! !Enable the piority queues on both interfaces !I opened up all udp just to keep things simple ! access-list outside_access_in extended permit udp any any ! !Although I used the entire subnet to classify the voip packets, please !feel free to use dscp, precedence or ports instead ! !Inbound voip traffic classificationĪccess-list voip_inside extended permit ip any 10.16.1.0 255.255.255.0 ! !outbound (toward Internet) voip traffic classification access-list voip_outside extended permit ip 10.16.1.0 255.255.255.0 any ! global (outside) 1 70.35.47.195 netmask 255.255.255.255Īccess-group outside_access_in in interface outside !I expect you to limit the udp ports to just what your provider has recommended. Here's the relevant ASA 5505 configs with some explanations. Change the shape rate accordingly if you have asymmetrical speeds. Since I had a symmetrical 3Mbps Internet connection, I applied 2Mbps of traffic shaping to both interfaces. To do this, you shape the default class to 2Mbps and nest the voice policy so that the voip traffic is omitted from shaping (or drops) which will give it the remaining 1Mbps. This implies that the data traffic (or all but voip traffic) can share 2Mbps. In my opinion it's a small price to pay.Įach call takes up about 80Kbps in our example and we have had about 10 simultaneous calls in the past so I reserved 1Mbps of our 3Mbps Internet pipe for voice traffic. Unfortunately, you've got to sacrifice the data bandwidth for this solution to work but there is no way around it. The policy on the inside acts on the egress interface and therefore will impact the inbound traffic from the Internet whereas the outside one impacts the outbound traffic toward the Internet. I used a nested policy on both the outside and inside interfaces of the firewall. Those VoIP packets don't have a chance getting down in time from the Internet to your network over that saturated pipe! The second critical detail omitted is that even after you have applied the QoS to the correct interfaces, it does not help when a really long download is saturating the ISP link. Now, because QoS only acts on the egress traffic when applied to an interface, this does nothing for the inbound traffic from the ISP - the more important direction! Their example always use just the outside interface (ISP facing).
Prioritizing VoIP traffic using a Cisco ASA is well documented but the problem is Cisco's documents tend to omit a few important facts.
It is advised that you turn on QoS on the switches if they supported it. Not included in this blog are the configs for the switches.
In this particular example, we have a Cisco ASA 5505, a layer 3 switch with two VLANs, one for data and one for voice.
0 kommentar(er)
