Cisco ASA 5506-X Configuration Manual page 21

Chapter 1
Service Policy Using the Modular Policy Framework
match dscp value1 [value2] [...] [value8]—Matches the DSCP value in an IP header, up to eight DSCP values.
hostname(config-cmap)# match dscp af43 cs1 ef

match precedence value1 [value2] [value3] [value4]—Matches up to four precedence values, represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7, corresponding to the possible precedences.
hostname(config-cmap)# match precedence 1 4

match rtp starting_port range—Matches RTP traffic, where the starting_port specifies an even-numbered UDP destination port between 2000 and 65534. The range specifies the number of additional UDP ports to match above the starting_port, between 0 and 16383.
hostname(config-cmap)# match rtp 4004 100

match tunnel-group name—Matches VPN tunnel group traffic to which you want to apply QoS. You can also specify one other match command to refine the traffic match. You can specify any of the preceding commands, except for the match any, match access-list, or match default-inspection-traffic commands. Or you can also enter the match flow ip destination-address command to match flows in the tunnel group going to each IP address.
hostname(config-cmap)# match tunnel-group group1
hostname(config-cmap)# match flow ip destination-address

Examples

The following is an example for the class-map command:

hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo

Create a Layer 3/4 Class Map for Management Traffic

For management traffic to the ASA, you might want to perform actions specific to this kind of traffic. You can specify a management class map that can match an ACL or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. See Features Configured with Service Policies, page 1-4.
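
The limits this page gives for match dscp, match precedence, match rtp and match tunnel-group can be checked mechanically before a configuration is pushed. The following Python linter is an added example, not part of the Cisco guide; the names check_match, lint and SAMPLE and the sample class maps are this example's own.

```python
import re
# Added example: function names and the SAMPLE config are constructed here.
SAMPLE = """\
hostname(config)# class-map bad_voice
hostname(config-cmap)# match rtp 4005 100
hostname(config-cmap)# class-map vpn_qos
hostname(config-cmap)# match tunnel-group group1
hostname(config-cmap)# match flow ip destination-address
hostname(config-cmap)# class-map vpn_bad
hostname(config-cmap)# match tunnel-group group1
hostname(config-cmap)# match access-list tcp
"""
TUNNEL_EXCLUDED = ("any", "access-list", "default-inspection-traffic")  # per page

def check_match(kind, vals):
    """Return a problem string for one match command, or None if it is in range."""
    if kind == "dscp" and not 1 <= len(vals) <= 8:
        return "match dscp takes 1 to 8 values"
    if kind == "precedence" and not (1 <= len(vals) <= 4 and
            all(v.isdigit() and int(v) <= 7 for v in vals)):
        return "match precedence takes 1 to 4 values, each 0 to 7"
    if kind == "rtp":
        if len(vals) != 2 or not all(v.isdigit() for v in vals):
            return "match rtp needs starting_port and range"
        start, rng = int(vals[0]), int(vals[1])
        if start % 2 or not 2000 <= start <= 65534 or rng > 16383:
            return "rtp starting_port must be even, 2000-65534; range 0-16383"
    return None

def lint(config):
    """Group match commands by class map; return [(class_map, problem), ...]."""
    maps, current = {}, None
    for line in config.splitlines():
        # Drop a leading CLI prompt such as 'hostname(config-cmap)# ' if present.
        words = re.sub(r"^\S*\(config[^)]*\)#\s*", "", line.strip()).split()
        if words[:1] == ["class-map"] and len(words) > 1:
            current = words[-1]
            maps.setdefault(current, [])
        elif words[:1] == ["match"] and len(words) > 1 and current:
            maps[current].append(words[1:])
    findings = []
    for name, matches in maps.items():
        findings += [(name, p) for m in matches if (p := check_match(m[0], m[1:]))]
        others = [m[0] for m in matches if m[0] != "tunnel-group"]
        if len(others) < len(matches):  # this class map uses match tunnel-group
            if len(others) > 1:
                findings.append((name, "only one match besides tunnel-group"))
            findings += [(name, f"match {k} not allowed with tunnel-group")
                         for k in others if k in TUNNEL_EXCLUDED]
    return findings
```

Calling lint(SAMPLE) flags bad_voice (odd RTP starting port) and vpn_bad (match access-list combined with match tunnel-group), and passes vpn_qos.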
Cisco ASA Series Firewall CLI Configuration Guide
Configure Service Policies