From: Luan Nguyen (luan@t3technology.com)
Date: Fri Jun 20 2008 - 17:24:55 ART
So, after further testing with 2 loopbacks on each side and the config looking like
this:
class-map VPN
 match flow ip destination-address
 match tunnel-group X
policy-map VPN
 class VPN
  police output 56000
service-policy VPN interface outside
access-list VPN extended permit ip host 6.6.6.6 host 5.5.5.5
access-list VPN extended permit ip host 66.66.66.66 host 55.55.55.55
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer X
crypto map VPN 10 set transform-set VPN
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group X type ipsec-l2l
tunnel-group X ipsec-attributes
 pre-shared-key *
Pinging between the 2 pairs suggests that the police policy is for the WHOLE
tunnel - not per flow.
-Luan
----- Original Message -----
From: "Luan Nguyen" <luan@t3technology.com>
To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
certification'" <ccielab@groupstudy.com>
Sent: Friday, June 20, 2008 3:58 PM
Subject: Re: ASA QOS confusion
> ASA2(config-pmap-c)# police output 56000
> ERROR: tunnel-group can only be policed on a flow basis
>
> Guess you have to have the match flow ip command.
>
> -Luan
>
>
> ----- Original Message -----
> From: "Luan Nguyen" <luan@t3technology.com>
> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
> certification'" <ccielab@groupstudy.com>
> Sent: Friday, June 20, 2008 11:38 AM
> Subject: Re: ASA QOS confusion
>
>
>> The way I understand this is it depends on the question asked and on the
>> ACL. The match flow ip command makes the QOS police each flow by
>> destination IP address inside the IPsec tunnel. If you have 10 different
>> flows (10 destination hosts) then the police 56000 will police EACH flow
>> to 56000. If you don't want to do per flow, then don't put the match
>> flow ip in...just the match tunnel-group is enough - the same as permit
>> esp host X host Y. In this case the police 56000 will apply to the whole
>> tunnel.
>> So, yeah, you don't need the match flow ip if you want to police the
>> whole tunnel, but if you want to do additional things inside the
>> tunnel like classify on dscp...etc, then add more match commands - match
>> dscp ef, match flow ip...etc
>>
>> -Luan
>>
>> ----- Original Message -----
>> From: "Tim" <ccie2be@nyc.rr.com>
>> To: <security@groupstudy.com>; "'Cisco certification'"
>> <ccielab@groupstudy.com>
>> Sent: Friday, June 20, 2008 6:45 AM
>> Subject: ASA QOS confusion
>>
>>
>>> Hi guys,
>>>
>>> I need some clarification.
>>>
>>> This example is from the ASA command line guide:
>>>
>>> hostname(config)# class-map cmap
>>> hostname(config-cmap)# match tunnel-group
>>> hostname(config-cmap)# match flow ip destination-address
>>> hostname(config-cmap)# exit
>>> hostname(config)# policy-map pmap
>>> hostname(config-pmap)# class cmap
>>> hostname(config-pmap)# police 56000
>>> hostname(config-pmap)# exit
>>> hostname(config)# service-policy pmap global
>>> hostname(config)#
>>> I'm not clear exactly what effect the match flow ip command has. Does the
>>> match flow command HAVE to be entered when using the match tunnel-group
>>> command? If it doesn't, what would happen differently if not entered?
>>>
>>> Also, notice the police command. Does that limit apply to ALL the combined
>>> traffic flows thru the tunnel, or is 56000 the limit for each flow to a
>>> different destination address?
>>>
>>> I read the command line guide at this link but I'm still confused:
>>>
>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1749376
>>>
>>>
>>> Can someone clear the fog off this command?
>>> Thanks, Tim
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART
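The per-tunnel versus per-flow distinction argued over in this thread, as an added Python model written for this archive page; it is not ASA code and not something any of the posters wrote. It follows the description given in the thread for the documented behaviour: with match tunnel-group alone, one policer covers the whole tunnel; with match flow ip destination-address added, every inner destination address gets its own 56000 bps policer. The conform rate and the destination addresses come from Luan's config above; the 1500-byte burst, the packet sizes and arrival times are constructed sample values, and the single token bucket with a conform/exceed verdict is a simplification of the ASA policer.

```python
"""Constructed model of how an ASA class-map keys a policer (not ASA code).

match tunnel-group X                       -> one bucket per tunnel
match tunnel-group X + match flow ip dst   -> one bucket per (tunnel, destination)
"""
from typing import Dict, List, Optional, Tuple


class Packet:
    """A packet already associated with an IPsec tunnel (inner header fields)."""

    def __init__(self, tunnel_group: str, dst: str, size_bytes: int, t: float) -> None:
        self.tunnel_group = tunnel_group  # key used by "match tunnel-group"
        self.dst = dst                    # key used by "match flow ip destination-address"
        self.size_bytes = size_bytes
        self.t = t                        # arrival time in seconds


class TokenBucket:
    """Single-rate policer: tokens (bytes) refill at rate_bps, capped at burst_bytes."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def conform(self, size_bytes: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        refill = elapsed * self.rate_bps / 8          # bits per second -> bytes
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


class TunnelPolicer:
    """Policer attached to one tunnel-group, keyed per tunnel or per destination flow."""

    def __init__(self, tunnel_group: str, rate_bps: int,
                 burst_bytes: int = 1500, per_flow: bool = False) -> None:
        self.tunnel_group = tunnel_group
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes   # assumed burst; the thread does not state one
        self.per_flow = per_flow         # True models "match flow ip destination-address"
        self.buckets: Dict[Tuple[str, ...], TokenBucket] = {}

    def classify(self, pkt: Packet) -> Optional[Tuple[str, ...]]:
        """Return the bucket key for a packet, or None if the class-map does not match."""
        if pkt.tunnel_group != self.tunnel_group:
            return None
        if self.per_flow:
            return (pkt.tunnel_group, pkt.dst)   # a fresh bucket per inner destination
        return (pkt.tunnel_group,)               # one bucket shared by the whole tunnel

    def police(self, pkt: Packet) -> str:
        key = self.classify(pkt)
        if key is None:
            return "unmatched"
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate_bps, self.burst_bytes))
        return "conform" if bucket.conform(pkt.size_bytes, pkt.t) else "exceed"


def run_scenario(per_flow: bool) -> List[str]:
    """Send the same constructed packet sequence through tunnel X and collect verdicts."""
    policer = TunnelPolicer("X", rate_bps=56000, per_flow=per_flow)
    packets = [
        Packet("X", "5.5.5.5", 1500, 0.0),       # first host pair from the config
        Packet("X", "55.55.55.55", 1500, 0.0),   # second host pair, same instant
        Packet("X", "5.5.5.5", 1500, 0.1),       # only 700 bytes refilled since t=0
        Packet("X", "5.5.5.5", 1500, 1.0),       # bucket refilled back to its burst
        Packet("Y", "5.5.5.5", 1500, 1.0),       # different tunnel-group: not classified
    ]
    return [policer.police(p) for p in packets]


if __name__ == "__main__":
    print("per tunnel :", run_scenario(per_flow=False))
    print("per flow   :", run_scenario(per_flow=True))
```

The second packet is what separates the two readings of the command: under a per-tunnel policer it lands in the bucket the first packet just emptied and exceeds, while with per-flow keying it opens its own bucket and conforms. The per-tunnel case is the behaviour Luan reports from his loopback ping test; the per-flow case is what the thread describes the match flow ip command as adding.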