From: Tim (ccie2be@nyc.rr.com)
Date: Fri Jun 20 2008 - 18:15:00 ART
Luan,
How are you doing the pinging?
Do you have 2 pings going at the same time?
If not, maybe this could be done:
Reduce the police bps to a very small amount, maybe 5 kbps.
Then, vty into the pinging device and start an extended ping, e.g. ping
x.x.x.x repeat 10000 timeout 1
Then, console into the same device and do another ping to a different ip
address so that there are 2 long pings taking place at the same time
which together exceed the police bandwidth.
Then do a show service-policy -----
I don't know for sure whether that will prove this per-flow theory or not,
but maybe.
Thanks for taking the time to check this out and share your results with us.
Tim
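The two-ping test proposed above, modelled as an added example (not code from the thread or from Cisco): the 'police output 56000' from Luan's config is approximated as a single-rate token bucket with an assumed 1500-byte burst, and two constructed ping streams to the loopback hosts from the access-list are run through either one bucket per destination (match flow ip) or one bucket for the whole tunnel. Each stream alone is under the rate; together they exceed it, so only the whole-tunnel policer drops.

```python
from collections import defaultdict

RATE_BPS = 56000      # the 'police output 56000' value from the thread
BURST_BYTES = 1500    # assumed burst size (ASA default is 1500 bytes)


class TokenBucket:
    """Single-rate policer: a packet conforms if enough byte-tokens remain."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps, self.burst = rate_bps, burst_bytes
        self.tokens, self.last_ms = burst_bytes, 0

    def conform(self, now_ms, size):
        # Refill for the elapsed time, capped at the burst depth.
        # 20 ms * 56000 / 8000 = 140.0 bytes, exact in float for these inputs.
        refill = (now_ms - self.last_ms) * self.rate_bps / 8000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def ping_stream(dst, size=100, interval_ms=20, count=50):
    """Constructed echo stream: 100-byte packets every 20 ms = 40 kbps."""
    return [(i * interval_ms, dst, size) for i in range(count)]


def police(packets, per_flow):
    """Police packets with one bucket per destination (match flow ip
    destination-address) or one bucket for the whole tunnel.
    Returns (conformed, exceeded) packet counts."""
    buckets = defaultdict(lambda: TokenBucket(RATE_BPS, BURST_BYTES))
    conformed = exceeded = 0
    for t_ms, dst, size in sorted(packets):
        key = dst if per_flow else "whole-tunnel"
        if buckets[key].conform(t_ms, size):
            conformed += 1
        else:
            exceeded += 1
    return conformed, exceeded


# Two pings to the loopback hosts from Luan's access-list, running at once:
# 40 kbps + 40 kbps = 80 kbps, above the 56 kbps policer.
PACKETS = ping_stream("5.5.5.5") + ping_stream("55.55.55.55")

if __name__ == "__main__":
    print("match flow ip (per flow):", police(PACKETS, per_flow=True))
    print("whole tunnel:            ", police(PACKETS, per_flow=False))
```

With per-flow buckets all 100 packets conform; with a single tunnel bucket the second stream loses 17 of its 50 packets once the burst is used up, which is the difference the show service-policy counters should reveal.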
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan
Nguyen
Sent: Friday, June 20, 2008 4:25 PM
To: Tim; security@groupstudy.com; 'Cisco certification'
Subject: Re: ASA QOS confusion
So, after further testing with 2 loopbacks on each side, the config looks like
this:
class-map VPN
 match flow ip destination-address
 match tunnel-group X
policy-map VPN
 class VPN
  police output 56000
service-policy VPN interface outside
access-list VPN extended permit ip host 6.6.6.6 host 5.5.5.5
access-list VPN extended permit ip host 66.66.66.66 host 55.55.55.55
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer X
crypto map VPN 10 set transform-set VPN
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group X type ipsec-l2l
tunnel-group X ipsec-attributes
 pre-shared-key *
Pinging between the 2 pairs suggests that the police policy is for the WHOLE
tunnel - not per flow.
-Luan
----- Original Message -----
From: "Luan Nguyen" <luan@t3technology.com>
To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
certification'" <ccielab@groupstudy.com>
Sent: Friday, June 20, 2008 3:58 PM
Subject: Re: ASA QOS confusion
> ASA2(config-pmap-c)# police output 56000
> ERROR: tunnel-group can only be policed on a flow basis
>
> Guess you have to have the match flow ip command.
>
> -Luan
>
>
> ----- Original Message -----
> From: "Luan Nguyen" <luan@t3technology.com>
> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
> certification'" <ccielab@groupstudy.com>
> Sent: Friday, June 20, 2008 11:38 AM
> Subject: Re: ASA QOS confusion
>
>
>> The way I understand this is it depends on the question asked and
>> depends on the ACL. The match flow ip makes the QOS police each flow
>> of destination ip address inside the ipsec tunnel. If you have 10
>> different flows (10 destination hosts) then the police 56000 will
>> police EACH flow to 56000. If you don't want to do per flow, then
>> don't put the match flow ip in...just the match tunnel group is
>> enough - the same as permit esp host X host Y. In this case the
>> police 56000 will apply to the whole tunnel.
>> So, yeah, you don't need the match ip flow if you want to police the
>> whole tunnel, but if you want to do additional things inside the
>> tunnel like classify on dscp...etc, then add more match commands -
>> match dscp ef, match flow ip...etc
>>
>> -Luan
>>
>> ----- Original Message -----
>> From: "Tim" <ccie2be@nyc.rr.com>
>> To: <security@groupstudy.com>; "'Cisco certification'"
>> <ccielab@groupstudy.com>
>> Sent: Friday, June 20, 2008 6:45 AM
>> Subject: ASA QOS confusion
>>
>>
>>> Hi guys,
>>>
>>> I need some clarification.
>>>
>>> This example is from the ASA command line guide:
>>>
>>> hostname(config)# class-map cmap
>>> hostname(config-cmap)# match tunnel-group
>>> hostname(config-cmap)# match flow ip destination-address
>>> hostname(config-cmap)# exit
>>> hostname(config)# policy-map pmap
>>> hostname(config-pmap)# class cmap
>>> hostname(config-pmap)# police 56000
>>> hostname(config-pmap)# exit
>>> hostname(config)# service-policy pmap global
>>> hostname(config)#
>>>
>>> I'm not clear exactly what effect the match flow ip command has.
>>> Does the match flow command HAVE to be entered when using the match
>>> tunnel-group command?
>>> If it doesn't, what would happen differently if not entered?
>>>
>>> Also, notice the police command. Does that limit apply to ALL the
>>> combined traffic flows thru the tunnel or is 56000 the limit for
>>> each flow to a different destination address?
>>>
>>> I read the command line guide at this link but I'm still confused:
>>>
>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1749376
>>>
>>>
>>> Can someone clear the fog off this command?
>>> Thanks, Tim
>
>
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART