Cisco Firewall :: Possible Limitation Of ASA 5505 DSCP Markings
Aug 19, 2012
following about a limitation on the ASA5505.I have a client that has a number of branch offices on a Gen-I OneOffice network. For complex and political reasons, we can’t trust all nodes on that OneOffice network. We need to put a firewall at each branch office between their local network and the OneOffice router.
To avoid having to either readdress the OneOffice routers (politically difficult) or readdress each branch office (logistically difficult) we’ve suggested using a transparent mode ASA5505 firewall between each sites OneOffice router LAN switch.
Recently I’ve discovered the client is deploying Avaya VOIP phones into the offices using QOS/DSCP over the OneOffice network from Avaya units in some offices. I figured I’d need to trust DSCP on the way though the ASA and went about looking at how to achieve that.
I found the following document relating to configuring QOS on the ASA: url...
This suggests in the DSCP and Diffserv Preservation section that “DSCP markings are preserved on all traffic passing through the ASA.” However, in the Guidelines and Limitations section it suggests QOS isn’t supported in transparent mode.I’m a bit worried that the DSCP markings won’t pass through the ASA5505 in transparent mode.
I have a requirement to preserve markings end to end across a network utilising 3750X switches, I am marking the packets without a problem, but due to the rewriting function the marking is being overwritten by ther COS-->DSCP maps.To simplify the scenario I have set up a test environment (see Diagram) and am using ICMP as a simple test using ICMP to test with Both 3750 have 12.2(35)SE5 3750-1
mls qos mls qos rewrite ip dscp ip access-list extended ICMP permit icmp any any Class-map ICMP match access-group name ICMP
[code]....
I have used wireshark to verify that the packets are being marked, with the' mls qos rewrite ip dscp' they are, without rewriting does not occur.Moving my sniffer to the 3750-2 I am monitoring the Layer3 connection (marking preserved), however on the layer 2 trunk the marking has been reset to 0 , if I remove the 'mls qos rewrite ip dscp' from 3750-2 then I see the marking on the layer 2 trunk, however I am then unable to remark anything generated on this switch. I believe with the 'mls qos rewrite ip dscp' enabled the L3 to L2 transistion removes the IP DSCP sets the COS to 0 and themnthe COS to DSCP mapping ensures the DSCP is set back to 0.I have tried implementing additional marking policies on 3750-2 but to no avail.What I need is ensuring that that a frame / packet marked in 3750-1 can keep it's marking to the end system over layer 3 and a layer 2 trunk. The only place I wan t the marking to be stripped off is when the dot1q tag is removed as it goes through an access port.
Does the limitation on ASR 1000 series RP1 with regard to maximum number of match statements per class-map?. I have more than 30 match statements under my class-maps but when I apply the service policy on the interface, I get the error "cannot configure more than 16 matching statements per class-map for the interface”.I am running 3.1.0 S on an RP1. Is it a hardware limitation just like the older Cisco 10Ks?
Due to lack of address space, I have to go to NAT for our wireless guest users.Are there any limitation with WLC/NGS when comes to NAT?I have four 5500 WLCs, should I put them in 1 mobility group, at 2 different locations?
I am wondering what is the TOS value equivalent to DSCP value AF31? I am wondering what is the TOS value equivalent to DSCP value AF31?I have tried to use the charts but I couldn’t understand how to convert it.
2) as a test we are planning do to deploy ex90 at few of locations. at location 1 we will do DSCP EF marking while at the other location we will do DSCP AF41 for video..assume, LOC1 calls LOC2: so, when video traffic from LOC1 arrives to LOC2 will it be marked as EF? and when traffic from LOC2 arrives LOC1 then traffic will be marked as AF41? if yes, then will there be any issue sometimes in case if we run out of bandwidth for EF?
