beautypg.com

Feature matching within a service policy – Cisco ASA 5505 User Manual

Page 641

background image

32-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Information About Service Policies

Note

When you use a global policy, all features are unidirectional; features that are normally bidirectional
when applied to a single interface only apply to the ingress of each interface when applied globally.
Because the policy is applied to all interfaces, the policy will be applied in both directions so
bidirectionality in this case is redundant.

For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or
exits, depending on the feature) the interface to which you apply the policy map is affected. See

Table 32-2

for the directionality of each feature.

Feature Matching Within a Service Policy

See the following information for how a packet matches class maps in a policy map for a given interface:

1.

A packet can match only one class map in the policy map for each feature type.

2.

When the packet matches a class map for a feature type, the ASA does not attempt to match it to any
subsequent class maps for that feature type.

3.

If the packet matches a subsequent class map for a different feature type, however, then the ASA
also applies the actions for the subsequent class map, if supported. See the

“Incompatibility of

Certain Feature Actions” section on page 32-5

for more information about unsupported

combinations.

Note

Application inspection includes multiple inspection types, and most are mutually exclusive.
For inspections that can be combined, each inspection is considered to be a separate feature.

Table 32-2

Feature Directionality

Feature

Single Interface Direction Global Direction

Application inspection (multiple types)

Bidirectional

Ingress

ASA CSC

Bidirectional

Ingress

ASA CX

Bidirectional

Ingress

ASA CX authentication proxy

Ingress

Ingress

ASA IPS

Bidirectional

Ingress

NetFlow Secure Event Logging filtering

N/A

Ingress

QoS input policing

Ingress

Ingress

QoS output policing

Egress

Egress

QoS standard priority queue

Egress

Egress

QoS traffic shaping, hierarchical priority
queue

Egress

Egress

TCP and UDP connection limits and timeouts,
and TCP sequence number randomization

Bidirectional

Ingress

TCP normalization

Bidirectional

Ingress

TCP state bypass

Bidirectional

Ingress

This manual is related to the following products:
See also other documents in the category Cisco Hardware: