Per-Flow Policing on ASA VPN
Tonight I worked on ASA per-flow policing. The configuration is fairly straightforward. After ensuring that the VPN works, create a class-map that matches the tunnel-group and the destination address, like so:
class-map vpn_data
 match flow ip destination-address
 match tunnel-group ezvpn
Next create the policy map to police based on the class we just created:
policy-map outside
 class vpn_voice
  priority
 class vpn_data
  police output 256000
 class class-default
  police output 2000000
Finally activate it on the interface:
service-policy outside interface outside
So while that is pretty simple, I did come across a gotcha. The IE lab workbook volume 1 has you create a class-map for vpn_voice that matches dscp ef and the same tunnel-group, and then apply priority queueing to it. Here is where it could cause some issues. When you apply the policy-map to the interface with the priority command configured for a class, it gives you a really nice error:
asa1(config-pmap-c)# service-policy outside int outside
ERROR: Class vpn_voice has 'priority' set without 'priority-queue' in any interface
A quick show service-policy indicates that it was not actually enabled:
asa1(config)# sh service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
So watch out!
TIP: if you are telling a class that it should priority-queue packets, you need to enable the priority queue on that interface first:
asa1(config-if)# priority-queue outside
asa1(config-priority-queue)#
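Because the ASA only reports this mismatch at the moment the service-policy is applied, it is easy to miss in a config pushed from a file or template. The following is an added example (not from the original post) that lints a saved ASA config for the same condition: a policy-map class carrying the priority action, applied with service-policy to an interface that has no priority-queue block. The sample config is constructed to mirror the policy above.

```python
# Added example (not from the original post): lint an ASA config for a class
# that sets 'priority' on an interface with no 'priority-queue' enabled.
import re

# Constructed sample mirroring the post's policy: applied to 'outside', but no
# 'priority-queue outside' block has been entered yet.
SAMPLE_CONFIG = """\
policy-map outside
 class vpn_voice
  priority
 class vpn_data
  police output 256000
 class class-default
  police output 2000000
service-policy outside interface outside
"""


def priority_classes(config):
    """Return {policy_name: set of class names that carry the 'priority' action}."""
    result = {}
    policy = cls = None
    for line in config.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):  # top-level command ends any policy-map block
            policy = cls = None
            m = re.match(r"policy-map (\S+)$", stripped)
            if m:
                policy = m.group(1)
                result[policy] = set()
        elif policy and stripped.startswith("class "):
            cls = stripped.split()[1]
        elif policy and cls and stripped == "priority":
            result[policy].add(cls)
    return result


def missing_priority_queues(config):
    """Return [(policy, class, interface)] for every 'priority' class whose
    interface lacks a 'priority-queue <interface>' block."""
    classes = priority_classes(config)
    pq_ifaces = set(re.findall(r"^priority-queue (\S+)", config, re.M))
    problems = []
    for policy, iface in re.findall(r"^service-policy (\S+) interface (\S+)", config, re.M):
        for cls in sorted(classes.get(policy, ())):
            if iface not in pq_ifaces:
                problems.append((policy, cls, iface))
    return problems
```

Run missing_priority_queues over the config text; an empty list means every priority class is backed by a priority-queue on its interface, and each tuple returned names the policy, class and interface that would trigger the ASA error above.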