Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community


what is the best way to setup QOS between an ASA 5505 and ASA 5510x for VOIP Traffic


I have four sites that use ASA 5505's that connect to the main office's ASA 5510x in Dallas via site 2 site tunnels.  I need to setup QOS for voip traffic from our Houston site and possibly the others in the future.

The Houston site  has four ip phones that connect to a pbx at our main location and have Comcast cable as the ISP. They have light internet usage (5 person office) and 3 printers that are also printed to from our main office.

Our  main location has a T1 and will soon be moving to fibre.

I need help with a best practice step by step guide to setup the voip on the 5505/5510.  I have looked at the configuration guide and perused some discussion groups and it seems there are many ways to accomplish this.

Everyone's tags (4)




I cannot work on a step by step configuration reference as that's why the configuration guide exists :D I can talk about recommendations and what I think the best option is.


In this case if I am not mistaken you want to implement QoS for VoIP traffic across VPN tunnels.

For this u will use something as 

class-map VPN_TO_Main_Office
 description “match on Branch Tunnel Group based on flows”
 match tunnel-group x.x.x Main_Office_IP_addres
 match dscp ef (To match VoIP traffic)

And then of course prioritize (On the ASA u Need to create a priority queue manually, configure the queue limit and Transmit-Ring setttions).


Now Remember that Priotity will only take place after the interface queue gets fullfiled (So the Congestion Management tool takes place) So I would also recommend first shapping the traffic to the exact rate you are paying the ISP (So the congestion management kicks in faster).


I know, I know sounds hard to do but it's not that bad, and just for ur reference here is a links that talks about it.


Man I need my own ASA to create blog posts about stuff like this!






Julio Carvajal
Senior Network Security and Core Specialist

Thank you for taking to time

Thank you for taking to time to help with this.

Can you tell me what the x.x.x indicates from the above example on this line:

match tunnel-group x.x.x Main_Office_IP_addres

Does it signify the name of the vpn tunnel-group?

If so I am assuming the "Main_Office_IP_address" is the address of the main office outside interface or is that there describing the "x.x.x"?

class-map VPN_TO_Main_Office
description “match on Branch Tunnel Group based on flows”
match tunnel-group
match dscp ef

So if am reading this right

So if am reading this right Julio Carvaja it would look like this:

priority-queue outside
class-map VOIP-TRAFFIC
 match tunnel-group
 match dscp ef


policy-map QOS-TRAFFIC-OUT
 class class-default   Default traffic policy
  shape average 600000
  service-policy PRIORITY-POLICY

service-policy QOS-TRAFFIC-OUT


Would I also apply something similar at the main office for VOIP traffice outbound to the satellite office?

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here