Cisco Systems OL-16647-01 Network Router User Manual


Cisco ASDM User Guide, OL-16647-01, page 22-7
Chapter 22 Configuring Service Policy Rules
Adding a Service Policy Rule for Through Traffic
Default Inspection Traffic—The class matches the default TCP and UDP ports used by all applications that the security appliance can inspect.

This option, which is used in the default global policy, is a special shortcut: when it is used in a rule, it ensures that the correct inspection is applied to each packet based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the security appliance, the security appliance applies the TFTP inspection; when TCP traffic for port 21 arrives, the security appliance applies the FTP inspection. In this case only, you can therefore configure multiple inspections for the same rule (see the “Incompatibility of Certain Feature Actions” section on page 22-5 for more information about combining actions). Normally, the security appliance does not use the port number to determine which inspection is applied, which gives you the flexibility to apply inspections to non-standard ports, for example.

See the “Default Inspection Policy” section on page 24-3 for a list of default ports. The security appliance includes a default global policy that matches the default inspection traffic and applies common inspections to the traffic on all interfaces. Not all applications whose ports are included in the Default Inspection Traffic class are enabled by default in the policy map.

You can specify a Source and Destination IP Address (uses ACL) class along with the Default Inspection Traffic class to narrow the matched traffic. Because the Default Inspection Traffic class specifies the ports and protocols to match, any ports and protocols in the access list are ignored.
Source and Destination IP Address (uses ACL)—The class matches traffic specified by an extended access list. If the security appliance is operating in transparent firewall mode, you can use an EtherType access list.

Note: When you create a new traffic class of this type, you can only specify one access control entry (ACE) initially. After you finish adding the rule, you can add additional ACEs by adding a new rule to the same interface or global policy, and then specifying Add rule to existing traffic class on the Traffic Classification dialog box (see below).

Tunnel Group—The class matches traffic for a tunnel group to which you want to apply QoS. You can also specify one other traffic match option to refine the traffic match, excluding Any Traffic, Source and Destination IP Address (uses ACL), or Default Inspection Traffic.

TCP or UDP Destination Port—The class matches a single port or a contiguous range of ports.

Tip: For applications that use multiple, non-contiguous ports, use the Source and Destination IP Address (uses ACL) option to match each port.

RTP Range—The class map matches RTP traffic.

IP DiffServ CodePoints (DSCP)—The class matches up to eight DSCP values in the IP header.

IP Precedence—The class map matches up to four precedence values, represented by the TOS byte in the IP header.

Any Traffic—Matches all traffic.
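The combination described above, the Default Inspection Traffic class narrowed by a Source and Destination IP Address (uses ACL) class, is what ASDM generates in the security appliance CLI. The following configuration is an added example, not text from the guide; the names INSPECT_SRC, INSPECT_DMZ and DMZ_POLICY, the 10.1.1.0/24 network and the dmz interface are assumptions.

```text
! ACL that narrows the match to one internal subnet. Only the addresses
! matter: because the class also matches default-inspection-traffic,
! any port or protocol in the ACL entry is ignored.
access-list INSPECT_SRC extended permit ip 10.1.1.0 255.255.255.0 any

! A class map normally allows a single match statement; combining
! default-inspection-traffic with an access list is the one exception.
class-map INSPECT_DMZ
 description Default inspection ports, limited to 10.1.1.0/24
 match default-inspection-traffic
 match access-list INSPECT_SRC

! Matching the default ports does not by itself enable an inspection;
! only the inspections listed under the class are applied, each one
! selected per packet by destination port (TCP/21 -> ftp, UDP/69 -> tftp).
policy-map DMZ_POLICY
 class INSPECT_DMZ
  inspect ftp
  inspect tftp

service-policy DMZ_POLICY interface dmz
```

On the appliance, show service-policy interface dmz lists the class, the inspections in effect and their packet counters, which is the quickest way to confirm that traffic from the narrowed subnet is actually being inspected.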
Add rule to existing traffic class. If you already have a service policy rule on the same interface, or you are adding to the global service policy, this option lets you add an ACE to an existing access list. You can add an ACE to any access list that you previously created when you chose the Source and Destination IP Address (uses ACL) option for a service policy rule on this interface. For this traffic class, you can have only one set of rule actions even if you add multiple ACEs. You can add