Configuring a traffic class
To configure a traffic class to be used in one or more policies, follow these steps:
- Enter the class command from the global configuration context.
Context: Global configuration
Syntax
no class [ipv4 | ipv6 | mac] classname
Defines a traffic class and specifies whether a policy is to be applied to IPv4 or IPv6 packets, where classname is a text string (64 characters maximum).
After you enter the class command, you enter the class configuration context to specify match criteria. A traffic class contains a series of match and ignore commands, which specify the criteria used to classify packets.
The no form of the command removes the existing class.
- Enter one or more match or ignore commands from the traffic class configuration context to filter traffic and determine the packets on which policy actions will be performed.
Context: Class configuration
Syntax
no [seq-number] [match | ignore] igmp source-address destination-address [igmp-type] [ip-dscp codepoint] [precedence precedence-value] [tos tos-value] [vlan vlan-id]
seq-number
(Optional) Sequentially orders the match/ignore statements that you enter in a traffic class configuration. Packets are checked by the statements in numerical order.
Default: Match/ignore statements are numbered in increments of 10, starting at 10. To re-number the match/ignore statements in a class configuration, use the resequence command.
match | ignore
Defines the classifier criteria used to determine which packets belong to the traffic class.
If a packet matches a match criterion, it becomes a member of the traffic class and is forwarded according to the actions configured with the policy command. If a packet matches an ignore criterion, no policy action is performed on the packet. You can enter one or more match/ignore statements in a traffic class.
To remove a match/ignore statement from a class configuration, enter the no seq-number command or the complete form of a no match or no ignore command.
ip-protocol
Specifies an IP protocol to be matched in packet fields of IPv4 or IPv6 traffic, where ip-protocol is one of the values described below.
When entering a match/ignore command in an IPv4 or IPv6 class, enter ? to display a list of valid ip-protocol entries.
In an IPv4 class, you can enter any of the following IPv4 protocol match criteria:
ah
esp
gre
icmp [1]
igmp [1]
ip
ip-in-ip
ipv6-in-ip
ospf
pim
sctp
tcp [1]
udp [1]
vrrp
To specify an IPv4 protocol as match criteria, you can also enter its protocol number. Valid values are from 0 to 255.
For example, 8 means Exterior Gateway Protocol; 121 means Simple Message Protocol. For a list of IPv4 protocol numbers and corresponding protocol names, see the IANA "Protocol Number Assignment Services" at www.iana.com.
In an IPv6 class, you can enter any of the following IPv6 protocol match criteria:
ah
esp
icmp [2]
ipv6
sctp
tcp [2]
udp [2]
source-address
destination-address
Defines the source IP address (SA) and destination IP address (DA) that a packet must contain to match a match/ignore statement in an IPv4 or IPv6 traffic class. Both the source and destination address parameters are required entries in a match/ignore statement.
Valid values for source-address and destination-address are as follows:
any: Matches IPv4 or IPv6 packets from, or destined to, any SA or DA.
host [ SA | DA ]: Matches only packets from a specified IPv4 or IPv6 host address. Use this match criterion when you want to match IP packets from only one SA/DA.
SAv4 mask | DAv4 mask: Matches packets received from, or destined to, a subnet or a group of IPv4 addresses defined by the IPv4 mask. Enter an IPv4 mask in dotted-decimal format for an IPv4 address (for example, 10.28.31.1 0.0.0.255).
NOTE: An IPv6 address and mask are not supported as SAv6 mask and DAv6 mask match criteria.
SAv4/mask-length | DAv4/mask-length: Matches packets received from, or destined to, an IPv4 subnet or a group of IPv4 addresses defined by the mask length. Enter the mask length for an IPv4 SA or DA mask in CIDR format by using the number of significant bits (for example, 10.28.31.3/24).
An IPv4 mask-length is applied to an SA or DA in a match/ignore statement to define which bits in a packet's SA/DA must exactly match the specified SA/DA and which bits need not match. For example, 10.28.31.3/24 means that the leftmost 24 bits in an IPv4 source or destination address in a packet header must match the same bit set in the specified IPv4 address (in this case, 10.28.31.3).
An IPv4 mask-length is applied from right to left, starting from the rightmost bits. For example, 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both match IPv4 addresses in the range 10.10.10.(1 to 255).
NOTE: Specifying a group of non-contiguous IP source addresses may require more than one match/ignore statement.
SAv6/prefix-length | DAv6/prefix-length: Matches packets received from, or destined to, an IPv6 subnet or a group of IPv6 addresses defined by the prefix length. Enter the prefix length for an IPv6 SA/DA in CIDR format by using the number of significant bits; for example: 2001:db8:2620:212::01b4/64.
An IPv6 prefix-length is applied to an SA/DA in a match/ignore statement to define which bits in a packet's SA/DA must exactly match the specified SA/DA and which bits need not match. For example, 2001:db8:2620:212::01b4/64 means that the leftmost 64 bits in a 128-bit IPv6 source or destination address in a packet header must match the same bit set in the specified IPv6 address (in this case, 2001:db8:2620:212::01b4).
An IPv6 prefix-length is applied from left to right, starting from the leftmost bits. For example, 2001:db8::0001:2620:a03:e102:127/64 and 2001:db8::1:244:17ff:feb6:d37d/64 both match IPv6 addresses with a network prefix of 2001:db8:0000:0001.
ip-dscp codepoint
(Optional) Matches the six-bit DSCP codepoint in IPv4 or IPv6 packets to further define match criteria. Valid values for codepoint are one of the following:
Numeric equivalent of a binary DSCP bit set from 0 (low priority) to 63 (high priority)
ASCII standard name for a binary DSCP bit set
af11 (001010)     af42 (100100)
af12 (001100)     af43 (100110)
af13 (001110)     ef (101110)
af21 (010010)     cs1 (001000) = precedence 1
af22 (010100)     cs2 (010000) = precedence 2
af23 (010110)     cs3 (011000) = precedence 3
af31 (011010)     cs4 (100000) = precedence 4
af32 (011100)     cs5 (101000) = precedence 5
af33 (011110)     cs6 (110000) = precedence 6
af41 (100010)     cs7 (111000) = precedence 7
default (000000)
To display a list of valid codepoint entries when you enter ip-dscp in a match/ignore statement, enter ?.
The DSCP codepoints are the leftmost six bits of the ToS/Traffic Class byte.
precedence precedence-value
(Optional) Matches the three-bit IP precedence value in IPv4 or IPv6 packets to further define match criteria. Valid values for precedence-value are either the numeric value (0 to 7) or corresponding name of an IP precedence bit set:
0 routine
1 priority
2 immediate
3 flash
4 flash-override
5 critical
6 internet (for internetwork control)
7 network (for network control)
To display a list of valid precedence-value entries when you enter precedence in a match/ignore statement, enter ?.
NOTE: When used as a match criterion, the IP precedence value is applied to all other criteria configured in the match/ignore statement. You can enter a match/ignore statement either with or without a precedence-value.
The IP precedence bits are the leftmost three bits of the ToS/Traffic Class byte. The numeric value (0 to 7) of the IP precedence bits corresponds to the hexadecimal equivalent of the three binary 0 and 1 bits in the IP precedence field. For example, if the IP precedence-bit binary values are 1 1 1, the numeric value is 7 (1+2+4). Similarly, if the IP precedence bits are 0 1 0, the numeric value is 2 (0+2+0).
tos tos-value
(Optional) Matches the Delay Throughput Reliability (DTR) bit set in the IPv4 Type-of-Service or IPv6 Traffic Class byte to further define match criteria.
Valid values are the numeric value or corresponding name of the DTR bit set. Some useful values are as follows:
0 — normal
2 — max-reliability
4 — max-throughput
8 — minimize-delay
Default: 0 or normal.
To display a list of valid tos-value entries when you enter tos in a match/ignore statement, enter ?.
NOTE: When used as a match criterion, the ToS/Traffic Class byte entry is applied to all other criteria configured in the match/ignore statement. You can enter a match/ignore statement either with or without a tos-value.
vlan vlan-id
(Optional) Matches the VLAN ID number in the Layer 2 header of 802.1Q VLAN packets to further define match criteria. Valid VLAN IDs are from 1 to 4094.
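How the precedence and ip-dscp criteria relate, as an added Python example (not from the vendor documentation; the function names are hypothetical). It rebuilds the codepoint table from the bit layout this page describes and lists which named codepoints share a given precedence, which is where a precedence criterion and an ip-dscp criterion overlap.

```python
# DSCP names and bit patterns, rebuilt from the layout in the codepoint table.
DSCP_NAMES = {"default": 0b000000, "ef": 0b101110}
for cls in range(1, 5):            # af11..af43: class in the top 3 bits, drop level in the next 2
    for drop in range(1, 4):
        DSCP_NAMES[f"af{cls}{drop}"] = (cls << 3) | (drop << 1)
for n in range(1, 8):              # cs1..cs7 correspond to IP precedence 1..7
    DSCP_NAMES[f"cs{n}"] = n << 3

PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]

def decode_tos_byte(value):
    """Split a ToS/Traffic Class byte into the fields the match criteria test."""
    if not 0 <= value <= 0xFF:
        raise ValueError("ToS/Traffic Class is a single byte")
    dscp = value >> 2              # leftmost six bits
    prec = value >> 5              # leftmost three bits
    name = next((n for n, v in DSCP_NAMES.items() if v == dscp), None)
    return {"precedence": prec, "precedence_name": PRECEDENCE_NAMES[prec],
            "dscp": dscp, "dscp_name": name}

def dscp_names_with_precedence(prec):
    """Named codepoints whose leftmost three bits equal the given precedence."""
    return sorted(n for n, v in DSCP_NAMES.items() if v >> 3 == prec)

if __name__ == "__main__":
    print(decode_tos_byte(0b10101000))        # sample byte used on this page
    print(dscp_names_with_precedence(5))      # codepoints that carry precedence 5
```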
A sample ToS/Traffic Class field of 10101000 shows the differences between the IP precedence (101), DSCP (101010), and ToS/Traffic Class (10101000) bits. The rightmost two bits are reserved as 00.
[1] For IPv4 ICMP, IGMP, TCP, and UDP packets, you can enter additional match criteria.
[2] For IPv6 ICMP, TCP, and UDP packets, you can enter additional match criteria; see Defining the ICMP match criteria, Defining the IGMP match criteria, and Defining TCP and UDP match criteria.
- To display a class configuration, enter the following command.
show class [ipv4 | ipv6] [classname]
To edit a class configuration, re-enter the class configuration context (class command) and enter new match/ignore statements as follows:
  - If you do not enter a sequence number, a new statement is inserted at the end of the class configuration.
  - To remove a match/ignore statement from a class configuration, enter the no sequence-number command or the complete form of the no match or no ignore command.
  - To resequence the order in which match/ignore statements are listed, include the resequence option in the class command.
  - To replace an existing match/ignore statement, enter the no sequence-number command to delete the entry and re-enter a complete sequence-number match or sequence-number ignore command.
When exiting the class configuration context, the changes are automatically saved and applied to existing policy configurations on the switch that use the class if the policies have not been applied to an interface. If a policy has already been applied to an interface, the editing changes are not accepted and an error message is displayed.
Class configurations
The following example shows two class configurations:
AdminTraffic selects the administrative traffic sent to, and received from, the IPv4 address of an administrator's PC.
http selects HTTP traffic sent to TCP ports 80, 443, and 8080, and excludes HTTP traffic sent to, and received from, TCP port 1214.
switch(config)# class ipv4 AdminTraffic
switch(config-class)# match ip 15.29.16.1/10 any
switch(config-class)# match ip any 15.29.16.1/10
switch(config-class)# exit
switch(config)# class ipv4 http
switch(config-class)# match tcp any any eq 80
switch(config-class)# match tcp any any eq 443
switch(config-class)# match tcp any any eq 8080
switch(config-class)# ignore tcp any eq 1214 any
switch(config-class)# ignore tcp any any eq 1214
switch(config-class)# exit
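How the source-address and destination-address forms described earlier (any, host, address mask, address/length) select addresses, worked through in Python as an added example that is not vendor code; the function names are hypothetical. Run against the specs this page uses, it shows that 15.29.16.1/10 in the AdminTraffic class covers 2^22 addresses (15.0.0.0 through 15.63.255.255), where host 15.29.16.1 would cover one.

```python
import ipaddress

def compile_spec(spec):
    """Turn one source-address/destination-address spec into (version, base, care).

    'care' has a 1 for every bit of the packet address that must equal 'base'.
    """
    parts = spec.split()
    if parts == ["any"]:
        return (None, 0, 0)                       # no bit has to match
    if parts[0] == "host":
        ip = ipaddress.ip_address(parts[1])
        return (ip.version, int(ip), (1 << ip.max_prefixlen) - 1)
    if len(parts) == 2:                           # "address mask" form
        ip = ipaddress.ip_address(parts[0])
        if ip.version != 4:                       # per the NOTE: no IPv6 address + mask
            raise ValueError("address/mask form is IPv4 only")
        dont_care = int(ipaddress.IPv4Address(parts[1]))   # 1 bits need not match
        return (4, int(ip), 0xFFFFFFFF & ~dont_care)
    iface = ipaddress.ip_interface(parts[0])      # "address/length" form
    return (iface.version, int(iface.ip), int(iface.netmask))

def spec_matches(spec, address):
    """True if a packet address satisfies the spec."""
    version, base, care = compile_spec(spec)
    ip = ipaddress.ip_address(address)
    if version not in (None, ip.version):
        return False
    return ((int(ip) ^ base) & care) == 0

def covered_addresses(spec):
    """Number of distinct addresses the spec matches (not defined for 'any')."""
    version, _, care = compile_spec(spec)
    if version is None:
        raise ValueError("'any' spans both address families")
    width = 32 if version == 4 else 128
    return 2 ** (width - bin(care).count("1"))

if __name__ == "__main__":
    for spec in ("host 15.29.16.1", "10.10.10.1/24", "10.10.10.1 0.0.0.255",
                 "15.29.16.1/10", "2001:db8:2620:212::01b4/64"):
        print(f"{spec:30} covers {covered_addresses(spec)} address(es)")
```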