Hello guys,

I am used to making the VPN QoS on the ASA for a specific L2L or remote access based on the tunnel group and ip flow match criteria like this:

class-map Data
 match tunnel-group X.X.X.X
 match flow ip destination-address

My question would be, what does the above match criteria accomplish? Does it match all ESP (or UDP 4500) traffic coming from/going to that specific tunnel group specified in the match criteria, or is it actually taking a look at the flow without the ESP header (unencrypted)?

I am asking this because I am wondering if you can do QoS on L2L or RA VPNs using a "match access-list" command, to apply QoS not to the entire incoming VPN flow but only to certain users/IPs within that flow.

  • Hi Emilio,


    Here is a good explanation:

    Tunnel Group name. Allows matching the traffic for a particular tunnel group in the firewall.

    Per-flow classification criterion configured using the match flow ip destination-address. This one can be used only along with the match tunnel-group command. When configured, it tracks every VPN connection separately and applies the configured action per-flow, not to all VPN traffic at the same time. This is particularly useful for Remote-Access VPN connections, where multiple users connect to the firewall unit. Notice that you can apply the QoS policing feature only per-flow when classifying based on tunnel group names. Example:

    class-map VPN_FLOWS
     match tunnel-group TEST
     match flow ip destination-address

    Good Luck
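For readers who want to see the class-map above in context, here is the rest of an ASA policy that uses it. This is an added example, not part of the reply above: the policy-map name, the police action and the service-policy line are assumptions about how the class-map is typically consumed, and the rate and burst values are constructed for illustration.

```cisco
! Class-map from the reply: tunnel group TEST, classified per flow by destination address
class-map VPN_FLOWS
 match tunnel-group TEST
 match flow ip destination-address
!
! Assumed policy-map: each VPN flow (each destination address inside the tunnel)
! is policed independently to the rate below, rather than the tunnel as a whole.
! Rate (bits/s) and burst (bytes) values are constructed for illustration.
policy-map VPN_QOS
 class VPN_FLOWS
  police output 1000000 37500 conform-action transmit exceed-action drop
!
! Applied on the interface where the tunnel terminates (assumed here: outside)
service-policy VPN_QOS interface outside
```

Because the classification is per flow, a single remote-access user saturating the tunnel is policed on their own flow and does not consume the policer budget of the other users in the same tunnel group; `show service-policy police` shows the per-class conform and exceed counters so you can confirm the policer is actually being hit.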
