Cisco ASA 5505 Configuration Manual page 610

Asa 5500 series

Chapter 29, Configuring a Service Policy
Adding a Service Policy Rule for Through Traffic
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 29-10

    Note: When you create a new traffic class of this type, you can only specify one access control entry (ACE) initially. After you finish adding the rule, you can add additional ACEs by adding a new rule to the same interface or global policy, and then specifying Add rule to existing traffic class on the Traffic Classification dialog box (see below).

  - Tunnel Group—The class matches traffic for a tunnel group to which you want to apply QoS. You can also specify one other traffic match option to refine the traffic match, excluding Any Traffic, Source and Destination IP Address (uses ACL), or Default Inspection Traffic.

  - TCP or UDP Destination Port—The class matches a single port or a contiguous range of ports.

    Tip: For applications that use multiple, non-contiguous ports, use the Source and Destination IP Address (uses ACL) to match each port.

  - RTP Range—The class map matches RTP traffic.

  - IP DiffServ CodePoints (DSCP)—The class matches up to eight DSCP values in the IP header.

  - IP Precedence—The class map matches up to four precedence values, represented by the TOS byte in the IP header.

  - Any Traffic—Matches all traffic.

- Add rule to existing traffic class. If you already have a service policy rule on the same interface, or you are adding to the global service policy, this option lets you add an ACE to an existing access list. You can add an ACE to any access list that you previously created when you chose the Source and Destination IP Address (uses ACL) option for a service policy rule on this interface. For this traffic class, you can have only one set of rule actions even if you add multiple ACEs. You can add multiple ACEs to the same traffic class by repeating this entire procedure. See the "Managing the Order of Service Policy Rules" section on page 29-15 for information about changing the order of ACEs.

- Use an existing traffic class. If you created a traffic class used by a rule on a different interface, you can reuse the traffic class definition for this rule. Note that if you alter the traffic class for one rule, the change is inherited by all rules that use that traffic class. If your configuration includes any class-map commands that you entered at the CLI, those traffic class names are also available (although to view the definition of the traffic class, you need to create the rule).

- Use class default as the traffic class. This option uses the class-default class, which matches all traffic. The class-default class is created automatically by the adaptive security appliance and placed at the end of the policy. If you do not apply any actions to it, it is still created by the adaptive security appliance, but for internal purposes only. You can apply actions to this class, if desired, which might be more convenient than creating a new traffic class that matches all traffic. You can only create one rule for this service policy using the class-default class, because each traffic class can only be associated with a single rule per service policy.

Step 5  Click Next.

Step 6  The next dialog box depends on the traffic match criteria you chose.

    Note: The Any Traffic option does not have a special dialog box for additional configuration.

  - Default Inspections—This dialog box is informational only, and shows the applications and the ports that are included in the traffic class.
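
The traffic-class choices described above, written out as ASA CLI (class-map, policy-map, service-policy) so the difference between a port-range class and an ACL-based class is visible. This is an added example, not taken from the Cisco guide. The names APP_PORTS, APP_CLASS, RANGE_CLASS and outside_policy, the interface name outside, the port numbers and the connection limits are all assumptions chosen for illustration.

```cisco
! Constructed example: every name, port and limit below is a placeholder.

! "TCP or UDP Destination Port": a class holds one port or one contiguous range.
class-map RANGE_CLASS
 match port tcp range 8000 8010

! Tip from the page: for non-contiguous ports, match an extended access list
! with one ACE per port ("Source and Destination IP Address (uses ACL)").
access-list APP_PORTS extended permit tcp any any eq 8080
access-list APP_PORTS extended permit tcp any any eq 8443
class-map APP_CLASS
 match access-list APP_PORTS

! "Add rule to existing traffic class": one more ACE in the same access list.
! APP_CLASS still carries a single set of actions for all of its ACEs.
access-list APP_PORTS extended permit tcp any any eq 9443

policy-map outside_policy
 ! One rule (set of actions) per traffic class in this policy.
 class RANGE_CLASS
  set connection conn-max 1000
 class APP_CLASS
  set connection conn-max 500 embryonic-conn-max 100
 ! class-default matches all traffic and sits at the end of the policy;
 ! it can be used for only one rule in the policy.
 class class-default
  set connection conn-max 5000

! Apply the policy to one interface (a global policy would use "global").
service-policy outside_policy interface outside
```

When reviewing a configuration like this, check each ACE in the access list as well as the class-map itself, because every ACE added later widens the traffic that receives the class's actions.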


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580