Identifying Traffic For Qos - Cisco PIX 500 Series Configuration Manual

Identifying Traffic for QoS
The class-map command classifies a set of traffic with which QoS actions are associated. You can use various types of match criteria to classify traffic: the match commands identify the traffic that is included in the traffic class for a class map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

One such criterion is access-list. For example, in the following sequence, the class-map command classifies all non-tunneled TCP traffic, using an access-list named tcp_traffic:
hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic
When a packet is matched against a class-map, the result is either a match or a no-match.

In the following example, other, more specific match criteria are used to classify traffic for specific, security-related tunnel groups. These criteria require a match on tunnel-group (in this case, the previously defined Tunnel-Group-1) as the first match characteristic for classifying traffic for a specific tunnel, and allow an additional match line to classify the traffic by IP differentiated services code point (DSCP), here expedited forwarding (ef):
hostname(config)# class-map TG1-voice
hostname(config-cmap)# match tunnel-group Tunnel-Group-1
hostname(config-cmap)# match dscp ef
In the following example, the class-map command classifies both tunneled and non-tunneled traffic according to the traffic type:
hostname(config)# access-list tunneled extended permit ip 10.10.34.0 255.255.255.0 20.20.10.0 255.255.255.0
hostname(config)# access-list non-tunneled extended permit tcp any any
hostname(config)# tunnel-group tunnel-grp1 type IPSec_L2L
hostname(config)# class-map browse
hostname(config-cmap)# description "This class-map matches all non-tunneled tcp traffic."
hostname(config-cmap)# match access-list non-tunneled
hostname(config-cmap)# class-map TG1-voice
hostname(config-cmap)# description "This class-map matches all dscp ef traffic for tunnel-grp 1."
hostname(config-cmap)# match dscp ef
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# class-map TG1-BestEffort
hostname(config-cmap)# description "This class-map matches all best-effort traffic for tunnel-grp1."
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
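The classification rules this section describes (every match line in a class-map must hold for the packet, and a packet that fits no class falls to the default class), modelled as an added Python example that is not part of the Cisco manual. The Packet fields, the sample addresses and the first-match ordering of class-maps within a policy are assumptions of the model, and the page's match flow line is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed packet model: only the fields the class-maps on this page inspect.
@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp", ...
    src: str
    dst: str
    dscp: Optional[str] = None          # e.g. "ef" (expedited forwarding)
    tunnel_group: Optional[str] = None  # set when the packet arrived through that tunnel

Match = Callable[[Packet], bool]

def match_access_list(proto: str, src_net: str, dst_net: str) -> Match:
    """Models one 'access-list ... permit <proto> <src> <dst>' entry ('ip' = any protocol)."""
    src_n, dst_n = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    return lambda p: ((proto == "ip" or p.proto == proto)
                      and ipaddress.ip_address(p.src) in src_n
                      and ipaddress.ip_address(p.dst) in dst_n)

def match_dscp(value: str) -> Match:
    return lambda p: p.dscp == value

def match_tunnel_group(name: str) -> Match:
    return lambda p: p.tunnel_group == name

@dataclass
class ClassMap:
    name: str
    matches: List[Match]
    def includes(self, p: Packet) -> bool:
        # Every match line in the class-map must hold (tunnel-group AND dscp, for example).
        return all(m(p) for m in self.matches)

def classify(policy: List[ClassMap], p: Packet) -> str:
    """Return the first class-map that includes the packet, else the default class."""
    for cm in policy:
        if cm.includes(p):
            return cm.name
    return "class-default"

# The page's class-maps in an assumed policy order. TG1-voice must precede TG1-BestEffort,
# otherwise the tunnel-group-only class would swallow the EF voice traffic (first match wins).
POLICY = [
    ClassMap("TG1-voice", [match_tunnel_group("tunnel-grp1"), match_dscp("ef")]),
    ClassMap("TG1-BestEffort", [match_tunnel_group("tunnel-grp1")]),
    ClassMap("browse", [match_access_list("tcp", "0.0.0.0/0", "0.0.0.0/0")]),
]
```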
The following example shows a way of policing a flow within a tunnel, provided the classed traffic is not specified as a tunnel, but does go through the tunnel. In this example, 192.168.10.10 is the address of the host machine on the private side of the remote tunnel, and the access list is named "host-over-l2l". By creating a class-map (named "host-specific"), you can then police the "host-specific" class before the LAN-to-LAN connection polices the tunnel. In this example, the "host-specific" traffic is rate-limited before the tunnel, then the tunnel is rate-limited:
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 24 (Applying QoS Policies), page 24-4
This manual is also suitable for: ASA 5500 series