QoS on Cisco ASA 5520

I have approx 200 users on a remote site.
They connect to the central site with two site-to-site IPsec VPNs.
All applications are running as published applications on a Citrix farm at the central site.
I want to enable priority for the traffic going to and from the remote site.

I see that it is possible to add a service policy, specify tunnel-group as match criteria and check the "enable priority for this flow" box. That is OK, I can do this for each tunnel-group.

First question:
Under "Configuration - Device Management - Advanced - Priority queue" I have to configure priority queue parameters on an interface. In this scenario, should I use the Outside interface? And I see that the default values are: Queue limit 2048 and Transmission ring limit 512. Is there a rule of thumb or something like that when setting these values?

Second question:
It seems a bit weird to just put priority on the tunnel-groups; I would really like to specify what I want to put priority on. So, keeping in mind that the traffic is going to and from the central environment over IPsec, is it possible to just define an outside-policy and one class for each TCP/UDP port I want to enable priority on?

Third question:
If I am far off, what do you think I should do with my ASA 5520 to implement some kind of QoS for my Citrix traffic to and from the remote site?
1 Solution
 
dcj21Commented:
QoS is a good idea if the VPN link is used for multiple kinds of traffic like the Citrix farm, email and internet browsing. Then you can give the Citrix farm high priority and Internet low priority.

Use class maps and ACLs to match traffic and assign priorities.

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/conns_qos.html
 
jjmartineziiiCommented:
! ACL selecting the flows that get low-latency treatment (one remote host to four central hosts)
access-list OUTSIDE_PQTRAFFIC extended permit ip host 10.130.16.220 host 10.10.130.220
access-list OUTSIDE_PQTRAFFIC extended permit ip host 10.130.16.220 host 10.130.15.220
access-list OUTSIDE_PQTRAFFIC extended permit ip host 10.130.16.220 host 10.130.3.220
access-list OUTSIDE_PQTRAFFIC extended permit ip host 10.130.16.220 host 10.10.132.220
!
! Class map that references the ACL
class-map PQTRAFFIC
 match access-list OUTSIDE_PQTRAFFIC
!
! Policy map that puts the class into the priority (LLQ) queue
policy-map OUTSIDE_PQTRAFFIC
 class PQTRAFFIC
  priority
!
! Attach the policy to the interface the VPN leaves on
service-policy OUTSIDE_PQTRAFFIC interface outside

Here is an example of some QoS I did on an ASA. It seems to be working.

Hope this helps.
 
Reset_Author Commented:
That is an interesting approach jjmartineziii, I will try to implement it on my ASA.

Is it possible to have levels of priority, like:
priority 1
priority 2
etc.

This will be a good solution in putting priority on the traffic to and from the remote servers over the ipsec connection. But it would have been great to have more than one priority level.

The newer version of XenApp will have keystrokes and screen updates on one port, and print/file traffic on another port, etc. (not like now where everything runs over port 1494 or 2598). It would make sense to have a higher priority on keystrokes, lower on print/file traffic and no priority on everything else.

I guess I would also have to be able to specify protocol/port in the extended access list and not only IPs.
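A fuller version of jjmartineziii's approach, added here as an example (it is not from the thread), covering the three questions: which interface the priority queue belongs on, matching on the Citrix ports instead of whole tunnel-groups or host pairs, and what can be done about the single priority level. The 10.130.16.0/24 user subnet, the 10.10.130.220 farm host, the interface names and the 2 Mbps policer rate are assumed values.

```cisco
! Added example, not from the thread. Subnet 10.130.16.0/24 (remote users),
! farm host 10.10.130.220, interface names and the 2 Mbps ceiling are assumed.
!
! 1. Priority queueing on the ASA is egress-only, so to favour traffic *to* the
!    remote site create the queue on "outside" (where the encrypted tunnel
!    leaves) and, for traffic *from* the remote site, also on "inside".
!    2048 / 512 are the defaults quoted in the question; raise them only if
!    "show priority-queue statistics" shows drops in the best-effort queue.
priority-queue outside
 queue-limit 2048
 tx-ring-limit 512
priority-queue inside
 queue-limit 2048
 tx-ring-limit 512
!
! 2. Match by port rather than by tunnel-group or bare host pair:
!    1494 = ICA, 2598 = CGP (session reliability), in both directions.
access-list CITRIX_PQ extended permit tcp 10.130.16.0 255.255.255.0 host 10.10.130.220 eq 1494
access-list CITRIX_PQ extended permit tcp 10.130.16.0 255.255.255.0 host 10.10.130.220 eq 2598
access-list CITRIX_PQ extended permit tcp host 10.10.130.220 eq 1494 10.130.16.0 255.255.255.0
access-list CITRIX_PQ extended permit tcp host 10.10.130.220 eq 2598 10.130.16.0 255.255.255.0
!
class-map CITRIX_PQ
 match access-list CITRIX_PQ
!
! 3. Each ASA interface has one low-latency queue plus a best-effort queue, so
!    there are no "priority 1 / priority 2" tiers. A second tier is approximated
!    by capping the remaining traffic (web, file/print) with a policer on the
!    outside interface instead. A class may carry "priority" or "police", not both.
policy-map OUTSIDE_QOS
 class CITRIX_PQ
  priority
 class class-default
  police output 2000000 37500 conform-action transmit exceed-action drop
!
! Inside: priority only, so LAN traffic that never crosses the VPN is not capped.
policy-map INSIDE_QOS
 class CITRIX_PQ
  priority
!
service-policy OUTSIDE_QOS interface outside
service-policy INSIDE_QOS interface inside
!
! Verify with: show service-policy priority / show priority-queue statistics outside
```

Because the ACL now names ports, the class only matches ICA/CGP sessions; once the newer XenApp splits keystroke and print/file traffic onto separate ports, the print/file port can simply be left out of CITRIX_PQ so it falls into the policed best-effort class.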
 
Reset_Author Commented:
I implemented this on my ASA jjmartineziii and I will award you the points.
Thank you