Confused with QoS on ASA

Andrew White · ‎02-07-2019

Hi,

We have a 100MB internet line which is managed by our ISP and is heavily used. It's part of an HSRP, but the standby line is only 30MB. The 2 routers go into a stack of Cisco switches (1 router in each). The ASAs (active/standby) go into the same switch and outside VLAN.

I've been looking as QoS (LLQ?) as I've noticed our Guest WiFi subnets are using this 100MB line too much so I have put in a QoS statement to limit them to 10MB. On top of this I have put another statement in to priorities access to a remote https website we all use so it get's preference.

I believe the above only kicks in when the line is saturated which is ok, but how do I know they are actually working? The ASAs outside ports are set to 1Gb and go into the switch, but the internet is only 100MB, so how does it do the math to implement the traffic shaping and policing? Or am I looking at it from the wrong angle and is it based on those QoS limits I set. For example if a one of the guest networks his 5MB then it will stay at that as I've told it to?

I did a speed test on the guest network and they were getting around 60MB each way in the morning, but later I tried and they were being limited to 5MB each way.

Thanks and sorry for all the questions, just very confused.

Karsten Iwen · ‎02-07-2019

Well, I do not understand what you really have done, but some info on QoS on the ASA:

ASA QoS is very much limited, but basic tasks can be done.
There is no LLQ, but the ASA can do priority Queuing. It will not help in this situation as the interface has to be saturated to kick in.
Shaping on the ASA has gone a very long time ago.
Policing is the way to go here. You can configure your guest-interface with an in- and outgoing policing to unconditionally police the traffic to a specific data rate. That will be enforced regardless if the ASA-interface or the WAN-link is saturated.