Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 20 Applying QoS Policies
 Classifying Traffic for QoS
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
hostname(config-cmap)# exit
hostname(config)# 
The following example shows how to police a flow within a tunnel when the classed traffic is not itself
identified as a tunnel but does traverse the tunnel. In this example, 192.168.10.10 is the address of a
host on the private side of the remote tunnel endpoint, and the access list is named “host-over-l2l”.
By creating a class map (named “host-specific”) that matches this access list, you can police the
“host-specific” class before the LAN-to-LAN connection polices the tunnel: the “host-specific” traffic is
rate-limited first, and then the tunnel as a whole is rate-limited:
hostname(config)# access-list host-over-l2l extended permit ip any host 192.168.10.10
hostname(config)# class-map host-specific
hostname(config-cmap)# match access-list host-over-l2l
hostname(config-cmap)# exit
hostname(config)# 
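The class maps above only classify traffic; nothing is rate-limited until a policy map attaches a police action to each class and a service policy applies that policy map to an interface. The following is an added example, not configuration from the guide, showing the complete sequence. It assumes the flow-based class map from the earlier example is named “tunnel-flows” and uses the tunnel group “tunnel-grp1”, that the policy map is named “qos-l2l” and is applied to an interface named “outside”, and that the conform rate (bits per second) and burst (bytes) values are illustrative only. It uses the release 7.0 form of the police command; later releases take an explicit output or input direction keyword after police.

```text
! Added example (not from the guide). Names, interface and rates are illustrative.
! 1. Classify traffic to the remote host by access list (cleartext side of the tunnel).
hostname(config)# access-list host-over-l2l extended permit ip any host 192.168.10.10
hostname(config)# class-map host-specific
hostname(config-cmap)# match access-list host-over-l2l
hostname(config-cmap)# exit
! 2. Classify the tunnel itself; for a LAN-to-LAN tunnel the flow match yields one aggregate flow.
hostname(config)# class-map tunnel-flows
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
hostname(config-cmap)# exit
! 3. Police the host-specific class first, then the tunnel aggregate (order in the policy map matters).
hostname(config)# policy-map qos-l2l
hostname(config-pmap)# class host-specific
hostname(config-pmap-c)# police 56000 10500 conform-action transmit exceed-action drop
hostname(config-pmap-c)# class tunnel-flows
hostname(config-pmap-c)# police 256000 48000 conform-action transmit exceed-action drop
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! 4. Apply the policy map to the interface that carries the tunnel and verify the per-class counters.
hostname(config)# service-policy qos-l2l interface outside
hostname(config)# show service-policy interface outside
```

Because “host-specific” is listed before “tunnel-flows” in the policy map, traffic destined to 192.168.10.10 is policed under the host-specific rate before it is counted against the tunnel aggregate rate. After generating traffic through the tunnel, the conformed and exceeded counters reported by show service-policy for each class confirm that both stages are in effect; a class whose counters stay at zero has not matched, which usually means the access list or tunnel group name is wrong.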
The following table summarizes the match command criteria available and relevant to QoS. For the full
list of all match commands and their syntax, see the Cisco Security Appliance Command Reference:

Command                            Description
match access-list                  Matches, by name or number, access list traffic within a class map.
match any                          Matches all traffic; every packet is a member of the class.
match dscp                         Matches the IETF-defined DSCP value (in an IP header) in a class map.
                                   You can specify up to 64 different DSCP values, defining the class as
                                   composed of packets that match any of the specified values.
match flow ip destination-address  Enables flow-based policy actions. The criterion that defines a flow is
                                   the destination IP address: all traffic going to a unique IP destination
                                   address is considered one flow, and the policy action is applied to each
                                   flow instead of to the entire class of traffic. This command always
                                   accompanies match tunnel-group. For remote-access VPNs, it applies to
                                   each remote-access host flow. For LAN-to-LAN VPNs, it applies to the
                                   single aggregated VPN flow identified by the local and remote tunnel
                                   address pair.
match port                         Matches TCP or UDP traffic by port, either a single port or a port
                                   range.
match precedence                   Matches the precedence value represented by the TOS byte in the IP
                                   header. You can specify up to 8 different precedence values, defining
                                   the class as composed of packets that match any of the specified values.
match rtp                          Matches traffic that uses an RTP port within a specified range. The
                                   allowed range is targeted at capturing applications likely to be using
                                   RTP. A packet matches the class only if its UDP port falls within the
                                   specified range, inclusive, and the port number is even (RTP media
                                   streams use even ports; the odd port above each one carries RTCP).
match tunnel-group                 Matches every tunnel within the specified tunnel group.

In addition to the user-defined classes, a system-defined class named class-default also exists.
class-default represents all packets that do not match any of the user-defined classes, so that policies
can be defined for these packets as well.