Configuring a traffic class

To configure a traffic class to be used in one or more policies, follow these steps:

Procedure
  1. Enter the class command from the global configuration context.

    Context: Global configuration

    Syntax

    
    no class [ipv4 | ipv6 | mac] classname

    Defines a traffic class and specifies whether a policy is to be applied to IPv4 or IPv6 packets, where classname is a text string (64 characters maximum).

    After you enter the class command, you enter the class configuration context to specify match criteria. A traffic class contains a series of match and ignore commands, which specify the criteria used to classify packets.

    The no form of the command removes the existing class .

  2. Enter one or more match or ignore commands from the traffic class configuration context to filter traffic and determine the packets on which policy actions will be performed.

    Context: Class configuration

    Syntax

    
    no [seq—number] [match | ignore] igmp source—address destination—address [igmp—type] [ip—dscp codepoint] [precedence precedence—value] [tos tos—value] [vlan vlan—id]
    
    seq-number

    (Optional) Sequentially orders the match/ignore statements that you enter in a traffic class configuration. Packets are checked by the statements in numerical order.

    Default: Match/ignore statements are numbered in increments of 10, starting at 10. To re-number the match/ignore statements in a class configuration, use the resequence command.

    match | ignore

    Defines the classifier criteria used to determine which packets belong to the traffic class.

    If a packet matches a match criterion, it becomes a member of the traffic class and is forwarded according to the actions configured with the policy command. If a packet matches an ignore criterion, no policy action is performed on the packet. You can enter one or more match/ignore statements in a traffic class.

    To remove a match/ignore statement from a class configuration, enter the no seq-number command or the complete form of a no match or no ignore command.

    ip-protocol

    Specifies an IP protocol to be matched in packet fields of IPv4 or IPv6 traffic, where ip-protocol is one of the values described below.

    When entering a match/ignore command in an IPv4 or IPv6 class, enter ? to display a list of valid ip-protocol entries.

    In an IPv4 class, you can enter any of the following IPv4 protocol match criteria:

    ahesp

    gre

    icmp1

    igmp1

    ipip-in-ip

    ipv6–in-ip

    ospf

    pim

    sctptcp1

    udp1

    vrrp

    To specify an IPv4 protocol as match criteria, you can also enter its protocol number. Valid values are from 0 to 255.

    For example, 8 means Exterior Gateway Protocol; 121 means Simple Message Protocol. For a list of IPv4 protocol numbers and corresponding protocol names, see the IANA "Protocol Number Assignment Services" at www.iana.com.

    In an IPv6 class, you can enter any of the following IPv6 protocol match criteria:

    ahesp

    icmp2

    ipv6

    sctptcp2

    udp2

    source-address

    destination-address

    Defines the source IP address (SA) and destination IP address (DA) that a packet must contain to match a match/ignore statement in an IPv4 or IPv6 traffic class. Both the source and destination address parameters are required entries in a match/ignore statement.

    Valid values for source-address and destination-address are as follows:
    • any: Matches IPv4 or IPv6 packets from, or destined to, any SA or DA.

    • host [ SA | DA ]: Matches only packets from a specified IPv4 or IPv6 host address. Use this match criterion when you want to match IP packets from only one SA/DA.

    • SAv4 mask | DAv4 mask: Matches packets received from, or destined to, a subnet or a group of IP4 addresses defined by the IPv4 mask. Enter an IPv4 mask in dotted-decimal format for an IPv4 address (for example, 10.28.31.1 0.0.0.255).

    NOTE:

    An IPv6 address and mask are not supported as SAv6 mask and DAv6 mask match criteria.

    • SAv4/mask-length | DAv4/mask-length: Matches packets received from, or destined to, an IPv4 subnet or a group of IPv4 addresses defined by the mask length. Enter the mask length for an IPv4 SA or DA mask in CIDR format by using the number of significant bits. (for example, 10.28.31.3/24).

      An IPv4 mask-length is applied to an SA or DA in a match/ignore statement to define which bits in a packet's SA/DA must exactly match the specified SA/DA and which bits need not match. For example, 10.28.31.3/24 means that the leftmost 24 bits in an IPv4 source or destination address in a packet header must match the same bit set in the specified IPv4 address (in this case, 10.28.3.3).

      An IPv4 mask-length is applied from right to left, starting from the rightmost bits. For example, 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both match IPv4 addresses in the range 10.10.10.(1 to 255).

    NOTE:

    Specifying a group of non-contiguous IP source addresses may require more than one match/ignore statement.

    • SAv6/prefix-length | DAv6/prefix-length: Matches packets received from, or destined to, an IPv6 subnet or a group of IPv6 addresses defined by the prefix length. Enter the prefix length for an IPv6 SA/DA in CIDR format by using the number of significant bits; for example: 2001:db8:2620:212::01b4/64.

      An IPv6 prefix-length is applied to an SA/DA in a match/ignore statement to define which bits in a packet's SA/DA must exactly match the specified SA/DA and which bits need not match. For example, 2001:db8:2620:212::01b4/64 means that the leftmost 64 bits in a 128-bit IPv6 source or destination address in a packet header must match the same bit set in the specified IPv6 address (in this case, 2001:db8:2620:212::01b4).

