From: Tim (ccie2be@nyc.rr.com)
Date: Sat Jun 21 2008 - 10:49:20 ART
Nathan,
That can't be right because then there's no point in applying different QoS
policies to different flows transiting a L2L tunnel.
Suppose you have voice and data running across the same L2L tunnel and you
want to prioritize voice over data.
Based on what you say, that couldn't be done.
When they're talking about destination ip address, I'm pretty sure they mean
the ultimate destination ip address, not the tunnel endpoint.
Keep in mind, QoS policies get applied to the traffic before it's
encapsulated inside the IPSec tunnel.
Tim
-----Original Message-----
From: verb2300@yahoo.com [mailto:verb2300@yahoo.com]
Sent: Saturday, June 21, 2008 4:00 AM
To: luan nguyen
Cc: ccie2be@nyc.rr.com; security@groupstudy.com; ccielab@groupstudy.com;
farrukhharoon@gmail.com
Subject: RE: Re: ASA QOS confusion
Luan/All
I think you are over complicating the command.
You are matching on the TUNNEL GROUP. Granted it is defined per flow your
tunnel group is a l2l tunnel. You only have one flow... The destination is
the tunnel endpoint. Try matching on a remote access group.
Regards,
Nathan
luan nguyen wrote:
> Hi Farrukh,
> In the beginning, I thought the opposite as well.
> The way I tested this is using the pair 55.55.55.55 and 66.66.66.66. I
> created an IP SLA icmp-jitter probe pinging from 66 to 55: 1400 bytes
> request-packet-size, 100 packets per 20 us interval, 2 seconds
> frequency, 500 ms timeout...max out the 56000 policy.
> Then just do a source ping from 6.6.6.6 to 5.5.5.5 and ping packets
> got dropped. So I figure it *has* to be for the whole tunnel. If per
> flow, then there is no way my second source ping got dropped.
> -Luan
> ----- Original Message -----
> From: "Farrukh Haroon" <farrukhharoon@gmail.com>
> To: "Luan Nguyen" <luan@t3technology.com>
> Cc: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "Cisco
> certification" <ccielab@groupstudy.com>
> Sent: Friday, June 20, 2008 4:45 PM
> Subject: Re: ASA QOS confusion
>> This seems to be the opposite of what the command reference says:
>>
>> "The criteria to define flow is the destination IP address. All
>> traffic going to a unique IP destination address is considered a
>> flow. Policy action is applied to each flow instead of the entire
>> class of traffic. QoS action police is applied using the *police*
>> command. Use* match tunnel-group* along with *match flow ip
>> destination-address* to police every tunnel within a tunnel group to
>> a specified rate."
>>
>> How are you testing this?
>>
>> Perhaps you can experiment with this and check:
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/
>> c5.html#wp2152740
>>
>> Regards
>>
>> Farrukh
>>
>> On Fri, Jun 20, 2008 at 11:24 PM, Luan Nguyen <luan@t3technology.com>
>> wrote:
>>
>>> So,
>>> after further testing with 2 loopbacks on each side and the config
>>> looks like this:
>>>
>>> class-map VPN
>>>  match flow ip destination-address
>>>  match tunnel-group X
>>> policy-map VPN
>>>  class VPN
>>>   police output 56000
>>> service-policy VPN interface outside
>>> access-list VPN extended permit ip host 6.6.6.6 host 5.5.5.5
>>> access-list VPN extended permit ip host 66.66.66.66 host 55.55.55.55
>>> crypto ipsec transform-set VPN esp-3des esp-md5-hmac
>>> crypto map VPN 10 match address VPN
>>> crypto map VPN 10 set peer X
>>> crypto map VPN 10 set transform-set VPN
>>> crypto map VPN interface outside
>>> crypto isakmp enable outside
>>> crypto isakmp policy 10
>>>  authentication pre-share
>>>  encryption 3des
>>>  hash md5
>>>  group 2
>>>  lifetime 86400
>>> tunnel-group X type ipsec-l2l
>>> tunnel-group X ipsec-attributes
>>>  pre-shared-key *
>>>
>>> Pinging between the 2 pairs suggests that the police policy is for
>>> the WHOLE tunnel - not per flow.
>>>
>>> -Luan
>>>
>>>
>>> ----- Original Message ----- From: "Luan Nguyen"
>>> <luan@t3technology.com>
>>> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
>>> certification'" <ccielab@groupstudy.com>
>>> Sent: Friday, June 20, 2008 3:58 PM
>>>
>>> Subject: Re: ASA QOS confusion
>>>
>>>>
>>>> ASA2(config-pmap-c)# police output 56000
>>>> ERROR: tunnel-group can only be policed on a flow basis
>>>>
>>>> Guess you have to have the match flow ip command.
>>>>
>>>> -Luan
>>>>
>>>>
>>>> ----- Original Message ----- From: "Luan Nguyen"
>>>> <luan@t3technology.com>
>>>> To: "Tim" <ccie2be@nyc.rr.com>; <security@groupstudy.com>; "'Cisco
>>>> certification'" <ccielab@groupstudy.com>
>>>> Sent: Friday, June 20, 2008 11:38 AM
>>>> Subject: Re: ASA QOS confusion
>>>>
>>>>
>>>>> The way I understand this is it depends on the question asked and
>>>>> depends on the ACL. The match flow ip makes the QOS police each flow of
>>>>> destination ip address inside the ipsec tunnel. If you have 10
>>>>> different flows (10 destination hosts) then the police 56000 will
>>>>> police EACH flow to 56000. If you don't want to do per flow, then
>>>>> don't put the match flow ip in...just the match tunnel group is
>>>>> enough - the same as permit esp host X host Y. In this case the
>>>>> police 56000 will apply to the whole tunnel.
>>>>> So, yeah, you don't need the match ip flow if you want to police
>>>>> the whole tunnel, but if you want to do additional things
>>>>> inside the tunnel like classify on dscp...etc, then add more match
>>>>> commands - match dscp ef, match flow ip...etc
>>>>>
>>>>> -Luan
>>>>>
>>>>> ----- Original Message ----- From: "Tim" <ccie2be@nyc.rr.com>
>>>>> To: <security@groupstudy.com>; "'Cisco certification'" <
>>>>> ccielab@groupstudy.com>
>>>>> Sent: Friday, June 20, 2008 6:45 AM
>>>>> Subject: ASA QOS confusion
>>>>>
>>>>>
>>>>>>
>>>>>> Hi guys,
>>>>>> I need some clarification.
>>>>>>
>>>>>> This example is from the ASA command line guide:
>>>>>>
>>>>>> hostname(config)# class-map cmap
>>>>>> hostname(config-cmap)# match tunnel-group
>>>>>> hostname(config-cmap)# match flow ip destination-address
>>>>>> hostname(config-cmap)# exit
>>>>>> hostname(config)# policy-map pmap
>>>>>> hostname(config-pmap)# class cmap
>>>>>> hostname(config-pmap)# police 56000
>>>>>> hostname(config-pmap)# exit
>>>>>> hostname(config)# service-policy pmap global
>>>>>> hostname(config)#
>>>>>>
>>>>>> I'm not clear exactly what effect the match flow ip command has.
>>>>>> Does the match flow command HAVE to be entered when using the
>>>>>> match tunnel-group command? If it doesn't, what would happen
>>>>>> differently if not entered?
>>>>>>
>>>>>> Also, notice the police command. Does that limit apply to ALL
>>>>>> the combined traffic flows thru the tunnel or is 56000 the limit
>>>>>> for each flow to a different destination address?
>>>>>>
>>>>>> I read the command line guide at this link but I'm still confused:
>>>>>>
>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1749376
>>>>>>
>>>>>>
>>>>>> Can someone clear the fog off this command?
>>>>>> Thanks, Tim
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
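The per-flow versus whole-tunnel question argued over above, modelled as an added example (not code from the thread or from Cisco): a token-bucket policer keyed once per destination address, which is what the command reference says `match flow ip destination-address` does, beside a single bucket shared by the whole class. The 56000 bit/s rate and the destination hosts come from the thread; the bucket model, the burst size, the packet sizes and timing are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    t_ms: int   # arrival time in milliseconds (constructed)
    dst: str    # destination IP inside the tunnel: the documented flow key
    size: int   # bytes

class TokenBucket:
    """Single-rate policer: conform rate in bit/s, burst in bytes (assumed)."""
    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_sec = rate_bps // 8
        self.cap = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_ms = 0

    def conforms(self, pkt):
        refill = (pkt.t_ms - self.last_ms) * self.bytes_per_sec / 1000
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = pkt.t_ms
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size
            return True
        return False   # exceeds the rate: packet is dropped

def police(packets, rate_bps, burst_bytes, per_flow):
    """Conformed bytes per destination. per_flow=True keys one bucket per
    destination address (what the reference says match flow ip does);
    per_flow=False shares one bucket across the whole class."""
    buckets, conformed = {}, defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.t_ms):   # stable: keeps order
        key = pkt.dst if per_flow else "whole-class"
        bucket = buckets.setdefault(key, TokenBucket(rate_bps, burst_bytes))
        if bucket.conforms(pkt):
            conformed[pkt.dst] += pkt.size
    return dict(conformed)

# Constructed traffic: 1400-byte packets to both of the thread's destination
# hosts every 100 ms, so each flow offers 112 kbit/s against 56 kbit/s.
SAMPLE = [Packet(i * 100, dst, 1400)
          for i in range(10) for dst in ("55.55.55.55", "5.5.5.5")]

if __name__ == "__main__":
    print("whole class:", police(SAMPLE, 56000, 1400, per_flow=False))
    print("per flow:   ", police(SAMPLE, 56000, 1400, per_flow=True))
```

Under the shared bucket the second destination is starved entirely (the first packet at each tick drains the bucket), which is the symptom described in the thread; under per-destination buckets each destination independently gets the full 56 kbit/s.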
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART