Cisco Systems OL-16647-01 Network Router User Manual
22-3
Cisco ASDM User Guide
OL-16647-01
Chapter 22 Configuring Service Policy Rules
Service Policy Overview
Feature Directionality
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features
that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy
map is affected if the traffic matches the class map for both directions.
Note: When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface apply only to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, both directions of a flow are still covered (each direction enters the appliance on some interface), so bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that exits the
interface to which you apply the policy map is affected. See Table 22-1 for the directionality of each
feature.
Feature Matching Guidelines
See the following guidelines for how a packet matches rules for a given interface or for the global policy:
1. A packet can match only one rule for each feature type.
2. When the packet matches a rule for a feature type, the security appliance does not attempt to match
it to any subsequent rules for that feature type.
3. If the packet matches a subsequent rule for a different feature type, however, then the security
appliance also applies the actions for the subsequent rule, if supported. See the “Incompatibility of
Certain Feature Actions” section on page 22-5 for more information about unsupported
combinations.
For example, if a packet matches a rule for connection limits, and also matches a rule for application
inspection, then both rule actions are applied.
If a packet matches a rule for HTTP inspection, but also matches another rule that includes HTTP inspection, then the second rule's actions are not applied.
Table 22-1 Feature Directionality

| Feature | Single Interface Direction | Global Direction |
|---|---|---|
| Application inspection | Bidirectional | Ingress |
| CSC | Bidirectional | Ingress |
| IPS | Bidirectional | Ingress |
| NetFlow Secure Event Logging filtering | N/A | Ingress |
| QoS input policing | Ingress | Ingress |
| QoS output policing | Egress | Egress |
| QoS priority queue | Egress | Egress |
| QoS traffic shaping, hierarchical priority queue | Egress | Egress |
| TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization | Bidirectional | Ingress |
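As an added illustration that is not part of the Cisco guide, the following Python simulates the matching guidelines above (one rule per feature type, first match wins, other feature types still apply) together with the directionality in Table 22-1. The feature keys, class-map and rule names, and the reduced class-map semantics (destination port plus source network) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Table 22-1 reduced to the feature types used below (keys are illustrative):
# feature -> (directions on a single interface, directions in a global policy)
DIRECTIONALITY = {
    "inspect":    ({"ingress", "egress"}, {"ingress"}),  # application inspection
    "conn-limit": ({"ingress", "egress"}, {"ingress"}),  # TCP/UDP connection limits
    "priority":   ({"egress"},            {"egress"}),   # QoS priority queue
}

@dataclass
class Rule:
    class_name: str            # class-map that selects the traffic
    feature: str               # feature type; one match per type per packet
    action: str                # action the policy-map applies
    dst_port: int = 0          # 0 = any destination port
    src_net: str = "0.0.0.0/0" # any source by default

def rule_matches(rule, pkt):
    # Constructed class-map semantics: destination port and source network.
    if rule.dst_port and pkt["dst_port"] != rule.dst_port:
        return False
    return ip_address(pkt["src"]) in ip_network(rule.src_net)

def apply_policy(rules, pkt, direction, global_policy=False):
    """Return {feature: action} for one packet crossing an interface.
    Guidelines 1-2: the first matching rule per feature type wins and later
    rules of that type are skipped; guideline 3: other feature types are still
    evaluated. A feature is skipped when Table 22-1 excludes this direction."""
    applied = {}
    for rule in rules:
        if rule.feature in applied:      # feature type already matched
            continue
        single, glob = DIRECTIONALITY[rule.feature]
        if direction not in (glob if global_policy else single):
            continue                     # e.g. global policy acts on ingress only
        if rule_matches(rule, pkt):
            applied[rule.feature] = rule.action
    return applied

# Constructed policy mirroring the guide's example: a connection-limit rule and
# two HTTP inspection rules that can both match the same web traffic.
POLICY = [
    Rule("web-limit", "conn-limit", "set connection conn-max 1000", dst_port=80),
    Rule("web-inspect", "inspect", "inspect http", dst_port=80),
    Rule("inside-inspect", "inspect", "inspect http strict_http", src_net="10.0.0.0/8"),
    Rule("all-traffic", "priority", "priority"),
]
PKT = {"src": "10.1.1.5", "dst_port": 80}   # constructed sample packet
```

Running `apply_policy(POLICY, PKT, "ingress")` yields the connection limit plus the first HTTP inspection only; the same packet on egress also picks up the priority queue, while a global policy applied on egress keeps only the priority queue.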