I ran into interesting issue on Sup-2T. As you probably know, QoS CLI is changed on this new supervisor. I'm looking to translate incoming dscp-marked packets, into exp-marked on egress.Now, according to documentation - Catalyst 6500 Release 15.0SY Software Configuration Guide - this functionality is still called mutation-map and is configured under 'platform qos map exp-mutation'. The problem is quite simple – there is no 'platform qos map exp-mutation' on 2 different machines I checked upon. Here:
Some-6513(config)#platform qos ? 10g-only qos pure 10G mode aggregate-policer Named aggregate policer marking marking keyword police police keyword protocol protocol keyword queueing-only queueing-only (no QoS rewrite, no policing) rewrite packet qos rewrite enable/disable statistics-export qos statistics data export
I work in a manufacturing firm where we have offices at 3 different places say A,B and C. Our ERP server is at our original unit A from where we accessed it at B and C through remote desktop application till now. But now we have hired cloud services to connect to our main ERP server. We are in the process of installing the cloud application on our server at B during which we are encountering a problem. The cloud service provider is asking for domain name and password for the DSCP server based at the orignal unit (A) which no one in the company seems to have any idea about. Our IT guy at A has resigned and has not been replaced. Our IT guy at B is inexperienced and just following the instructions of service provider who is stuck at DSCP domain name and ID. How can I know the domain name and password of DSCP server so that the process moves on?
According to product bulletin no 3209 for the Cisco 4400 series, the Access Point supports 802.11e WMM.
My question goes to DSCP mapping, according to IEEE and your bulletin the DSCP field in the IP header should be set to 46 (10110 00) for mapping to a 802.11 QoS voice priority 6/7.But my Wireshark trace revealed 4400N is mapping toward with 802.11 QoS is set to Priority 5 Video.
If I google DSCP mapping toward 802.11 QoS all IEEE documention I found says EF /Voice should have 46 or 101xxx in the DSCP IP field but running through Cisco and HP docs gives 46 or 48 as value, that is the correct value. [code]
I am running 1.1.24 and spa303 phones I have a qos policy setup to mark all packets
The following is my qos
information 192.168.1.15/24 makring enabled cos/DSCO DSCO Value 0xb8
On my upstream device I only allow traffic that is marked with this dscp value. No traffic is coming through. RTP traffic is marked because it comes off the phone marked but I would expect the qos Policy so mark everything going to that ip space to be marked.
I have a 1262 that will be setup as a WGB and wirelessly connect to a Cisco MESH AP. A switch and clients will hang off of the 1262 WGB. How many clients can a 1262 WGB support?
I have a NMWLC6 module connected to a 3825 ISR using 1140N APs. Latest (but one) code. I had two SSIDs configured and deployed in the default AP group. Last week I needed to deploy a third SSID for unencrypted webauth, I created the interface and WLAN associated with the interface and the sub interface/svi on the WLAN-controller 0/1 with dot1q. All created with no problem and enabled, however the SSID was not available to clients and did not show up as available WLANs under AP groups menu. Out of desperation I created a new AP group and added an AP to it and hey presto all three WLANs were available and the third is now visible to clients! Is this normal behaviour? Is the default AP group limited to two SSIDs? (a quick google failed to find any documented limitation!) or is something weird going on?
We have a deployment of 400 store. Each of those have 2 GRE tunnels running over MPLS & 2 GRE Tunnels running over Internet leading to our 2 data-centers. At each Data-Center, we have 1 ASR-1002 connecting both MPLS & Internet MPLS tunnels (800 total per router).
I saw in the documentation that OER & PfR cannot support more than 20 external interface (in our case GRE tunnels) per MC. Does it means that we need to have 20 routers acting as MC to be able to use PfR for our Internet GRE tunnels ?
Is there any more scalable solution for this ? How big company address this issue when they have a lot of interface to run PfR ?
I have LMS3.2 running and have set up daily log rotation of my SYSLOG file via Common Services-Server-Admin-Log Rotation. In LMS2.6 I set this up from the command line and was able to set the number of rotations to 120. I found in LMS3.2 setting up the rotation via the GUI that the number of rotations is limited to 90.
I am getting a very strange problem where 4500 switch is remarking the packet with dscp 1 to 0.
Let me explaint the setup. I have two PCs connected on same switch but on different modules. PC1 is conencted to Gi4/19 and PC2 is connected to Gi2/43. Both the ports has been configured to trust the dscp. Below are the configuration:
The Cisco 3560 uses a relatively simple classification scheme, assuming you consider only what happens when the forwarding decision has been made. These switches make most internal QoS decisions based on an internal DSCP setting. The internal DSCP is determined when the frame is forwarded. What internal DSCP setting means?
i did on cisco 2960S switch at user ingress interface. but the marking is not showing in show policy-map interface gig 1/0/10 interface and ACL is not showing any match.
