From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Jun 20 2008 - 17:45:43 ART
This seems to be the opposite of what the command reference says:
"The criteria to define flow is the destination IP address. All traffic
going to a unique IP destination address is considered a flow. Policy action
is applied to each flow instead of the entire class of traffic. QoS action
police is applied using the *police* command. Use *match tunnel-group* along
with *match flow ip destination-address* to police every tunnel within a
tunnel group to a specified rate."
How are you testing this?
Perhaps you can experiment with this and check:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2152740
Regards
Farrukh
On Fri, Jun 20, 2008 at 11:24 PM, Luan Nguyen <luan@t3technology.com> wrote:
> So, after further testing with 2 loopbacks on each side, the config looks
> like this:
> class-map VPN
> match flow ip destination-address
> match tunnel-group X
> policy-map VPN
> class VPN
> police output 56000
> service-policy VPN interface outside
> access-list VPN extended permit ip host 6.6.6.6 host 5.5.5.5
> access-list VPN extended permit ip host 66.66.66.66 host 55.55.55.55
> crypto ipsec transform-set VPN esp-3des esp-md5-hmac
> crypto map VPN 10 match address VPN
> crypto map VPN 10 set peer X
> crypto map VPN 10 set transform-set VPN
> crypto map VPN interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> tunnel-group X type ipsec-l2l
> tunnel-group X ipsec-attributes
> pre-shared-key *
>
> Pinging between the 2 pairs suggests that the police policy is for the
> WHOLE tunnel - not per flow.
>
> -Luan
>
>
> ----- Original Message ----- From: "Luan Nguyen" <luan@t3technology.com>
> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
> certification'" <ccielab@groupstudy.com>
> Sent: Friday, June 20, 2008 3:58 PM
>
> Subject: Re: ASA QOS confusion
>
>
>> ASA2(config-pmap-c)# police output 56000
>> ERROR: tunnel-group can only be policed on a flow basis
>>
>> Guess you have to have the match flow ip command.
>>
>> -Luan
>>
>>
>> ----- Original Message ----- From: "Luan Nguyen" <luan@t3technology.com>
>> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
>> certification'" <ccielab@groupstudy.com>
>> Sent: Friday, June 20, 2008 11:38 AM
>> Subject: Re: ASA QOS confusion
>>
>>
>>> The way I understand this is it depends on the question asked and depends
>>> on the ACL. The match flow ip makes the QOS police each flow of destination
>>> IP address inside the IPsec tunnel. If you have 10 different flows (10
>>> destination hosts) then the police 56000 will police EACH flow to 56000. If
>>> you don't want to do per flow, then don't put the match flow ip in...just
>>> the match tunnel-group is enough - the same as permit esp host X host Y. In
>>> this case the police 56000 will apply to the whole tunnel.
>>> So, yeah, you don't need the match flow ip if you want to police the
>>> whole tunnel, but if you want to do additional things inside the tunnel
>>> like classify on DSCP, etc., then add more match commands - match dscp ef,
>>> match flow ip, etc.
>>>
>>> -Luan
>>>
>>> ----- Original Message ----- From: "Tim" <ccie2be@nyc.rr.com>
>>> To: <security@groupstudy.com>; "'Cisco certification'" <
>>> ccielab@groupstudy.com>
>>> Sent: Friday, June 20, 2008 6:45 AM
>>> Subject: ASA QOS confusion
>>>
>>>
>>>> Hi guys,
>>>>
>>>> I need some clarification.
>>>>
>>>> This example is from the ASA command line guide:
>>>>
>>>> hostname(config)# class-map cmap
>>>> hostname(config-cmap)# match tunnel-group
>>>> hostname(config-cmap)# match flow ip destination-address
>>>> hostname(config-cmap)# exit
>>>> hostname(config)# policy-map pmap
>>>> hostname(config-pmap)# class cmap
>>>> hostname(config-pmap)# police 56000
>>>> hostname(config-pmap)# exit
>>>> hostname(config)# service-policy pmap global
>>>> hostname(config)#
>>>> I'm not clear exactly what effect the match flow ip command has. Does the
>>>> match flow command HAVE to be entered when using the match tunnel-group
>>>> command? If it doesn't, what would happen differently if not entered?
>>>>
>>>> Also, notice the police command. Does that limit apply to ALL the combined
>>>> traffic flows thru the tunnel or is 56000 the limit for each flow to a
>>>> different destination address?
>>>>
>>>> I read the command line guide at this link but I'm still confused:
>>>>
>>>> <
>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.h
>>>> tml#wp1749376>
>>>>
>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.ht
>>>> ml#wp1749376
>>>>
>>>>
>>>> Can someone clear the fog off this command?
>>>> Thanks, Tim
>>>>
>>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
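To make the per-flow versus whole-tunnel distinction argued in this thread concrete, the following is an added Python model (not code from the thread, the list, or Cisco): a toy single-rate token bucket standing in for `police 56000`, keyed either per destination IP (the `match flow ip destination-address` case) or once for the whole class. The 1500-byte burst, the two destination addresses and the 80 kbps-per-destination load are constructed assumptions, not ASA defaults.

```python
# Added example (not Cisco code): a toy single-rate token-bucket model of the
# ASA `police` action, applied either per destination-IP flow (what `match flow
# ip destination-address` requests) or once for the whole class. Traffic and
# the burst size are constructed for illustration; real ASA defaults differ.
from collections import defaultdict

RATE_BPS = 56000      # the `police 56000` rate discussed in the thread
BURST_BYTES = 1500    # constructed burst allowance


class TokenBucket:
    """Single-rate policer: refills at rate_bps, holds at most burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_per_ms = rate_bps // 8 // 1000   # 56000 bps -> 7 bytes/ms
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def conform(self, now_ms, size):
        """True if the packet conforms (forwarded), False if it exceeds."""
        refill = (now_ms - self.last_ms) * self.rate_per_ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size > self.tokens:
            return False
        self.tokens -= size
        return True


def police(packets, per_flow):
    """packets: (time_ms, dst_ip, size_bytes) tuples in time order. per_flow=True
    keys one bucket per destination; False uses a single bucket for the class.
    Returns {dst_ip: bytes that conformed}."""
    buckets = defaultdict(lambda: TokenBucket(RATE_BPS, BURST_BYTES))
    conformed = defaultdict(int)
    for t_ms, dst, size in packets:
        if buckets[dst if per_flow else "class"].conform(t_ms, size):
            conformed[dst] += size
    return dict(conformed)


def constructed_traffic(dsts, seconds=10, pps=100, size=100):
    """Constructed load: each destination gets pps packets/s of size bytes
    (80 kbps per destination, above the 56 kbps policer), interleaved in time."""
    return sorted((i * 1000 // pps, d, size) for d in dsts for i in range(seconds * pps))


if __name__ == "__main__":
    traffic = constructed_traffic(["5.5.5.5", "55.55.55.55"])
    for mode in (True, False):
        res = police(traffic, per_flow=mode)
        print("per-flow" if mode else "whole-class", res, "total", sum(res.values()))
```

With two destinations the per-flow policer lets through roughly twice as many bytes as the whole-class policer, which is the difference the thread is debating: a per-flow limit bounds each destination, not the tunnel's aggregate.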
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART