ASA5510: VLAN and QoS config for VoIP?

Hi everyone,

We're in the process of switching over our phone system from a legacy Nortel MICS and are currently playing with a FreePBX implementation.  Our network consists of Cisco Catalyst 2690 switches, Dell PowerConnect 3448P PoE switches, and an ASA5510.  We have no layer 3 switches or separate routers and are hoping to avoid adding either for cost reasons.

The ASA has 4 interfaces configured: inside, outside, dmz, and guest_inside.  We host our own mail and web servers which sit on the DMZ.  We also have a WLC-2504 which has one interface on our inside network and another connected to the guest_inside interface on the ASA.

Our internal network configuration consists of one VLAN (vlan 1).  We’re currently in an experimentation phase with FreePBX and are trying to understand how to best configure QoS, separate VLANs, etc.

After that long winded intro, I have some questions:

1. We have 2 Dell PowerConnect 3448P switches set aside for use only with VoIP phones.   We’re currently using the ASA as a DHCP Server on the inside interface and we’ll also need DHCP (and option 66) for the VoIP phones.  What’s the best way to connect the Dell PoE switches to the network:

A.  Connect them to the existing Cisco switch stack with a trunk and create a VLAN  for VoIP on the Dell switch ports?

B.  Create another interface on the ASA (inside_voip for example) with the same security level as the inside interface (100) and create a VLAN  for VoIP on the Dell switch ports?

C.  Create sub-interfaces on the inside interface and let the ASA handle intervlan routing and create a VLAN  for VoIP on the Dell switch ports?

D.  Something else?


2. What’s the best strategy for setting up QoS on the ASA?  I’ve read the “Configuring QoS” ASDM help docs and they aren’t particularly helpful. Ultimately, I want to give absolute priority to voice and it’s not clear to me if I just need to set up a Priority Queue, Policing, Traffic Shaping, or some combination of the 3.

Thanks -- Steve
SteveV Asked:
David Piniella Commented:
With that done, would I create my sub-interfaces and for each sub-interface specify the VLAN and setup DHCP server?

from: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/intrface.html

You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.

Step 3 To enable the subinterface, enter the following command:

 hostname(config-subif)# no shutdown



Will this break my config?  Or asked differently; will removing the IP address from the physical interface affect existing access lists, nat, etc. and if so, what's the best way to correct this?

Yes-ish? Possibly they will break and you'll want to redo the ACLs. It depends on how you have your ACLs set up currently. If you've got something like this, you'll have to make your ACLs something with the interface names for the new subinterfaces. If your new subinterfaces will not need any external access/routing, you don't need to worry about that stuff. I would recommend starting from scratch so you know everything is where it should be.
 
David Piniella Commented:
1. I would personally go with C, but A is also a sound policy.

2.  You'll want all three. This http://www.laguiadelnetworking.com/how-to-enable-qos-priority-queue-on-the-cisco-asa-firewall/ will help, as will this: https://albahra.com/journal/2013/04/crash-course-cisco-asa-5505-setup-with-qos
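As an added example (not from the thread or from the linked guides), here is what option C plus the three QoS pieces looks like on an ASA 5510. Everything concrete in it is an assumption: Ethernet0/1 as the current inside port, VLAN 10 for data and VLAN 20 for voice, 192.168.10.0/24 and 192.168.20.0/24, a FreePBX server at 192.168.20.10, phones that mark their RTP with DSCP EF, and a 2 Mbit/s outside link.

```cisco
! Added example (not from the thread): option C on an ASA 5510.
! Assumed: Ethernet0/1 is today's inside port, VLAN 10 = data,
! VLAN 20 = voice, FreePBX at 192.168.20.10, 2 Mbit/s outside link.
! "no nameif" on the physical port drops config bound to that name
! (access-group, nat, dhcpd), so it must be reapplied to the subinterface.
interface Ethernet0/1
 no ip address
 no nameif
 no security-level
!
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif voice
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! Both subinterfaces are level 100, so inter-VLAN traffic needs this.
same-security-traffic permit inter-interface
!
! Phone scope; option 66 points the phones at the provisioning server.
dhcpd address 192.168.20.50-192.168.20.200 voice
dhcpd dns 192.168.10.5 interface voice
dhcpd option 66 ip 192.168.20.10 interface voice
dhcpd enable voice
!
! QoS on the outside link: shape to the real upstream rate, with EF-marked
! voice in the strict priority queue nested under the shaper (the ASA only
! shapes class-default, so the priority class lives in a child policy).
class-map voice_traffic
 match dscp ef
!
policy-map voice_priority
 class voice_traffic
  priority
!
policy-map outside_shaping
 class class-default
  shape average 2000000
  service-policy voice_priority
!
priority-queue outside
service-policy outside_shaping interface outside
```

Policing is the third tool, but the ASA will not accept `police` and `priority` in the same class, so a rate cap goes on a separate class (for example bulk data) rather than on the voice class.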
 
SteveV (Author) Commented:
Thanks for the reply.  If I go with C, I assume I'll need to remove the IP address and DHCP server settings from the physical interface before I create my sub-interfaces?

With that done, would I create my sub-interfaces and for each sub-interface specify the VLAN and setup DHCP server?

Will this break my config?  Or asked differently; will removing the IP address from the physical interface affect existing access lists, nat, etc. and if so, what's the best way to correct this?

Sorry if these are basic questions but I know enough to be moderately dangerous and want to make sure I fully understand what things I'll need to change.

Thanks again -- Steve
 
SteveV (Author) Commented:
Still looking for help on this if anyone has any suggestions.

Thanks -- Steve
 
SteveV (Author) Commented:
Thanks for the help.