February 6, 2012

Year End - time to snag some training!

For those of you not familiar with learning credits, you may be missing out on training. Check out this page over at Cisco.com that details the program, then go see if you have any that are about to expire. Contact Ascolta, Cisco Learning Partner of the Year 2007, and register for the class you want using the learning credits you already have. Don’t miss out: they expire after a year!


You may be interested in these courses in Bellevue, WA. Odds are I’ll be teaching them if they are a Security, Wireless, or Routing and Switching class.

Per-Flow Policing on ASA VPN

Tonight I worked on ASA per-flow policing. The configuration is fairly straightforward. After ensuring that the VPN works, create a class-map that matches the tunnel-group and the flow destination address like so:

! match flow ip destination-address is only accepted alongside match tunnel-group;
! every unique destination IP inside the tunnel-group becomes its own flow
class-map vpn_data
 match tunnel-group ezvpn
 match flow ip destination-address
Next create the policy-map to police based on the class we just created (rates are in bits per second, so 256000 is 256 kbps per flow and 2000000 is 2 Mbps):
policy-map outside
 ! vpn_voice is the dscp ef + tunnel-group class from the workbook (see the gotcha below)
 class vpn_voice
  priority
 ! one 256 kbps policer per destination IP in the ezvpn tunnel-group
 class vpn_data
  police output 256000
 ! everything else leaving the interface shares a 2 Mbps policer
 class class-default
  police output 2000000
Finally activate it on the interface:
service-policy outside interface outside
So while that is pretty simple, I did come across a gotcha. The IE lab workbook volume 1 has you create a class-map for vpn_voice that matches dscp ef and the same tunnel-group, and then apply priority queueing to it. Here is where it can cause some issues. When you apply the policy-map to the interface with the priority command configured for a class, it gives you a really nice error:
asa1(config-pmap-c)# service-policy outside int outside
ERROR: Class vpn_voice has 'priority' set
without 'priority-queue' in any interface
A quick show service-policy confirms that it was not actually enabled: only the global policy is listed, and there is no entry for interface outside:
asa1(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

So watch out! The ASA refuses the whole service-policy, not just the voice class, so the data policer is silently missing as well until you fix it.

TIP:

If you are telling a class that it should priority queue packets, you need to enable the priority queue on that interface first:

asa1(config-if)# priority-queue outside
asa1(config-priority-queue)#
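For reference, here is the whole thing in the order the ASA will accept it, with the priority queue created before the policy is attached. This is an added example written for this page, not the workbook's solution or the original post's config; the tunnel-group ezvpn and interface name outside come from the post, while the conform-burst values and the show commands at the end are my additions for verification.

```cisco
! Voice: DSCP EF traffic from the ezvpn tunnel-group goes to the priority queue
class-map vpn_voice
 match tunnel-group ezvpn
 match dscp ef
!
! Data: everything else from the tunnel-group; match flow makes each
! unique destination IP (each remote peer) its own separately policed flow
class-map vpn_data
 match tunnel-group ezvpn
 match flow ip destination-address
!
policy-map outside
 class vpn_voice
  priority
 class vpn_data
  ! 256 kbps per flow, 8000-byte burst (burst value is an assumption, default is 1500)
  police output 256000 8000
 class class-default
  ! 2 Mbps aggregate for all other egress traffic
  police output 2000000 62500
!
! Create the hardware priority queue BEFORE attaching the policy,
! otherwise service-policy is rejected with the 'priority' error above
priority-queue outside
!
service-policy outside interface outside
!
! Verification: the interface policy must now appear alongside global_policy,
! and the priority queue counters should move once EF traffic flows
show service-policy interface outside
show priority-queue statistics outside
show running-config priority-queue
```

One caveat worth keeping in mind: because vpn_data uses match flow ip destination-address, the 256 kbps limit is per remote peer, not a ceiling for the tunnel-group as a whole. Ten remote clients can together push 2.5 Mbps through that class, so size the outside link (and the class-default policer) with that multiplication in mind.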

IPexpert CCIE Security Lab 1

Not a bad lab night.  I only did 2 sections of lab 1, so I am going to continue this post later.  The one thing that was good to be reminded of has to do with Reflexive ACLs.

TIP:

When testing reflexive ACLs, traffic generated by the router itself (for example telnet with the /source-interface option) is not evaluated by the outbound ACL, so no reflexive entry is ever created and the test looks like a failure. To test, send the traffic from a different device behind the router.
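A minimal IOS reflexive ACL, added here as an illustration of the tip rather than taken from the IPexpert lab (the ACL names, interface, timeouts and the 203.0.113.10 test host are my assumptions):

```cisco
! Outbound on the external interface: permit sessions initiated from inside
! and record each one in the temporary list REFLECT
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT timeout 300
 permit udp any any reflect REFLECT timeout 60
 permit icmp any any reflect REFLECT timeout 60
!
! Inbound: allow only return traffic that matches a recorded session
ip access-list extended INBOUND
 evaluate REFLECT
 deny ip any any log
!
interface GigabitEthernet0/1
 description Outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Testing: this, run on the router, creates NO entry in REFLECT because
! router-originated packets bypass the outbound ACL
!   telnet 203.0.113.10 /source-interface Loopback0
! Start the session from an inside host instead, then check for the entry:
!   show ip access-lists REFLECT
```

The show ip access-lists REFLECT output should list a temporary permit entry with the inside host's address and the ephemeral ports once a real transit session is open; an empty list after a router-sourced telnet is expected behaviour, not a broken ACL.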

I’ll continue to work through IPexpert’s lab guide. The last time I went through this lab was 4/15/07. I guess it was due.

More later.  :)