
ASA QoS on VPN
Hello guys,
I am used to configuring VPN QoS on the ASA for a specific L2L or remote access VPN based on the tunnel group and IP flow match criteria, like this:
class-map Data
 match tunnel-group X.X.X.X
 match flow ip destination-address
My question would be: what do the above match criteria accomplish? Do they match all ESP (or UDP 4500) traffic coming from/going to the specific tunnel group named in the match criteria, or do they actually look at the flow without the ESP header (unencrypted)?
I am asking this because I am wondering if you can do QoS on L2L or RA VPNs using a "match access-list" command, to apply QoS not to the entire incoming VPN flow but only to certain users/IPs within that flow.
Thanks!
Emilio
Comments
Hi Emilio,
Here is a good explanation:
http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/
Tunnel group name. Allows matching the traffic for a particular tunnel group in the firewall.
Per-flow classification criterion, configured using the match flow ip destination-address command. This one can be used only along with the match tunnel-group command. When configured, it tracks every VPN connection separately and applies the configured action per flow, not to all VPN traffic at the same time. This is particularly useful for remote-access VPN connections, where multiple users connect to the firewall unit. Notice that you can apply the QoS policing feature only per flow when classifying based on tunnel group names. Example:
class-map VPN_FLOWS
 match tunnel-group TEST
 match flow ip destination-address
Good Luck
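To show how the class-map from the reply above is actually put to work, here is the rest of the Modular Policy Framework configuration that the reply's snippet implies: the class is referenced from a policy-map that polices output traffic, and the policy is attached to the interface the tunnel terminates on. This is an added illustration, not configuration from the original thread or from the linked blog. The tunnel group name TEST is taken from the reply; the policy-map name, the interface name, and the 256 kbps rate and 8000-byte burst are assumed values chosen for the example. Because the class carries "match flow ip destination-address", the police rate applies separately to each flow (each remote-access client's destination address) rather than to the tunnel group as a whole, which is the per-flow behaviour the reply describes.

```text
! Added example: per-flow policing for the remote-access tunnel group TEST.
! Policy name, interface name and rate/burst values are assumptions.

! Classify VPN traffic for tunnel group TEST, tracked per flow.
class-map VPN_FLOWS
 match tunnel-group TEST
 match flow ip destination-address
!
! Policing is the only QoS action allowed for a tunnel-group/flow class.
! With "match flow" present, the 256 kbps limit is enforced per flow,
! not as one aggregate limit for every user in the tunnel group.
policy-map VPN_POLICY
 class VPN_FLOWS
  police output 256000 8000
!
! Attach the policy to the interface where the VPN sessions terminate.
service-policy VPN_POLICY interface outside
```

Verify the result with "show service-policy police" on the ASA, which lists conformed and exceeded counters for the VPN_FLOWS class; a policed flow shows its exceeded counters climbing once a single client pushes past the configured rate while other clients in the same tunnel group remain unaffected.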