I also had a config reference from 2960S cisco guide.
access-list 103 permit tcp any any eq 80 access-list 104 permit tcp any any eq 23 access-list 105 permit icmp host 172.24.68.4 any
Looking to link up to 6513 chassis via 6704 10 gig cards.
I have a 6513 on the 8th floor and one on the 3rd floor in same building. Distance would be approx 150' max. New 10 gig cabling was installed between these floors.
I would like to use 2 10 gig ints on each 6704 to form a port channel (LACP) between the 2 environments.
So far I have been unable to get the links up between 6704's.
Customer wants to place a single 1552E to cover a particular area in his campus, and it will be placed on a tower, and the question is concerning the height. I can not find any particular height limitation such as 5 meters, 10 meters, etc. I understand this will influence the sign propagation as well as throughtput to the users, but can not find a matrix or a best practice guide for that.
I want to use a subnet mask of 255.255.254.0. The setup window doesn't allow me to type in that mask, rather it only allows me to choose from options on a drop down menu (which doesn't include that mask). Is there a way to do this?
our WAN is connected via L2WAN and using EIGRP to connect the sites. Currently there are 35 EIGRP neighbors over L2WAN and we are to install 15 more sites and will be connected to the same L2WAN. Some sites are still using Cisco 2651XM and we would like to know if it can still handle another 15 EIGRP neighbors. Some sites are 2800 and 2900 routers. And is there any other things to consider for EIGRP over L2WAN?
For the past week, I have tried to setup the PPTP VPN server on the RV180. The setup was straight forward, but I could not log-on no matter what I tried. I decided to call Cisco small business support, and as I was talking to the engineer, it mysteriously started to work. I was puzzled and somewhat embarrassed because I'd hate to admit it was an id10t problem on my part. As I tried a few different configurations, I began to realize there might be a limitation in the RV180 PPTP VPN server with the current firmware (1.0.1.9).
In short, the RV180 PPTP only works with 192.168.xxx.xxx/24 subnet. My setup has 3 vlans: vlan1 in 172.xxx.xxx.xxx/24 subnet, vlan2 192.168.0.xxx/24, and vlan3 10.xxx.xxx.xxx/24. My originally plan was to keep vlan3 isolated by disabling inter-vlan routing, but I needed a way to manage a couple of devices on vlan3 remotely, thus I wanted to setup a VPN in the 10.xxx.xxx.xxx/24 subnet. This turned out to be the reason why it never worked before. Today when I called Cisco support, I assigned the PPTP VPN server a 192.168.0.xxx ip range, and it worked. Later, I tried assigning 172.xxx or 10.xxx ip addresses to the PPTP VPN server, and they both failed to work. I created another test vlan4 with 192.168.2.xxx/24 subnet, and assigned the PPTP VPN server to that vlan, and it worked again.
I'd like to mention that I already configured the 10.xxx.xxx.xxx/24 subnet with a few devices before I replaced my router with RV180, and I don't want to have to change and test the setup of all the devices. Another reason I want to have my VPN server outside the 192.168.xxx.xxx range is that it's way too commonly used by wifi hotspots that it increases the chance of wifi and vpn in the same subnet.
I can test a few more configurations, but I think the results will be the same. Perhaps Cisco should test the RV180 in the lab to confirm what I found.
any information regarding height limitation for installing the above ceiling mounted antennas. And is there a separation between the 2 antennas when mounted in the ceiling.
I need to know it the adsl router SRP547w or SRP546 permits to set class B subnetting ( or class A) on the Lan interface. I read the model SRP527 has a limitation to set ip address on the lan interface but I did not find any information about 547 or 546.
access point and the limitation on the users connected to the SSID using a wireless lan controller. From the installation guide I see an incredible thing:
Supported User Count Only fifteen users are allowed to connect on the WLAN Controller WLANs provided on the 600 series at any one time. A sixteenth user cannot authenticate until one of the first clients de-authenticates or a timeout occurred on the controller. Note: This number is cumulative across the controller WLANs on the 600 series. For example, if two controller WLANs are configured and there are fifteen users on one of the WLANs, no users will be able to join the other WLAN on the 600 series at that time. This limit does not apply to the local private WLANs that the end user configures on the 600 series designed for personal use and clients connected on these private WLANs or on the wired ports do not affect these limits.
We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510. One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover. I have configured a number of isr's for this and i know it works good.