Step 1: The Class Map
Class Map Configuration Example
The most commonly used method is to match an ACL through the access-group option. Do
not be fooled by the options for matching source and destination address. Those options
refer to the MAC address; so if you want to match source or destination IP address, you will
have to use an ACL. In the Accounting department example given earlier in the chapter,
both the source address and a port number (either for HTTP or FTP) need to be matched.
Because the class map configuration does not provide the capability to do that directly,
ACLs are required for each. Example 5-9 shows traffic matching using ACLs.
ACL 101 matches all HTTP traffic; ACL 102 matches all FTP traffic (on port 20 only); ACL
103 matches all traffic from 10.1.1.1; and ACL 104 matches all traffic from 10.1.1.2. The
trick now is to combine the ACLs and class map configuration commands correctly, to
achieve the desired result. Example 5-10 shows the class map configuration for matching
HTTP traffic from 10.1.1.1.
This is where the difference between match-any and match-all comes into play. As
highlighted earlier in the chapter, match-any is a logical OR operation, meaning that if access
group 101 or access group 103 is a match, the traffic belongs to this class. In this case, that
would not be the desired behavior, because the intent is to match only traffic that matches
both ACLs. That behavior is accomplished through the use of a class-map match-all,
which is a logical AND operation. That means that access group 101 and access group 103
must both match for the traffic to belong to this class.
You can verify the configured class map with the show class-map command, as demonstrated
in Example 5-11.
Example 5-9 Using ACLs to Match Traffic
R1(config)# access-list 101 permit tcp any any eq www
R1(config)# access-list 102 permit tcp any any eq ftp
R1(config)# access-list 103 permit ip host 10.1.1.1 any
R1(config)# access-list 104 permit ip host 10.1.1.2 any
Example 5-10 Class Map Configuration for Matching HTTP Traffic from a Specific Network
R1(config)# class-map match-all HTTP
R1(config-cmap)# match access-group 101
R1(config-cmap)# match access-group 103
Example 5-11 Verifying the Class Map
R1# show class-map
Class Map match-all HTTP (id 2)
Match access-group 101
Match access-group 103
Class Map match-any class-default (id 0)
Match any
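
The match-any versus match-all difference described above, as an added Python sketch that is not from the book: it models ACLs 101, 103 and 104 from Example 5-9 as single permit entries and lists which packets a match-any class would admit beyond the intended HTTP traffic from 10.1.1.1. The Packet type, the function names and the sample packets are assumptions constructed for the illustration.

```python
from collections import namedtuple

# Constructed packet model: source IP, protocol, destination port.
Packet = namedtuple("Packet", "src proto dport")

# ACLs from Example 5-9, each modelled as one permit entry (assumption:
# anything the entry does not permit simply fails to match that ACL).
ACLS = {
    101: lambda p: p.proto == "tcp" and p.dport == 80,  # permit tcp any any eq www
    103: lambda p: p.src == "10.1.1.1",                 # permit ip host 10.1.1.1 any
    104: lambda p: p.src == "10.1.1.2",                 # permit ip host 10.1.1.2 any
}

def classify(packet, acl_ids, mode):
    """Return True if the packet belongs to a class map built from acl_ids."""
    results = [ACLS[acl](packet) for acl in acl_ids]
    if mode == "match-all":      # logical AND of the match statements
        return all(results)
    if mode == "match-any":      # logical OR of the match statements
        return any(results)
    raise ValueError("mode must be match-all or match-any")

def overmatched(packets, acl_ids):
    """Packets a match-any class admits that the match-all class rejects."""
    return [p for p in packets
            if classify(p, acl_ids, "match-any")
            and not classify(p, acl_ids, "match-all")]

# Constructed sample traffic.
SAMPLE = [
    Packet("10.1.1.1", "tcp", 80),   # HTTP from 10.1.1.1: the intended match
    Packet("10.1.1.1", "tcp", 443),  # non-HTTP traffic from 10.1.1.1
    Packet("10.1.1.2", "tcp", 80),   # HTTP from a different host
    Packet("10.1.1.2", "udp", 53),   # matches neither ACL 101 nor ACL 103
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt,
              "match-all:", classify(pkt, [101, 103], "match-all"),
              "match-any:", classify(pkt, [101, 103], "match-any"))
    print("Admitted only by match-any:", overmatched(SAMPLE, [101, 103]))
```

With class HTTP defined as in Example 5-10, only the first sample packet belongs to the class; under match-any the second and third would be classified with it as well.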