From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Thu Apr 14 2005 - 12:33:35 GMT-3
BBD,
What you are looking for is called "Modular Policy Framework" in the PIX
OS.
There are three parts to the configuration for the QOS support for the
PIX OS.
1. Configuring a Class-Map - The Class-Map is used to identify the
types of traffic flows for the QOS. Once you create the Class-map using
the class-map command followed by a class_map_name of your choosing:

    PIX1(config)# class-map my-voice-traffic

Then you can identify the characteristics of the traffic flows using a
set of attributes that you define in the class-map that must matter to
be true.
Attributes:
    Access-list  - match a predefined access-list
    Any          - match all traffic
    DSCP         - match the IETF-defined DSCP in the IP Header
    Flow         - specifies to match an IP Flow within a Tunnel-Group
    Ports        - specified UDP/TCP port numbers to match
    Precedence   - match the precedence value - TOS byte in IP Header
    RTP          - match the RTP UDP port number within specified range
    Tunnel-group - match a specified tunnel group
    PIX1(config-cmap)# description <text>
                       match any
                       match access-list <acl-name>
                       match port tcp|udp {eq <number> | range number number}
                       match precedence <precedence_value>
                       match dscp <dscp_value>
                       match rtp <starting port> <range>
                       match tunnel-group <tunnel_group_id>
                       match flow ip <source-address | destination-address>
                       match default-inspection-traffic
2. Configuring a Policy-Map - Used to associate one or more actions
with the class of traffic from the class-map. You use the Policy-map to
link your class-map to the action or actions you wish to take if
there is a match to the class-map. You use the policy-map global
configuration command with a name of your choosing to enter the
policy-map subconfiguration mode. You can only have one policy per
interface.

    PIX1(config)# policy-map my-voice-policy
    PIX1(config-policy)# description <text>
    PIX1(config-policy)# class my-voice-traffic
Once you link the class-map to the policy-map then you need to define
your action or actions to perform.
Actions include - forward traffic to IDS, perform protocol inspection,
police the bandwidth, direct flow to low latency queue or to set
connection parameters on the flow.
    PIX1(config-policy)# set connection random-seq# enable|disable
                         set connection {conn-max|embryonic-conn-max} number
                         set connection timeout tcp hh[:mm:ss]
                             embryonic hh[:mm:ss] half-closed hh[:mm:ss]
                         set connection advanced-options <tcp-map>
                         inspect {ctiqbe|dns|esmtp|ftp|gtp|http|h323|icmp|
                             icmp error|ils|mgcp|netbios|pptp|rpc|rsh|rtsp|
                             sip|skinny|snmp|sqlnet|tftp|xdmcp}
                         ids {inline|promiscuous} {fail-open|fail-close}
                         priority
                         police
3. Configuring a Service-Policy - Used to enable the set of the
policies on an interface for the PIX device. Now that you have created
the class-map which is linked to the policy-map, now you must link the
policy-map to the service-policy which will link to the interface.
    PIX1(config)# service-policy my-voice-policy global

Or

    PIX1(config)# service-policy my-voice-policy interface outside
See chapter 18 of the Cisco Security Appliance Command Line
Configuration Guide for additional information and examples.
HTH.
Christopher M. Heffner, CCIE 8211, CCSI 98760
Strategic Network Solutions, Inc.
www.certified-labs.com
"Complete online CCIE R&S and Security Lab Racks"
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Wing Lam
Sent: Wednesday, April 13, 2005 10:51 PM
To: ccielab@groupstudy.com
Subject: PIX 7.0
Hi Group;
Sorry for OT; the link below mentions that PIX OS 7.0 supports QoS
Services, just want to know who has tested this and what QoS it can
support if anybody knows.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.htm
Thanks,
BBD
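
A class-map only takes effect once a policy-map references it and a service-policy applies that policy-map, as the reply above describes. The following is an added example, not part of the original thread and not Cisco tooling: a Python check that walks a saved configuration and reports breaks in that chain, plus any target carrying more than one service-policy. The sample configuration is constructed, the function name audit_mpf is hypothetical, and class-default is assumed to be the implicit built-in class.

```python
import re
from collections import defaultdict

# Constructed sample configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
class-map my-voice-traffic
 match rtp 16384 16383
class-map unused-web-traffic
 match port tcp eq 80
policy-map my-voice-policy
 class my-voice-traffic
  priority
policy-map web-policy
 class web-servers
  set connection conn-max 100
policy-map spare-policy
 class my-voice-traffic
service-policy my-voice-policy interface outside
service-policy web-policy interface outside
"""
BUILTIN_CLASSES = {"class-default"}  # assumption: implicit catch-all class

def audit_mpf(config):
    """Check the class-map -> policy-map -> service-policy chain; return findings."""
    class_maps, policies, applied = set(), {}, defaultdict(list)
    current = None  # class list of the policy-map whose sub-mode we are in
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # a top-level command leaves policy-map sub-mode
        if m := re.fullmatch(r"class-map (\S+)", line):
            class_maps.add(m.group(1))
        elif m := re.fullmatch(r"policy-map (\S+)", line):
            current = policies.setdefault(m.group(1), [])
        elif current is not None and (m := re.fullmatch(r"class (\S+)", line)):
            current.append(m.group(1))
        elif m := re.fullmatch(r"service-policy (\S+) (?:global|interface (\S+))", line):
            applied[m.group(2) or "global"].append(m.group(1))
    used = {c for classes in policies.values() for c in classes}
    findings = [f"class-map {n} is not referenced by any policy-map"
                for n in sorted(class_maps - used)]
    for pol, classes in sorted(policies.items()):
        for c in classes:
            if c not in class_maps | BUILTIN_CLASSES:
                findings.append(f"policy-map {pol} references undefined class-map {c}")
        if not any(pol in pols for pols in applied.values()):
            findings.append(f"policy-map {pol} is not applied by any service-policy")
    findings += [f"{target} has {len(pols)} service-policies: {', '.join(pols)}"
                 for target, pols in sorted(applied.items()) if len(pols) > 1]
    return findings
```

Calling audit_mpf(SAMPLE_CONFIG) returns one finding per broken link; a configuration where every class-map, policy-map and service-policy lines up returns an empty list.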