      An IPv6 prefix-length is applied from left to right, starting from the leftmost bits. For example, 2001:db8::0001: 2620:a03:e102:127/64 and 2001:db8::1: 244:17ff:feb6:d37d/64 both match IPv6 addresses with a network prefix of 2001:db8:0000:0001.

    ip-dscp codepoint

    (Optional) Matches the six-bit DSCP codepoint DSCP codepoint in IPv4 or IPv6 packets to further define match criteria. Valid values for codepoint are one of the following:

    • Numeric equivalent of a binary DSCP bit set from 0 (low priority) to 63 (high priority)

    • ASCII standard name for a binary DSCP bit set

      af11 (001010) af42 (100100)

      af12 (001100) af43 (100110)

      af13 (001110) ef

      (101110) af21 (010010) cs1 (001000)=precedence 1

      af22 (010100) cs2 (010000)= precedence 2

      af23 (010110) cs3 (011000)= precedence 3

      af31 (011010) cs4 (100000)= precedence 4

      af32 (011100) cs5 (101000)= precedence 5

      af33 (011110) cs6 (110000)= precedence 6

      af41 (100010) cs7 (111000) = precedence 7

      default (000000)

    To display a list of valid codepoint entries when you enter ip-dscp in a match/ignore statement, enter ?.

    The DSCP codepoints are the leftmost six bits of the ToS/Traffic Class byte.

    precedence precedence-value

    (Optional) Matches the three-bit IP precedence value in IPv4 or IPv6 packets to further define match criteria. Valid values for precedence-value are either the numeric value (0 to 7) or corresponding name of an IP precedence bit set:

    0 routine

    1 priority

    2 immediate

    3 flash

    4 flash-override

    5 critical

    6 internet (for internetwork control)

    7 network (for network control)

    To display a list of valid precedence-value entries when you enter precedence in a match/ignore statement, enter ?.

    NOTE:

    When used as a match criteria, the IP precedence value is applied to all other criteria configured in the match/ignore statement. You can enter a match/ignore statement either with or without a precedence-value.

    The IP precedence bits are the leftmost three bits of the ToS/Traffic Class byte. The numeric value (0 to 7) of the IP precedence bits corresponds to the hexadecimal equivalent of the three binary 0 and 1 bits in the IP precedence field. For example if the IP precedence-bit binary values are 1 1 1, the numeric value is 7 (1+2+4). Similarly, if the IP precedence bits are 0 1 0, the numeric value is 2 (0+2+0).

    tos tos-value

    (Optional) Matches the Delay Throughput Reliability (DTR) bit set in the IPv4 Type-of-Service or IPv6 Traffic Class byte to further define match criteria.

    Valid values are the numeric value or corresponding name of the DTR bit set. Some useful values are as follows:

    0 — normal

    2 — max-reliability

    4 — max-throughput

    8 — minimize-delay

    Default: 0 or normal.

    To display a list of valid tos-value entries when you enter tos in a match/ignore statement, enter ?.

    NOTE:

    When used as a match criteria, the ToS/Traffic Class byte entry is applied to all other criteria configured in the match/ignore statement. You can enter a match/ignore statement either with or without a tos-value.

    vlan vlan-id

    (Optional) Matches the VLAN ID number in the Layer 2 header of 802.1Q VLAN packets to further define match criteria. Valid VLAN IDs are from 1 to 4094.

    The image below, shows a sample ToS/Traffic Class field of 10101000 to show the differences between the IP precedence (101), DSCP (101010), and ToS/Traffic Class (10101000) bits. The rightmost two bits are reserved as 00.

    1

    For IPv4 ICMP, IGMP, TCP, and UDP packets, you can enter additional match criteria.

    2

    For IPv6 ICMP, TCP, and UDP packets, you can enter additional match criteria; see

    Defining the ICMP match criteria

    ,

    Defining the IGMP match criteria

    , and

    Defining TCP and UDP match criteria
    A ToS class field
  3. To display a class configuration, enter the following command.
    
    show class [ipv4 | ipv6] [classname]
    

    To edit a class configuration, re-enter the class configuration context (class command) and enter new match/ignore statements as follows:

    • If you do not enter a sequence number, a new statement is inserted at the end of the class configuration.

    • To remove a match/ignore statement from a class configuration, enter the no sequence-number command or the complete form of the no match or no ignore command.

    • To resequence the order in which match/ignore statements are listed, include the resequence option in the class command.

    • To replace an existing match/ignore statement, enter the no sequence-number command to delete the entry and re-enter a complete sequence-number match or sequence-number ignore command.

    When exiting the class configuration context, the changes are automatically saved and applied to existing policy configurations on the switch that use the class if the policies have not been applied to an interface. If a policy has already been applied to an interface, the editing changes are not accepted and an error message is displayed.

    Class configurations
    The following example shows two class configurations:
    • AdminTraffic

      selects the administrative traffic sent to, and received from, the IPv4 address of an administrator's PC.

    • http
      selects HTTP traffic sent to TCP ports 80, 443, and 8080, and excludes HTTP traffic sent to, and received from, TCP port 1214.
      switch(config)# class ipv4 AdminTraffic
      switch(config)# match ip 15.29.16.1/10 any
      switch(config-class)# match ip any 15.29.16.1/10
      switch(config-class)# exit
      switch(config)# class ipv4 http
      switch(config-class)# match tcp any any eq 80
      switch(config-class)# match tcp any any eq 443
      switch(config-class)# match tcp any any eq 8080
      switch(config-class)# ignore tcp any eq 1214 any
      switch(config-class)# ignore tcp any any eq 1214
      switch(config-class)# exit