QOS on a 5525X


I have a 5525X that I need to impliment QOS on, i have no experiance with QOS.

I need to allow a single IP address on the inside, unrestricted bandwidth no matter what else is going on, this is over a VPN Connection.

Our DR is on this remote site as well, but I need this PC's data to make it to the main office over all else.

1 Reply 1

Dean Romanelli


Unfortunately I do not believe traffic shaping is supported on the next generation firewall ASA platforms, and subsequently QOS likely will not function as intended on a next gen ASA without the ability to traffic shape the WAN port.  

Someone please correct me if I am wrong, but I believe in order to implement QOS on an ASA and have it actually kick in, you need to shape the WAN port's bandwidth on the ASA to whatever the connection speed that your ISP is providing you is.  For example; If the bandwidth of your WAN circuit is 50Mbps from your ISP, you would need to tell the ASA that the outside interface bandwidth is 50Mbps. If you don't do that, then you can still configure QOS, but it will not kick in until you approach the actual speed of the outside interface physical port itself, which in your case I believe the ports on 5525-X are gigabit ports (1000Mbps).  You'd need to get close to hitting that before QOS would kick in.

Attached is an example of QOS I configured on the last generation platform (5505) where my WAN was a T-1 speed.  Without the shape average command telling the ASA the bandwidth of the outside WAN was 1.544Mbps, QOS never kicked in, because the actual outside interface port is 100Mbps on a 5505 unless I told the ASA otherwise.

One other thing to mention: Once you configure QOS, if you want it to remain in tact from source to destination, you need to have every node in the path honor the QOS markings.  For example, an MPLS network where you can request your ISP configure each hop to recognize and honor the QOS markings you are sending.  Since you said this is a VPN connection I am assuming this is going over the internet. In that case, as soon as your traffic arrives at the first node in the path that you don't control in towards the destination, the QOS markings are dropped, and it becomes best effort. So if you don't control every node in the path, then the best you can do is ensure that certain traffic is prioritized over your local WAN pipe before other classes.

