From: Luan Nguyen (luan@t3technology.com)
Date: Fri Jun 20 2008 - 12:38:20 ART
The way I understand this, it depends on the question asked and on the ACL. The match flow ip makes the QoS police each flow of destination IP address inside the IPsec tunnel. If you have 10 different flows (10 destination hosts), then the police 56000 will police EACH flow to 56000. If you don't want to do per-flow, then don't put the match flow ip in... just the match tunnel-group is enough, the same as permit esp host X host Y. In this case the police 56000 will apply to the whole tunnel.
So, yeah, you don't need the match flow ip if you want to police the whole tunnel, but if you want to do additional things inside the tunnel, like classify on DSCP, etc., then add more match commands: match dscp ef, match flow ip, etc.
-Luan
----- Original Message -----
From: "Tim" <ccie2be@nyc.rr.com>
To: <security@groupstudy.com>; "'Cisco certification'"
<ccielab@groupstudy.com>
Sent: Friday, June 20, 2008 6:45 AM
Subject: ASA QOS confusion
> Hi guys,
>
> I need some clarification.
>
> This example is from the ASA command line guide:
>
> hostname(config)# class-map cmap
> hostname(config-cmap)# match tunnel-group
> hostname(config-cmap)# match flow ip destination-address
> hostname(config-cmap)# exit
> hostname(config)# policy-map pmap
> hostname(config-pmap)# class cmap
> hostname(config-pmap)# police 56000
> hostname(config-pmap)# exit
> hostname(config)# service-policy pmap global
> hostname(config)#
>
> I'm not clear exactly what effect the match flow ip command has. Does the
> match flow command HAVE to be entered when using the match tunnel-group
> command? If it doesn't, what would happen differently if not entered?
>
> Also, notice the police command. Does that limit apply to ALL the combined
> traffic flows thru the tunnel, or is 56000 the limit for each flow to a
> different destination address?
>
> I read the command line guide at this link but I'm still confused:
>
> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1749376
>
>
> Can someone clear the fog off this command?
> Thanks, Tim
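The two variants Luan describes, written out side by side as an added example (this is not configuration from the original post or from Cisco's guide). The tunnel-group name branch-vpn, the class-map and policy-map names, and the 56000 bps rate are all assumed for illustration; the police line mirrors the syntax in the quoted guide example.

```cisco
! Added example, not from the original post or from Cisco's guide.
! Assumed: an existing IPsec tunnel-group named "branch-vpn"; the
! class-map/policy-map names and the 56000 bps rate are illustrative.

! Variant 1: one policer for the whole tunnel. Only match tunnel-group,
! so everything carried by the tunnel shares a single 56000 bps limit.
class-map branch-vpn-whole
 match tunnel-group branch-vpn
!
! Variant 2: one policer per destination inside the tunnel. Adding
! match flow ip destination-address makes each inner destination
! address its own flow, so ten destinations get ten separate 56000 bps
! limits (560000 bps in aggregate across the tunnel).
class-map branch-vpn-perflow
 match tunnel-group branch-vpn
 match flow ip destination-address
!
! Attach one class or the other to the same tunnel, not both.
! Swap in branch-vpn-perflow here for per-destination policing.
policy-map tunnel-qos
 class branch-vpn-whole
  police 56000
!
service-policy tunnel-qos global
```

Two caveats when adapting this: match flow ip destination-address is only accepted alongside match tunnel-group, so it cannot be used to police per-destination on non-tunnel traffic, and on releases where the police command takes a direction keyword the line becomes police output 56000 (the bare police 56000 form is what the quoted 7.2 reference example shows). To confirm which behaviour you actually got, generate traffic to several inner destinations and watch the per-class counters with show service-policy police: a single conformed/exceeded counter set means whole-tunnel policing, whereas per-flow policing lets the aggregate rate climb past the configured limit.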
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART