From: verb2300@yahoo.com
Date: Sat Jun 21 2008 - 05:00:06 ART
Luan/All
I think you are over complicating the command.
You are matching on the TUNNEL GROUP. Granted it is defined per flow your tunnel group is a l2l tunnel. You only have one flow... The destination is the tunnel endpoint. Try matching on a remote access group.
Regards,
Nathan
luan nguyen wrote:
> Hi Farrukh,
> In the beginning, I thought the opposite as well.
> The way I tested this is using the pair 55.55.55.55 and 66.66.66.66, I
> created an IP SLA icmp-jitter probe pinging from 66 to 55. 1400 bytes
> request-packet-size, 100 packets per 20 us interval, 2 seconds frequency,
> 500 ms timeout...max out the 56000 policy.
> then just do a source ping from 6.6.6.6 to 5.5.5.5 and ping packets got
> dropped. So I figure it *has* to be for the whole tunnel. If per flow,
> then there is no way my second source ping got dropped.
> -Luan
> ----- Original Message -----
> From: "Farrukh Haroon" <farrukhharoon@gmail.com>
> To: "Luan Nguyen" <luan@t3technology.com>
> Cc: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "Cisco
> certification" <ccielab@groupstudy.com>
> Sent: Friday, June 20, 2008 4:45 PM
> Subject: Re: ASA QOS confusion
>> This seems to be the opposite of what the command reference says:
>>
>> "The criteria to define flow is the destination IP address. All traffic
>> going to a unique IP destination address is considered a flow. Policy
>> action is applied to each flow instead of the entire class of traffic.
>> QoS action police is applied using the *police* command. Use
>> *match tunnel-group* along with *match flow ip destination-address* to
>> police every tunnel within a tunnel group to a specified rate."
>>
>> How are you testing this?
>>
>> Perhaps you can experiment with this and check:
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2152740
>>
>> Regards
>>
>> Farrukh
>>
>> On Fri, Jun 20, 2008 at 11:24 PM, Luan Nguyen <luan@t3technology.com>
>> wrote:
>>
>>> So,
>>> after further testing with 2 loopbacks on each side and the config look
>>> like this:
>>> class-map VPN
>>> match flow ip destination-address
>>> match tunnel-group X
>>> policy-map VPN
>>> class VPN
>>> police output 56000
>>> service-policy VPN interface outside
>>> access-list VPN extended permit ip host 6.6.6.6 host 5.5.5.5
>>> access-list VPN extended permit ip host 66.66.66.66 host 55.55.55.55
>>> crypto ipsec transform-set VPN esp-3des esp-md5-hmac
>>> crypto map VPN 10 match address VPN
>>> crypto map VPN 10 set peer X
>>> crypto map VPN 10 set transform-set VPN
>>> crypto map VPN interface outside
>>> crypto isakmp enable outside
>>> crypto isakmp policy 10
>>> authentication pre-share
>>> encryption 3des
>>> hash md5
>>> group 2
>>> lifetime 86400
>>> tunnel-group X type ipsec-l2l
>>> tunnel-group X ipsec-attributes
>>> pre-shared-key *
>>>
>>> Pinging between the 2 pairs suggests that the police policy is for the
>>> WHOLE tunnel - not per flow.
>>>
>>> -Luan
>>>
>>>
>>> ----- Original Message ----- From: "Luan Nguyen" <luan@t3technology.com>
>>> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
>>> certification'" <ccielab@groupstudy.com>
>>> Sent: Friday, June 20, 2008 3:58 PM
>>>
>>> Subject: Re: ASA QOS confusion
>>>
>>>
>>>> ASA2(config-pmap-c)# police output 56000
>>>> ERROR: tunnel-group can only be policed on a flow basis
>>>>
>>>> Guess you have to have the match flow ip command.
>>>>
>>>> -Luan
>>>>
>>>>
>>>> ----- Original Message ----- From: "Luan Nguyen" <luan@t3technology.com>
>>>> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
>>>> certification'" <ccielab@groupstudy.com>
>>>> Sent: Friday, June 20, 2008 11:38 AM
>>>> Subject: Re: ASA QOS confusion
>>>>
>>>>
>>>>> The way I understand this is it depends on the question asked and
>>>>> depends
>>>>> on the ACL. The match flow ip makes the QOS police each flow of
>>>>> destination
>>>>> ip address inside the ipsec tunnel. If you have 10 different flows (10
>>>>> destination hosts) then the police 56000 will police EACH flow to
>>>>> 56000. If
>>>>> you don't want to do per flow, then don't put the match flow ip
>>>>> in...just
>>>>> the match tunnel group is enough - the same as permit esp host X host
>>>>> Y. In
>>>>> this case the police 56000 will apply to the whole tunnel.
>>>>> So, yeah, you don't need the match ip flow if you want to police the
>>>>> whole tunnel, but if you want to do additional to things inside the
>>>>> tunnel
>>>>> like classify on dscp...etc, then add more match command - match dscp
>>>>> ef,
>>>>> match flow ip...etc
>>>>>
>>>>> -Luan
>>>>>
>>>>> ----- Original Message ----- From: "Tim" <ccie2be@nyc.rr.com>
>>>>> To: <security@groupstudy.com>; "'Cisco certification'" <
>>>>> ccielab@groupstudy.com>
>>>>> Sent: Friday, June 20, 2008 6:45 AM
>>>>> Subject: ASA QOS confusion
>>>>>
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I need some clarification.
>>>>>>
>>>>>> This example is from the ASA command line guide:
>>>>>>
>>>>>> hostname(config)# class-map cmap
>>>>>> hostname(config-cmap)# match tunnel-group
>>>>>> hostname(config-cmap)# match flow ip destination-address
>>>>>> hostname(config-cmap)# exit
>>>>>> hostname(config)# policy-map pmap
>>>>>> hostname(config-pmap)# class cmap
>>>>>> hostname(config-pmap)# police 56000
>>>>>> hostname(config-pmap)# exit
>>>>>> hostname(config)# service-policy pmap global
>>>>>> hostname(config)#
>>>>>>
>>>>>> I'm not clear exactly what effect the match flow ip command has. Does
>>>>>> the match flow command HAVE to be entered when using the match
>>>>>> tunnel-group command? If it doesn't, what would happen differently if
>>>>>> not entered?
>>>>>>
>>>>>> Also, notice the police command. Does that limit apply to ALL the
>>>>>> combined
>>>>>> traffic flows thru the tunnel or
>>>>>> is 56000 the limit for each flow to a different destination address?
>>>>>>
>>>>>> I read the command line guide at this link but I'm still confused:
>>>>>>
>>>>>> <
>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.h
>>>>>> tml#wp1749376>
>>>>>>
>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.ht
>>>>>> ml#wp1749376
>>>>>>
>>>>>>
>>>>>> Can someone clear the fog off this command?
>>>>>> Thanks, Tim
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>>
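As an added illustration (not code from this thread or from Cisco), the following Python models the two behaviours the thread is arguing about, a single policer bucket shared by the whole tunnel-group versus one bucket per destination address as with match flow ip destination-address, and replays a constructed version of Luan's two-pair test. The 56000 bps rate and the host addresses come from the thread; the burst size, packet sizes and timing are assumed.

```python
# Model of 'police' as one bucket for the whole tunnel-group versus one
# bucket per destination IP. Added illustration, not ASA code; the burst,
# packet sizes and timing below are constructed values.
from collections import defaultdict

class TokenBucket:
    """Single-rate policer: conform if the packet fits in the bucket, else drop."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes   # bucket starts full
        self.last_ms = 0

    def conform(self, t_ms, size):
        # Refill in whole bytes for the elapsed time, capped at the burst size
        # (integer maths keeps the simulation exact and reproducible).
        refill = (t_ms - self.last_ms) * self.rate_bps // 8000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                # exceed action is drop

def police(packets, rate_bps, burst_bytes, per_flow):
    """packets: (time_ms, src, dst, size_bytes) tuples. per_flow=True keys a
    bucket on the destination address; False shares one bucket across the
    tunnel. Returns {dst: (conformed, dropped)}."""
    buckets, stats = {}, defaultdict(lambda: [0, 0])
    for t_ms, _src, dst, size in sorted(packets):
        key = dst if per_flow else "tunnel-group"
        if key not in buckets:
            buckets[key] = TokenBucket(rate_bps, burst_bytes)
        stats[dst][0 if buckets[key].conform(t_ms, size) else 1] += 1
    return {dst: tuple(counts) for dst, counts in stats.items()}

def luan_test(per_flow):
    """Constructed traffic shaped like the thread's test: 1400-byte probe
    packets from 66.66.66.66 to 55.55.55.55 offered far above 56 kbps, plus
    five 100-byte pings from 6.6.6.6 to 5.5.5.5 sent while the probe runs."""
    probe = [(i * 10, "66.66.66.66", "55.55.55.55", 1400) for i in range(100)]
    pings = [(305 + i * 100, "6.6.6.6", "5.5.5.5", 100) for i in range(5)]
    return police(probe + pings, rate_bps=56000, burst_bytes=10500, per_flow=per_flow)

if __name__ == "__main__":
    print("whole tunnel:", luan_test(per_flow=False))
    print("per flow:    ", luan_test(per_flow=True))
```

With a shared bucket the saturating probe starves a ping to the second destination, which is the symptom Luan reports; with per-destination buckets the second pair is untouched.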
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART