to select the traffic that will go through that interface's priority queue. All other traffic goes through the "best effort" queue. For example, if FTP data traffic (usually long packets) and a VoIP packet are waiting at the same time, the interface sends the VoIP packet first (priority queue), while the FTP packets are delivered on a best-effort basis.

The example below presents a typical scenario in which two (or more) sites communicate via a LAN-to-LAN (site-to-site) IPsec VPN over the Internet. Between the sites there can be both data and VoIP traffic. Although we cannot enforce real QoS across the Internet, we can at least ensure voice traffic is prioritized on the firewall interface.

(IMG)


In the diagram above, it is assumed that the IPsec VPN is already configured and working properly (i.e. subnets 192.168.1.0/24 and 192.168.2.0/24 can communicate over the tunnel). The example configuration below is for the ASA-1 firewall and should be applied accordingly to ASA-2 for better QoS performance.

! Enable the priority queue on the outside interface

ASA-1(config)# priority-queue outside
ASA-1(config-priority-queue)# exit


! Select VoIP traffic to prioritize

ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq h323
ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq sip
ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 2000

ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq h323
ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq sip
ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 2000


! Match the ACLs and traffic marked with DSCP Expedited Forwarding (EF)

ASA-1(config)# class-map Voice-OUT
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-OUT
ASA-1(config-cmap)# exit

ASA-1(config)# class-map Voice-IN
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-IN
ASA-1(config-cmap)# exit


! Configure the actual policy that will be applied to the interface

ASA-1(config)# policy-map VoicePolicy
ASA-1(config-pmap)# class Voice-OUT
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit

ASA-1(config-pmap)# class Voice-IN
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit
ASA-1(config-pmap)# exit


! Apply the policy to the outside interface

ASA-1(config)# service-policy VoicePolicy interface outside

A small note here: priority queuing applies only to traffic leaving an interface (the "outbound" direction), so the Voice-IN class above will not have any effect in the policy-map. Additionally, as stated at the beginning of the article, the configuration shown in this post applies to ASA-1. A reciprocal configuration should also be applied on ASA-2, with ACLs that match traffic from network 192.168.2.0 to 192.168.1.0.

Wishing you success!
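
One way to lint a configuration like the one above before applying it, as an added Python example (not part of the original post, and not a Cisco tool): it checks that every interface bound to a policy with `priority` classes also has a `priority-queue`, and flags priority classes whose ACL source is not the local subnet, a heuristic for the outbound-only behaviour noted in the post. The function name `audit`, the finding labels and the trimmed sample config are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the walkthrough's ASA-1 commands with prompts stripped
# and one ACL entry kept per direction.
SAMPLE_CONFIG = """\
priority-queue outside
access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq sip
access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq sip
class-map Voice-OUT
 match access-list VoIP-Traffic-OUT
class-map Voice-IN
 match access-list VoIP-Traffic-IN
policy-map VoicePolicy
 class Voice-OUT
  priority
 class Voice-IN
  priority
service-policy VoicePolicy interface outside
"""

def audit(config, local_net):
    """Return (kind, subject) findings; local_net is this firewall's inside subnet."""
    local = ipaddress.ip_network(local_net)
    pq, acl_src, cmap_acl, prio, bound = set(), {}, {}, {}, []
    cur = {}  # most recent class-map / policy-map / class seen while parsing
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "priority-queue":
            pq.add(w[1])
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            # Only the "SRC MASK" form used on the page is parsed (no any/host/objects).
            acl_src.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[5]}/{w[6]}"))
        elif w[0] in ("class-map", "policy-map", "class"):
            cur[w[0]] = w[1]
        elif w[:2] == ["match", "access-list"]:
            cmap_acl[cur["class-map"]] = w[2]
        elif w == ["priority"]:
            prio.setdefault(cur["policy-map"], []).append(cur["class"])
        elif w[0] == "service-policy" and w[2:3] == ["interface"]:
            bound.append((w[1], w[3]))
    findings = []
    for policy, iface in bound:
        classes = prio.get(policy, [])
        if classes and iface not in pq:  # priority action, but no queue on that interface
            findings.append(("no-priority-queue", iface))
        for c in classes:  # heuristic: egress traffic is sourced from the local subnet
            srcs = acl_src.get(cmap_acl.get(c), [])
            if srcs and not any(s.subnet_of(local) for s in srcs):
                findings.append(("not-egress-traffic", c))
    return findings
```

Calling `audit(SAMPLE_CONFIG, "192.168.1.0/24")` reports only the Voice-IN class, which matches the note in the post that this class has no effect on ASA-1.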
