Reset_

QoS on Cisco ASA 5520

I have approx. 200 users on a remote site.
They connect to the central site with two site-to-site IPsec VPNs.
All applications are running as published applications on a Citrix farm at the central site.
I want to enable priority for the traffic going to and from the remote site.

I see that it is possible to add a service policy, specify tunnel-group as match criteria and check the "enable priority for this flow" box. That is OK, I can do this for each tunnel-group.

First question:
Under "Configuration - Device Management - Advanced - Priority queue" I have to configure priority queue parameters on an interface. In this scenario, should I use the Outside interface? And I see that the default values are: Queue limit 2048 and Transmission ring limit 512. Is there a rule of thumb or something like that when setting these values?

Second question:
It seems a bit weird to just put priority on the tunnel-groups; I would really like to specify what I want to put priority on. So, keeping in mind that the traffic is going to and from the central environment over IPsec, is it possible to just define an outside-policy and one class for each TCP/UDP port I want to enable priority on?

Third question:
If I am far off, what do you think I should do with my ASA 5520 to implement some kind of QoS for my Citrix traffic to and from the remote site?
dcj21

QoS is a good idea if the VPN link is used for multiple kinds of traffic like the Citrix farm, email and internet browsing. Then you can give the Citrix farm high priority and Internet low priority.

Use class maps and ACLs to match traffic and assign priorities.

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/conns_qos.html
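
An added example, not part of the original thread or any poster's configuration: one way the class-map and ACL approach described above can look in ASA CLI on the central-site firewall. The subnets 10.1.0.0/16 (central) and 10.2.0.0/16 (remote), the names CITRIX-PRIO and OUTSIDE-QOS, and an interface named outside are assumptions; the ports and queue values are the ones mentioned in the thread.

```cisco
! Added example. Subnets, object names and the interface name are assumptions.
! 10.1.0.0/16 = central site (Citrix farm), 10.2.0.0/16 = remote site.

! Priority queuing needs a priority queue on the egress interface.
! 2048 / 512 are the default values quoted in the question.
priority-queue outside
 queue-limit 2048
 tx-ring-limit 512

! The ACL is written for packets leaving the central site towards the
! remote site: the Citrix servers answer from source port 1494 or 2598.
access-list CITRIX-PRIO extended permit tcp 10.1.0.0 255.255.0.0 eq 1494 10.2.0.0 255.255.0.0
access-list CITRIX-PRIO extended permit tcp 10.1.0.0 255.255.0.0 eq 2598 10.2.0.0 255.255.0.0

class-map CITRIX-PRIO
 match access-list CITRIX-PRIO

! Traffic in this class goes to the priority queue;
! everything else stays best effort.
policy-map OUTSIDE-QOS
 class CITRIX-PRIO
  priority

service-policy OUTSIDE-QOS interface outside

! Check that packets are being counted in the priority class and queue.
show service-policy priority
show priority-queue statistics outside
```

The device at the remote site needs the mirror image of this ACL (remote subnet as source, destination port 1494 or 2598) to prioritise the opposite direction.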
ASKER CERTIFIED SOLUTION
jjmartineziii

This solution is only available to members.
Reset_

ASKER

That is an interesting approach, jjmartineziii. I will try to implement it on my ASA.

Is it possible to have levels of priority, like:
priority 1
priority 2
etc.

This will be a good solution for putting priority on the traffic to and from the remote servers over the IPsec connection. But it would have been great to have more than one priority level.

The newer version of XenApp will have keystrokes and screen updates on one port, and print/file traffic on another port, etc. (not like now, where everything runs over port 1494 or 2598). It would make sense to have a higher priority on keystrokes, lower on print/file traffic and no priority on everything else.

I guess I would also have to be able to specify protocol/port in the extended access list and not only IPs.
Reset_

ASKER

I implemented this on my ASA, jjmartineziii, and I will award you the points.
Thank you.