Cisco ASA 5505 User Manual

Page 652


32-14

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Identifying Traffic (Layer 3/4 Class Maps)

Examples

The following is an example for the class-map command:

hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo

Creating a Layer 3/4 Class Map for Management Traffic

For management traffic to the ASA, you might want to perform actions specific to this kind of traffic. You can specify a management class map that can match an access list or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. See the “Supported Features for Management Traffic” section on page 32-2.

Command                                                Purpose

match precedence value1 [value2] [value3] [value4]

  Example:
  hostname(config-cmap)# match precedence 1 4

  Purpose: Matches up to four precedence values, represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7, corresponding to the possible precedences.

match rtp starting_port range

  Example:
  hostname(config-cmap)# match rtp 4004 100

  Purpose: Matches RTP traffic, where the starting_port specifies an even-numbered UDP destination port between 2000 and 65534. The range specifies the number of additional UDP ports to match above the starting_port, between 0 and 16383.

match tunnel-group name
(Optional) match flow ip destination-address

  Example:
  hostname(config-cmap)# match tunnel-group group1
  hostname(config-cmap)# match flow ip destination-address

  Purpose: Matches VPN tunnel group traffic to which you want to apply QoS. You can also specify one other match command to refine the traffic match: any of the preceding commands except match any, match access-list, or match default-inspection-traffic. Alternatively, enter the match flow ip destination-address command to match flows in the tunnel group going to each IP address.
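The following Python checker is an added example, not part of the Cisco guide: it reads the match lines of one class-map body and verifies the value ranges and the tunnel-group combination rule stated in the table above (precedence 0 to 7 with up to four values, an even RTP starting_port from 2000 to 65534 with a range of 0 to 16383, and only one additional match command beside match tunnel-group). The function names and the line-list input format are this example's own assumptions.

```python
TUNNEL_GROUP_EXCLUDED = {"any", "access-list", "default-inspection-traffic"}

def check_precedence(args):
    """Problems with 'match precedence value1 [value2] [value3] [value4]'."""
    problems = []
    if not 1 <= len(args) <= 4:
        problems.append("precedence takes one to four values")
    for a in args:
        # value1..value4 are IP precedences, so each must be 0 to 7
        if not (a.isdigit() and 0 <= int(a) <= 7):
            problems.append(f"precedence value out of range: {a}")
    return problems

def check_rtp(args):
    """Problems with 'match rtp starting_port range'."""
    if len(args) != 2 or not all(a.isdigit() for a in args):
        return ["rtp needs starting_port and range"]
    start, rng = int(args[0]), int(args[1])
    problems = []
    # starting_port: even UDP port 2000-65534; range: 0-16383 extra ports
    if start % 2 or not 2000 <= start <= 65534:
        problems.append(f"rtp starting_port must be even and 2000-65534: {start}")
    if not 0 <= rng <= 16383:
        problems.append(f"rtp range must be 0-16383: {rng}")
    return problems

def precedence_of_tos(tos_byte):
    """The precedence tested by 'match precedence' is the top 3 bits of TOS."""
    return (tos_byte & 0xFF) >> 5

def check_class_map(lines):
    """Check the lines of one class-map body; return a list of problems."""
    problems, kinds = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "match":
            continue  # description and other non-match lines are ignored
        kind, args = parts[1], parts[2:]
        kinds.append(kind)
        if kind == "precedence":
            problems += check_precedence(args)
        elif kind == "rtp":
            problems += check_rtp(args)
    if "tunnel-group" in kinds:
        # tunnel-group may be refined by one other match command, but never
        # by match any, match access-list or match default-inspection-traffic
        others = [k for k in kinds if k != "tunnel-group"]
        if len(others) > 1:
            problems.append("tunnel-group allows only one other match command")
        problems += [f"match {k} cannot be combined with tunnel-group"
                     for k in others if k in TUNNEL_GROUP_EXCLUDED]
    return problems
```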
