Step 1: The Class Map 129
ipsec IP Security Protocol (ESP/AH)
ipx Novell IPX
irc Internet Relay Chat
kerberos Kerberos
l2tp L2F/L2TP tunnel
ldap Lightweight Directory Access Protocol
llc2 llc2
napster Napster Traffic
netbios NetBIOS
netshow Microsoft Netshow
nfs Network File System
nntp Network News Transfer Protocol
notes Lotus Notes(R)
novadigm Novadigm EDM
ntp Network Time Protocol
pad PAD links
pcanywhere Symantec pcANYWHERE
pop3 Post Office Protocol
pppoe PPP over Ethernet
pptp Point-to-Point Tunneling Protocol
printer print spooler/lpd
qllc qllc protocol
rcmd BSD r-commands (rsh, rlogin, rexec)
realaudio Real Audio streaming protocol
rip Routing Information Protocol
rsrb Remote Source-Route Bridging
rsvp Resource Reservation Protocol
secure-ftp FTP over TLS/SSL
secure-http Secured HTTP
secure-imap Internet Message Access Protocol over TLS/SSL
secure-irc Internet Relay Chat over TLS/SSL
secure-ldap Lightweight Directory Access Protocol over TLS/SSL
secure-nntp Network News Transfer Protocol over TLS/SSL
secure-pop3 Post Office Protocol over TLS/SSL
secure-telnet Telnet over TLS/SSL
smtp Simple Mail Transfer Protocol
snapshot Snapshot routing support
snmp Simple Network Management Protocol
socks SOCKS
sqlnet SQL*NET for Oracle
sqlserver MS SQL Server
ssh Secured Shell
streamwork Xing Technology StreamWorks player
stun Serial Tunnel
sunrpc Sun RPC
syslog System Logging Utility
telnet Telnet
tftp Trivial File Transfer Protocol
vdolive VDOLive streaming video
vines Banyan VINES
vofr voice over Frame Relay packets
xns Xerox Network Services
xwindows X-Windows remote access
Example 5-6 match protocol Possibilities Where NBAR Is Supported (Continued)
130 Chapter 5: Introduction to the Modular QoS Command-Line Interface
On routers that do not support NBAR, the list is quite a bit smaller, as shown in
Example 5-7.
qos-group—Allows for the matching of a packet based on its qos-group marking.
QoS groups are locally significant to a given router and are not carried with the packet
once it leaves the router. Further, QoS groups are not mathematically significant. That
is, a packet belonging to QoS Group 1 is no more, or less, important than a packet
belonging to QoS Group 2. Assigning a packet to a QoS group is fairly simple as
Example 5-8 demonstrates.
source-address—Again, don’t be fooled by the name of this option. This is for
matching the source MAC address, not the source IP address.
Example 5-7 match protocol Possibilities Where NBAR Is Not Supported
R1(config-cmap)# match protocol ?
aarp AppleTalk ARP
apollo Apollo Domain
appletalk AppleTalk
arp IP ARP
bridge Bridging
bstun Block Serial Tunnel
cdp Cisco Discovery Protocol
clns ISO CLNS
clns_es ISO CLNS End System
clns_is ISO CLNS Intermediate System
cmns ISO CMNS
compressedtcp Compressed TCP
decnet DECnet
decnet_node DECnet Node
decnet_router-l1 DECnet Router L1
decnet_router-l2 DECnet Router L2
dlsw Data Link Switching
ip IP
ipv6 IPV6
ipx Novell IPX
llc2 llc2
pad PAD links
qllc qllc protocol
rsrb Remote Source-Route Bridging
snapshot Snapshot routing support
stun Serial Tunnel
vines Banyan VINES
vofr voice over Frame Relay packets
xns Xerox Network Services
Example 5-8 Assigning a Packet to a QoS Group
route-map set-qos-group permit 10
 match community 3
 set ip qos-group 30
Class Map Configuration Example
The most commonly used method is to match an ACL through the access-group option. Do
not be fooled by the options for matching source and destination address. Those options
refer to the MAC address; so if you want to match source or destination IP address, you will
have to use an ACL. In the Accounting department example given earlier in the chapter,
both the source address and a port number (either for HTTP or FTP) need to be matched.
Because the class map configuration does not provide the capability to do that directly,
ACLs are required for each. Example 5-9 shows traffic matching using ACLs.
ACL 101 matches all HTTP traffic; ACL 102 matches all FTP traffic (on port 20 only), ACL
103 matches all traffic from 10.1.1.1, and ACL 104 matches all traffic from 10.1.1.2. The
trick now is to combine the ACLs and class map configuration commands correctly, to
achieve the desired result. Example 5-10 shows the class map configuration for matching
HTTP traffic from 10.1.1.1.
This is where the difference between match-any and match-all comes into play. As
highlighted earlier in the chapter, match-any is a logical OR operation, meaning that if access
group 101 or access group 103 is a match, the traffic belongs to this class. In this case, that
would not be the desired behavior, because the intent is to match only traffic that matches
both ACLs. That behavior is accomplished through the use of a class-map match-all,
which is a logical AND operation. That means that both access group 101 and access group 103
must be matched for the traffic to belong to this class.
You can verify the configured class map with the show class-map command, as demonstrated in Example 5-11.
Example 5-9 Using ACLs to Match Traffic
R1(config)# access-list 101 permit tcp any any eq www
R1(config)# access-list 102 permit tcp any any eq ftp
R1(config)# access-list 103 permit ip host 10.1.1.1 any
R1(config)# access-list 104 permit ip host 10.1.1.2 any
Example 5-10 Class Map Configuration for Matching HTTP Traffic from a Specific Network
R1(config)# class-map match-all HTTP
R1(config-cmap)# match access-group 101
R1(config-cmap)# match access-group 103
Example 5-11 Verifying the Class Map
R1# show class-map
Class Map match-all HTTP (id 2)
Match access-group 101
Match access-group 103
Class Map match-any class-default (id 0)
Match any
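To make the match-all versus match-any distinction concrete, the following added example (not from the book) models the four ACLs of Example 5-9 as single permit entries with IOS's implicit deny, then classifies constructed sample packets against the HTTP class of Example 5-10 under both modes. The Packet fields, the sample addresses other than 10.1.1.1 and 10.1.1.2, and the helper names are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str     # source IP address
    dport: int   # destination TCP/UDP port

# Simplified one-entry models of the four ACLs in Example 5-9:
# (protocol, required source host or None, required destination port or None).
# IOS resolves the keyword www to TCP port 80 and ftp to TCP port 21.
ACLS = {
    101: ("tcp", None, 80),         # access-list 101 permit tcp any any eq www
    102: ("tcp", None, 21),         # access-list 102 permit tcp any any eq ftp
    103: ("ip", "10.1.1.1", None),  # access-list 103 permit ip host 10.1.1.1 any
    104: ("ip", "10.1.1.2", None),  # access-list 104 permit ip host 10.1.1.2 any
}

def acl_permits(acl_num: int, pkt: Packet) -> bool:
    """True if the packet hits the ACL's permit entry; anything else falls
    through to the implicit deny at the end of every IOS ACL."""
    proto, src, dport = ACLS[acl_num]
    if proto != "ip" and pkt.proto != proto:
        return False
    if src is not None and pkt.src != src:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    return True

def class_matches(mode: str, acl_nums: tuple, pkt: Packet) -> bool:
    """match-all is a logical AND of the match statements, match-any a logical OR."""
    hits = [acl_permits(n, pkt) for n in acl_nums]
    return all(hits) if mode == "match-all" else any(hits)

# Constructed sample packets (not from the book).
SAMPLES = {
    "http_from_10.1.1.1": Packet("tcp", "10.1.1.1", 80),
    "http_from_10.1.1.2": Packet("tcp", "10.1.1.2", 80),
    "ftp_from_10.1.1.1": Packet("tcp", "10.1.1.1", 21),
    "dns_from_10.1.1.3": Packet("udp", "10.1.1.3", 53),
}

def compare_modes(acl_nums=(101, 103)) -> dict:
    """Classify each sample under both modes for the HTTP class of Example 5-10."""
    return {name: {m: class_matches(m, acl_nums, p) for m in ("match-all", "match-any")}
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in compare_modes().items():
        print(f"{name:20} {result}")
```

Only the first sample is classified under match-all, whereas match-any would also sweep in HTTP from the other host and non-HTTP traffic from 10.1.1.1, which is exactly the over-matching the text warns about.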