Re: ASA QOS confusion

From: Luan Nguyen (luan@t3technology.com)
Date: Fri Jun 20 2008 - 16:58:15 ART


ASA2(config-pmap-c)# police output 56000
ERROR: tunnel-group can only be policed on a flow basis

Guess you have to have the match flow ip command.

-Luan

----- Original Message -----
From: "Luan Nguyen" <luan@t3technology.com>
To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
certification'" <ccielab@groupstudy.com>
Sent: Friday, June 20, 2008 11:38 AM
Subject: Re: ASA QOS confusion

> The way I understand this is it depends on the question asked and depends
> on the ACL. The match flow ip makes the QoS police each flow of
> destination IP address inside the IPsec tunnel. If you have 10 different
> flows (10 destination hosts) then the police 56000 will police EACH flow
> to 56000. If you don't want to do per flow, then don't put the match flow
> ip in...just the match tunnel-group is enough - the same as permit esp
> host X host Y. In this case the police 56000 will apply to the whole
> tunnel.
> So, yeah, you don't need the match flow ip if you want to police the whole
> tunnel, but if you want to do additional things inside the tunnel like
> classify on DSCP...etc, then add more match commands - match dscp ef, match
> flow ip...etc
>
> -Luan
>
> ----- Original Message -----
> From: "Tim" <ccie2be@nyc.rr.com>
> To: <security@groupstudy.com>; "'Cisco certification'"
> <ccielab@groupstudy.com>
> Sent: Friday, June 20, 2008 6:45 AM
> Subject: ASA QOS confusion
>
>
>> Hi guys,
>>
>> I need some clarification.
>>
>> This example is from the ASA command line guide:
>>
>> hostname(config)# class-map cmap
>> hostname(config-cmap)# match tunnel-group
>> hostname(config-cmap)# match flow ip destination-address
>> hostname(config-cmap)# exit
>> hostname(config)# policy-map pmap
>> hostname(config-pmap)# class cmap
>> hostname(config-pmap)# police 56000
>> hostname(config-pmap)# exit
>> hostname(config)# service-policy pmap global
>> hostname(config)#
>> I'm not clear exactly what effect the match flow ip command has. Does the
>> match flow command HAVE to be entered when using the match tunnel-group
>> command? If it doesn't, what would happen differently if not entered?
>>
>> Also, notice the police command. Does that limit apply to ALL the combined
>> traffic flows thru the tunnel, or is 56000 the limit for each flow to a
>> different destination address?
>>
>> I read the command line guide at this link but I'm still confused:
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1749376
>>
>>
>> Can someone clear the fog off this command?
>> Thanks, Tim
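The two policing variants discussed in this thread, written out as an added configuration example (not part of the original messages or of Cisco's command reference). The first class follows the pattern from the guide, with the per-flow match that the "can only be policed on a flow basis" error insists on; the second is the "permit esp host X host Y" alternative Luan mentions for policing the tunnel as a whole. The peer and host addresses, the tunnel-group name, the burst sizes and all class/policy/ACL names are assumptions chosen for illustration.

```cisco
! Added example, not from the thread or the ASA command reference.
! Addresses, tunnel-group name, burst values and object names are assumed.
!
! Variant 1: per-flow policing of the cleartext traffic inside a LAN-to-LAN
! tunnel. "match tunnel-group" alone is rejected by "police" (ERROR:
! tunnel-group can only be policed on a flow basis), so the class also
! carries "match flow ip destination-address". The policer is then created
! once per inside destination address: ten destination hosts means ten
! independent 56 kbps buckets, not 56 kbps shared.
class-map L2L-PER-FLOW
 match tunnel-group 203.0.113.10
 match flow ip destination-address
!
policy-map L2L-PER-FLOW-POLICY
 class L2L-PER-FLOW
  police output 56000 10500
!
! Applied globally, as in the guide's example.
service-policy L2L-PER-FLOW-POLICY global
!
! Variant 2: aggregate policing of the whole tunnel. The ACL matches the
! outer ESP packets between the two peers on the outside interface, so a
! single policer covers everything that crosses the tunnel no matter how
! many inside flows it carries. 198.51.100.1 is the ASA's own outside
! address and 203.0.113.10 the remote peer (both assumed).
access-list TUNNEL-ESP extended permit esp host 198.51.100.1 host 203.0.113.10
!
class-map L2L-AGGREGATE
 match access-list TUNNEL-ESP
!
policy-map OUTSIDE-POLICY
 class L2L-AGGREGATE
  police output 56000 10500
!
service-policy OUTSIDE-POLICY interface outside
```

To see which variant is actually in effect, "show service-policy police" lists the conformed and exceeded counters per class; with the per-flow class the counters grow across all flows while each individual destination is still capped at the configured rate.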



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART