QoS on Cisco ASA 5520

Posted on 2011-10-09
Last Modified: 2012-05-12
I have approx 200 users on a remote site.
They connect to the central site with two site-to-site IPsec VPNs.
All applications are running as published applications on a Citrix farm at the central site.
I want to enable priority for the traffic going to and from the remote site.

I see that it is possible to add a service policy, specify tunnel-group as match criteria and check the "enable priority for this flow" box. That is OK, I can do this for each tunnel-group.

First question:
Under "Configuration - Device Management - Advanced - Priority queue" I have to configure priority queue parameters on an interface. In this scenario, should I use the Outside interface? And I see that the default values are: Queue limit 2048 and Transmission ring limit 512. Is there a rule of thumb or something like that when setting these values?

Second question:
It seems a bit weird to just put priority on the tunnel-groups; I would really like to specify what I want to put priority on. So, keeping in mind that the traffic is going to and from the central environment over IPsec, is it possible to just define an outside-policy and one class for each TCP/UDP port I want to enable priority on?

Third question:
If I am far off, what do you think I should do with my ASA 5520 to implement some kind of QoS for my Citrix traffic to and from the remote site?
Question by:Reset_
    LVL 4

    Expert Comment

    QoS is a good idea if the VPN link is used for multiple kinds of traffic like the Citrix farm, email and internet browsing. Then you can give the Citrix farm high priority and Internet low priority.

    Use class maps and ACLs to match traffic and assign priorities.
    LVL 12

    Accepted Solution

    access-list OUTSIDE_PQTRAFFIC extended permit ip host host
    access-list OUTSIDE_PQTRAFFIC extended permit ip host host
    access-list OUTSIDE_PQTRAFFIC extended permit ip host host
    access-list OUTSIDE_PQTRAFFIC extended permit ip host host

    class-map PQTRAFFIC
     match access-list OUTSIDE_PQTRAFFIC

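    policy-map OUTSIDE_PQTRAFFIC
     class PQTRAFFIC
      ! send traffic matched by this class to the priority queue
      priority

    ! the priority queue must exist on the interface for the priority action to take effect
    priority-queue outside

    service-policy OUTSIDE_PQTRAFFIC interface outside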

    Here is an example of some QoS I did on an ASA. It seems to be working.

    Hope this helps.
    LVL 3

    Author Comment

    That is an interesting approach jjmartineziii, I will try to implement it on my ASA.

    Is it possible to have levels of priority, like:
    priority 1
    priority 2

    This will be a good solution in putting priority on the traffic to and from the remote servers over the ipsec connection. But it would have been great to have more than one priority level.

    The newer version of XenApp will have keystrokes and screen updates on one port, and print/file traffic on another port, etc. (not like now where everything runs over port 1494 or 2598). It would make sense to have a higher priority on keystrokes, lower on print/file traffic and no priority on everything else.

    I guess I would also have to be able to specify protocol/port in the extended access list and not only IPs.
    LVL 3

    Author Comment

    I implemented this on my ASA jjmartineziii and I will award you the points.
    Thank you
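
The port-based matching asked about in the thread, as an added example that is not part of the original posts or anyone's production config. The subnets are constructed documentation ranges (192.0.2.0/24 standing in for the central Citrix farm, 198.51.100.0/24 for the remote site); ports 1494 and 2598 are the ones named in the thread, and the object names reuse those from the accepted solution.

```cisco
! Constructed addresses (assumptions):
!   192.0.2.0/24    = central-site Citrix farm
!   198.51.100.0/24 = remote-site clients
!
! Match Citrix by protocol and port instead of by host pair.
! Both orientations are listed so the same entries can be used on the
! ASA at either site.

! farm -> clients (Citrix port is the source port)
access-list OUTSIDE_PQTRAFFIC extended permit tcp 192.0.2.0 255.255.255.0 eq 1494 198.51.100.0 255.255.255.0
access-list OUTSIDE_PQTRAFFIC extended permit tcp 192.0.2.0 255.255.255.0 eq 2598 198.51.100.0 255.255.255.0

! clients -> farm (Citrix port is the destination port)
access-list OUTSIDE_PQTRAFFIC extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 1494
access-list OUTSIDE_PQTRAFFIC extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 2598

class-map PQTRAFFIC
 match access-list OUTSIDE_PQTRAFFIC

policy-map OUTSIDE_PQTRAFFIC
 class PQTRAFFIC
  ! Matched traffic goes to the interface's low-latency (priority) queue.
  ! Everything not matched by this class stays in the best-effort queue.
  priority

! Create the priority queue on the egress interface before attaching the policy.
priority-queue outside

service-policy OUTSIDE_PQTRAFFIC interface outside
```

After applying it, `show service-policy interface outside` and `show priority-queue statistics outside` show whether packets are being classified and queued as intended.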
