One of the newer additions to the Cisco ASA firewall is the ability to configure Quality of Service (QoS) for VoIP traffic, which was previously available only on IOS routers. The ASA now supports Low Latency Queuing (LLQ, priority queuing), which lets you forward certain traffic flows (such as latency-sensitive voice and video) ahead of all other traffic.
In its simplest form, you enable a priority queue on an interface and use an ACL and a policy map to select the traffic that will go through that interface's priority queue. All other traffic goes through the "best effort" queue. For example, if FTP data traffic (usually large packets) and a VoIP packet are both waiting on the interface, the VoIP packet is transmitted first (from the priority queue) while the FTP packet is delivered on a best-effort basis.
In the example below, a typical scenario is presented in which two (or more) sites communicate over a LAN-to-LAN (site-to-site) IPsec VPN across the Internet. Between the sites we can have both data and VoIP traffic. Although we cannot enforce real QoS across the Internet, we can at least ensure that voice traffic is prioritized on the firewall's interface.
From the diagram above, it is assumed that the IPsec VPN is already configured and working properly (i.e. subnets 192.168.1.0/24 and 192.168.2.0/24 can communicate over the tunnel). The example configuration below is for the ASA-1 firewall and should be applied correspondingly on ASA-2 so that QoS is enforced at both ends.
! Enable priority queue on the external interface
ASA-1(config)# priority-queue outside
ASA-1(config-priority-queue)# exit
! Select VoIP traffic to prioritize
ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq h323
ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq sip
ASA-1(config)# access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 2000
ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq h323
ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq sip
ASA-1(config)# access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 2000
! Match the ACLs above and traffic already marked Expedited Forwarding (DSCP EF)
ASA-1(config)# class-map Voice-OUT
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-OUT
ASA-1(config-cmap)# exit
ASA-1(config)# class-map Voice-IN
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-IN
ASA-1(config-cmap)# exit
! Configure the actual policy that will be applied to the interface
ASA-1(config)# policy-map VoicePolicy
ASA-1(config-pmap)# class Voice-OUT
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit
ASA-1(config-pmap)# class Voice-IN
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit
ASA-1(config-pmap)# exit
! Apply the policy to the outside interface (the same interface the priority queue was enabled on)
ASA-1(config)# service-policy VoicePolicy interface outside
A small note here: the priority queue applies only to traffic leaving an interface (egress direction), so the Voice-IN class above has no effect in the policy-map. Also, as stated at the beginning of the article, the configuration shown in this post applies to ASA-1. A reciprocal configuration must be applied on ASA-2, with ACLs that match traffic from network 192.168.2.0 to 192.168.1.0.
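As an added example that is not part of the original post, the Python script below walks the priority-queue -> class-map -> policy-map -> service-policy chain the post builds and flags dangling references, for instance a service-policy bound to an interface name other than the one the priority queue was enabled on. The sample config is constructed and simplified; the function assumes running-config ordering (ACLs before class-maps) and the ASA's one-space indentation of nested commands.

```python
from typing import List, Set

# Constructed sample, not from the original post: the LLQ section of an ASA
# running-config in the shape the post builds, with one deliberate mistake
# (service-policy bound to "external" while priority-queue is enabled on "outside").
SAMPLE_CONFIG = """\
priority-queue outside
access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq sip
class-map Voice-OUT
 match access-list VoIP-Traffic-OUT
class-map Voice-IN
 match dscp ef
policy-map VoicePolicy
 class Voice-OUT
  priority
 class Voice-IN
  priority
service-policy VoicePolicy interface external
"""


def lint_llq(config: str) -> List[str]:
    pq_ifaces: Set[str] = set()        # interfaces that have a priority queue
    acls: Set[str] = set()             # defined access-list names
    cmaps: Set[str] = {"class-default"}  # defined class-maps (class-default is implicit)
    problems: List[str] = []
    cur_cmap = cur_pmap = None
    for line in filter(str.strip, config.splitlines()):
        tok = line.split()
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            cur_cmap = cur_pmap = None
        if tok[0] == "priority-queue":
            pq_ifaces.add(tok[1])
        elif tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "class-map":
            cur_cmap = tok[1]
            cmaps.add(cur_cmap)
        elif tok[0] == "policy-map":
            cur_pmap = tok[1]
        elif cur_cmap and tok[:2] == ["match", "access-list"] and tok[2] not in acls:
            problems.append(f"class-map {cur_cmap} references undefined ACL {tok[2]}")
        elif cur_pmap and tok[0] == "class" and tok[1] not in cmaps:
            problems.append(f"policy-map {cur_pmap} references undefined class-map {tok[1]}")
        elif tok[0] == "service-policy" and len(tok) == 4 and tok[2] == "interface":
            if tok[3] not in pq_ifaces:  # policy lands on an interface with no priority queue
                problems.append(f"{tok[1]} is applied to interface {tok[3]} but "
                                f"priority-queue is enabled only on {sorted(pq_ifaces)}")
    return problems
```

Run it against the output of `show running-config` on the ASA to catch exactly the kind of interface-name mismatch that silently leaves voice in the best-effort queue.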
Wishing you success!