QOS with ASA - matching of packets issues

gp1200x
Level 2

I have a few more questions regarding ASA and QOS - code level 8.2.5

Let's say I have the following...

class-map TG-NonVoice
 match access-list tg-traffic-acl
class-map TCP-Traffic
 match access-list tcp-traffic-acl
class-map TG-Voice
 match dscp ef
 match tunnel-group x.x.x.x

How do I know the pecking order of what the ASA uses to match a packet? Since a packet can only match one class-map, I created the access-list with deny statements to make sure the packet matches what I want. Example - for the access-list tcp-traffic-acl I did not want it to include tunneled traffic, so I denied the tunnel traffic at the start of the access-list. Is this the correct procedure, since I did not know what order the ASA matches the packets to my access-lists for my class-maps? Is there some order? The TG-Voice gets priority in the policy map, so does it automatically get used for matching first?

Second example:

Let's say I have

class-map TG-NonVoice
 match flow ip destination-address
 match tunnel-group x.x.x.x
class-map TCP-traffic
 match access-list tcp-traffic-acl
class-map TG-Voice
 match dscp ef
 match tunnel-group x.x.x.x

Here I only have one access-list. How do I know the order used to match the packets? If I do not want the tcp-traffic-acl to include packets that could possibly match the VPN tunnel, do I put a deny at the start of the access-list for the VPN traffic to be safe? What would be the flow used by the ASA to determine if a packet matches a class-map rule, since a packet would match multiples, but from what I read it does not get included in others once it matches the first match. Understand?

Thanks
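The first-match behaviour asked about above, as an added model (example code, not from the thread or from Cisco): it assumes a policy-map order, a constructed VPN subnet and constructed sample packets, treats every match line of a class-map as required, and shows that the leading deny ACE keeps tunnel TCP out of TCP-Traffic whichever class is listed first, while without it the result depends on the order.

```python
# Added model of the first-match classification the thread asks about (not ASA
# code): an ACL is decided by its first matching ACE, every match line of a
# class-map must hold, and policy-map classes are tried in order, first hit wins.
from ipaddress import ip_address, ip_network

VPN_SUBNET = ip_network("10.10.0.0/16")  # constructed: networks behind tunnel x.x.x.x
ANY = ip_network("0.0.0.0/0")
def acl_permits(aces, pkt):
    # ACEs are (action, protocol, destination network); the first hit decides
    for action, proto, dst in aces:
        if proto in ("ip", pkt["proto"]) and ip_address(pkt["dst"]) in dst:
            return action == "permit"
    return False  # implicit deny: no ACE hit means the class does not match
def class_matches(criteria, pkt, acls):
    for kind, value in criteria:  # every match line of the class-map must hold
        if kind == "access-list" and not acl_permits(acls[value], pkt):
            return False
        if kind == "dscp" and pkt["dscp"] != value:
            return False
        if kind == "tunnel-group" and pkt.get("tunnel_group") != value:
            return False
    return True
def classify(order, class_maps, acls, pkt):
    for name in order:  # first matching class in policy-map order wins
        if class_matches(class_maps[name], pkt, acls):
            return name
    return "class-default"
ACLS = {
    "tg-traffic-acl": [("permit", "ip", VPN_SUBNET)],
    # the deny ACE the poster put first keeps tunnel traffic out of TCP-Traffic
    "tcp-traffic-acl": [("deny", "ip", VPN_SUBNET), ("permit", "tcp", ANY)],
}
NO_DENY = {**ACLS, "tcp-traffic-acl": [("permit", "tcp", ANY)]}  # same ACL without the deny
CLASS_MAPS = {
    "TG-Voice": [("dscp", "ef"), ("tunnel-group", "x.x.x.x")],
    "TG-NonVoice": [("access-list", "tg-traffic-acl")],
    "TCP-Traffic": [("access-list", "tcp-traffic-acl")],
}
ORDER = ["TG-Voice", "TG-NonVoice", "TCP-Traffic"]  # assumed policy-map order
VOICE = {"proto": "udp", "dst": "10.10.1.5", "dscp": "ef", "tunnel_group": "x.x.x.x"}  # constructed
TUN_TCP = {"proto": "tcp", "dst": "10.10.2.9", "dscp": "default", "tunnel_group": "x.x.x.x"}
LAN_TCP = {"proto": "tcp", "dst": "192.0.2.20", "dscp": "default"}
def demo():
    return {
        "voice": classify(ORDER, CLASS_MAPS, ACLS, VOICE),
        "tunnel_tcp": classify(ORDER, CLASS_MAPS, ACLS, TUN_TCP),
        "tunnel_tcp_tcp_first": classify(ORDER[::-1], CLASS_MAPS, ACLS, TUN_TCP),
        "tunnel_tcp_tcp_first_no_deny": classify(ORDER[::-1], CLASS_MAPS, NO_DENY, TUN_TCP),
        "lan_tcp": classify(ORDER, CLASS_MAPS, ACLS, LAN_TCP),
    }
```

Only the "no deny" case lands tunnel TCP in TCP-Traffic, and only when that class precedes TG-NonVoice in the policy-map.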

Accepted Solution

Julio Carvajal
VIP Alumni

Hello,

I think this covers everything.

This is the best document I have found on the web regarding MPF.

So take a read:

http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Thanks!

Read the document and understood it but I will have to keep it handy since it will not stay in my head for a week or two. Very detailed but a few of the questioners had valid points to make. This answered all my questions and confirmed some of my thoughts.

I do not understand how Cisco can publish things and not fully explain how they work. I always have questions after I read a Cisco doc because they do not fully explain statements and half their examples are full of obvious errors. I sometimes wonder if the Cisco documentation writers understand what they are writing about.

THANKS!