Re: ASA QOS confusion

From: luan nguyen (luan@t3technology.com)
Date: Fri Jun 20 2008 - 20:40:20 ART


Hi Farrukh,
In the beginning, I thought the opposite as well.
The way I tested this is using the pair 55.55.55.55 and 66.66.66.66: I
created an IP SLA icmp-jitter probe pinging from 66 to 55, 1400 bytes
request-packet-size, 100 packets per 20 us interval, 2 seconds frequency,
500 ms timeout... to max out the 56000 policy.
Then I just do a source ping from 6.6.6.6 to 5.5.5.5 and the ping packets got
dropped. So I figure it *has* to be for the whole tunnel. If per flow,
then there is no way my second source ping got dropped.

-Luan
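To make the difference between the two readings concrete, here is an added simulation (my own code, not from this thread or from Cisco) that models the `police 56000` action as a token bucket and runs the same constructed traffic through it twice: once with a single bucket for the whole tunnel-group, and once with one bucket per destination IP, which is how the quoted command reference defines a flow. The traffic mimics Luan's test: a 1400-byte probe stream 66.66.66.66 -> 55.55.55.55 arriving every millisecond for two seconds, plus three 1400-byte pings 6.6.6.6 -> 5.5.5.5. The 1500-byte burst size, the packet sizes and the timings are assumptions I chose, not values from the thread.

```python
"""Token-bucket policer simulation: whole-tunnel vs per-flow policing.

Added example, not from the original thread. Rate is the thread's 56000 bps;
the burst size (1500 bytes) and the constructed traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    t_us: int   # arrival time in microseconds
    src: str
    dst: str
    size: int   # bytes


class TokenBucket:
    """Single-rate policer: a packet conforms if enough bytes of credit exist."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # credit refill in bytes per second
        self.burst = burst_bytes            # maximum credit (bucket depth)
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last_us = 0

    def conform(self, pkt):
        # Refill credit for the time elapsed since the previous arrival.
        elapsed_s = (pkt.t_us - self.last_us) / 1e6
        self.tokens = min(self.burst, self.tokens + self.rate * elapsed_s)
        self.last_us = pkt.t_us
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False                        # exceed action: drop


def police(packets, rate_bps, burst_bytes, per_flow):
    """Return {dst: (conformed, offered)} for the given policing granularity."""
    buckets = {}
    accepted = defaultdict(int)
    offered = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.t_us):
        # Per-flow: one bucket per destination IP (the command reference's
        # definition of a flow). Whole-tunnel: every packet shares one bucket.
        key = pkt.dst if per_flow else "tunnel-group X"
        bucket = buckets.setdefault(key, TokenBucket(rate_bps, burst_bytes))
        offered[pkt.dst] += 1
        if bucket.conform(pkt):
            accepted[pkt.dst] += 1
    return {dst: (accepted[dst], offered[dst]) for dst in offered}


def constructed_traffic():
    """Constructed sample: a saturating probe stream plus three pings."""
    pkts = [Packet(n * 1000, "66.66.66.66", "55.55.55.55", 1400)
            for n in range(2000)]                       # 1400 B every 1 ms, 2 s
    pkts += [Packet(t, "6.6.6.6", "5.5.5.5", 1400)
             for t in (500_500, 1_000_500, 1_500_500)]  # pings every 500 ms
    return pkts


RATE_BPS = 56000        # from the thread's "police output 56000"
BURST_BYTES = 1500      # assumption, not stated in the thread


def compare():
    traffic = constructed_traffic()
    return {
        "whole-tunnel": police(traffic, RATE_BPS, BURST_BYTES, per_flow=False),
        "per-flow": police(traffic, RATE_BPS, BURST_BYTES, per_flow=True),
    }


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode)
        for dst, (ok, total) in result.items():
            print(f"  -> {dst}: {ok}/{total} packets conformed")
```

With a shared bucket the probe stream keeps the credit near zero, so every 1400-byte ping to 5.5.5.5 is dropped, matching what Luan observed; with a bucket per destination the pings all conform while the probe stream is still held to its own 56000 bps. Note the caveat the model exposes: because credit refills continuously, a small ping can slip through a shared bucket between two large probe packets, so a test of this kind is only conclusive when the test pings are large enough (or frequent enough) that they cannot fit into the leftover credit.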

----- Original Message -----
From: "Farrukh Haroon" <farrukhharoon@gmail.com>
To: "Luan Nguyen" <luan@t3technology.com>
Cc: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "Cisco
certification" <ccielab@groupstudy.com>
Sent: Friday, June 20, 2008 4:45 PM
Subject: Re: ASA QOS confusion

> This seems to be the opposite of what the command reference says:
>
> "The criteria to define flow is the destination IP address. All traffic
> going to a unique IP destination address is considered a flow. Policy
> action
> is applied to each flow instead of the entire class of traffic. QoS action
> police is applied using the *police* command. Use* match tunnel-group*
> along
> with *match flow ip destination-address* to police every tunnel within a
> tunnel group to a specified rate."
>
> How are you testing this?
>
> Perhaps you can experiment with this and check:
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2152740
>
> Regards
>
> Farrukh
>
> On Fri, Jun 20, 2008 at 11:24 PM, Luan Nguyen <luan@t3technology.com>
> wrote:
>
>> So,
>> after further testing with 2 loopbacks on each side and the config looking
>> like this:
>> class-map VPN
>> match flow ip destination-address
>> match tunnel-group X
>> policy-map VPN
>> class VPN
>> police output 56000
>> service-policy VPN interface outside
>> access-list VPN extended permit ip host 6.6.6.6 host 5.5.5.5
>> access-list VPN extended permit ip host 66.66.66.66 host 55.55.55.55
>> crypto ipsec transform-set VPN esp-3des esp-md5-hmac
>> crypto map VPN 10 match address VPN
>> crypto map VPN 10 set peer X
>> crypto map VPN 10 set transform-set VPN
>> crypto map VPN interface outside
>> crypto isakmp enable outside
>> crypto isakmp policy 10
>> authentication pre-share
>> encryption 3des
>> hash md5
>> group 2
>> lifetime 86400
>> tunnel-group X type ipsec-l2l
>> tunnel-group X ipsec-attributes
>> pre-shared-key *
>>
>> Pinging between the 2 pairs suggests that the police policy is for the
>> WHOLE tunnel - not per flow.
>>
>> -Luan
>>
>>
>> ----- Original Message ----- From: "Luan Nguyen" <luan@t3technology.com>
>> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
>> certification'" <ccielab@groupstudy.com>
>> Sent: Friday, June 20, 2008 3:58 PM
>>
>> Subject: Re: ASA QOS confusion
>>
>>
>>> ASA2(config-pmap-c)# police output 56000
>>> ERROR: tunnel-group can only be policed on a flow basis
>>>
>>> Guess you have to have the match flow ip command.
>>>
>>> -Luan
>>>
>>>
>>> ----- Original Message ----- From: "Luan Nguyen" <luan@t3technology.com>
>>> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
>>> certification'" <ccielab@groupstudy.com>
>>> Sent: Friday, June 20, 2008 11:38 AM
>>> Subject: Re: ASA QOS confusion
>>>
>>>
>>>> The way I understand this is it depends on the question asked and
>>>> depends on the ACL. The match flow ip makes the QOS police each flow of
>>>> destination ip address inside the ipsec tunnel. If you have 10 different
>>>> flows (10 destination hosts) then the police 56000 will police EACH flow
>>>> to 56000. If you don't want to do per flow, then don't put the match flow
>>>> ip in...just the match tunnel group is enough - the same as permit esp
>>>> host X host Y. In this case the police 56000 will apply to the whole
>>>> tunnel.
>>>> So, yeah, you don't need the match ip flow if you want to police the
>>>> whole tunnel, but if you want to do additional things inside the tunnel
>>>> like classify on dscp...etc, then add more match commands - match dscp
>>>> ef, match flow ip...etc
>>>>
>>>> -Luan
>>>>
>>>> ----- Original Message ----- From: "Tim" <ccie2be@nyc.rr.com>
>>>> To: <security@groupstudy.com>; "'Cisco certification'" <
>>>> ccielab@groupstudy.com>
>>>> Sent: Friday, June 20, 2008 6:45 AM
>>>> Subject: ASA QOS confusion
>>>>
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I need some clarification.
>>>>>
>>>>> This example is from the ASA command line guide:
>>>>>
>>>>> hostname(config)# class-map cmap
>>>>> hostname(config-cmap)# match tunnel-group
>>>>> hostname(config-cmap)# match flow ip destination-address
>>>>> hostname(config-cmap)# exit
>>>>> hostname(config)# policy-map pmap
>>>>> hostname(config-pmap)# class cmap
>>>>> hostname(config-pmap)# police 56000
>>>>> hostname(config-pmap)# exit
>>>>> hostname(config)# service-policy pmap global
>>>>> hostname(config)#
>>>>>
>>>>> I'm not clear exactly what effect the match flow ip command has. Does
>>>>> the match flow command HAVE to be entered when using the match
>>>>> tunnel-group command? If it doesn't, what would happen differently if
>>>>> not entered?
>>>>>
>>>>> Also, notice the police command. Does that limit apply to ALL the
>>>>> combined
>>>>> traffic flows thru the tunnel or
>>>>> is 56000 the limit for each flow to a different destination address?
>>>>>
>>>>> I read the command line guide at this link but I'm still confused:
>>>>>
>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1749376
>>>>>
>>>>>
>>>>> Can someone clear the fog off this command?
>>>>> Thanks, Tim
>>>>>
>>>>
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART