brian_appliedcpu
Using QOS for RDP Traffic on a Cisco ASA should I apply it to the outside or inside interface?
In our office we have a 5505 ASA with about 15 tunnels to various other offices. We use the tunnels to access the systems and servers in these offices but we also RDC into other servers not through a vpn.
We are wanting to set up QoS to prioritize the RDC traffic. I would normally put it on the outside interface, but when I tried this and flooded the network with downloads I noticed that RDC sessions that were tunneled stalled. This makes sense since the traffic is encrypted and tunneled through the outside interface, so the QoS cannot properly prioritize it. So if I put the QoS rule on the inside interface, will it prioritize both the RDC to the internet and the RDC through the VPN tunnel?
The other alternative is to prioritize the VPN tunnel, but like I said, we have around 15 of them.
Any guidance is always appreciated.
Do you have any routers that you control between the ASA and the Internet?
QoS markings (CoS and/or DSCP) are ignored on the Internet, as required by Net Neutrality. A border router would be able to classify RDP vs. non-RDP traffic and apply appropriate policing rules. Otherwise, you need the ASA to limit the overall ingress/egress traffic to match what your provider is able to provide.
ASKER
No, we do not have a router between the ASA and the internet.
This is the pertinent section of the firewall config:
class-map outside-class2
 match access-list outside_mpc_1
class-map outside-class1
 description rdp
 match port tcp eq 3389
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match any
policy-map COS1_traffic
 description QOS_trarric
 class COS1_traffic
  priority
  user-statistics accounting
 class outside-class1
  priority
  user-statistics accounting
 class outside-class2
  priority
  user-statistics accounting
 class outside-class
  police input 95000000 47500
  police output 9000000 4500
  user-statistics accounting
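One way to lay out the outside policy so that tunneled RDP is not left to the catch-all policer, written here as an added example (it is not the asker's config or a Cisco reference example): clear-text RDP is still matched by port, RDP that is already ESP-encapsulated when it reaches the outside queue is matched per tunnel with match tunnel-group, everything else is policed to the upstream rate, and the priority queue is switched on for the interface, which the priority command needs in order to do anything. The tunnel-group name 203.0.113.10 and the 9 Mbit/s output rate are assumed values; one tunnel class is shown and the other tunnels would each need their own class-map, since the ASA cannot see the inner TCP port of an encrypted tunnel.

```cisco
! Enable the priority queue on the outside interface. Without this,
! "priority" in the policy-map is accepted but has no effect.
priority-queue outside
!
! RDP that leaves the ASA unencrypted (no VPN) is still visible by port.
class-map rdp-clear
 match port tcp eq 3389
!
! RDP inside a site-to-site tunnel is ESP on the outside interface, so it
! is matched by tunnel instead. The second match line is required by the
! ASA when a tunnel-group class is used for priority or police.
! Peer address is an assumed placeholder; repeat per tunnel as needed.
class-map rdp-tunnel-branch1
 match tunnel-group 203.0.113.10
 match flow ip destination-address
!
! Catch-all for the remaining traffic. Policing output to the provider's
! rate keeps queueing on the ASA, where the priority classes apply,
! rather than in the upstream buffer. Rate/burst are assumed values.
class-map outside-rest
 match any
!
! Order matters: the first matching class wins, so the priority classes
! sit above the catch-all. Police and priority cannot share one class.
policy-map outside-qos
 class rdp-clear
  priority
 class rdp-tunnel-branch1
  priority
 class outside-rest
  police output 9000000 4500
!
! The ASA allows a single service-policy per interface, so this policy
! replaces any existing one on outside rather than adding to it.
service-policy outside-qos interface outside
```

Note that the policy posted above references a class COS1_traffic for which no class-map appears in the paste, so that class as shown cannot be matching anything.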
I am following up on your question. Do you still need help?
If you solved the problem on your own, would you please post the solution here in case others have the same problem?
Regards,
Stacy-Richard
Customer Relations