Class-Map Configuration Mode Commands


 
 
Class-Map is used to configure a packet classifier for the flow-based Traffic Policing feature within the destination context. It filters the egress and/or ingress packets of a subscriber session based on rules configured in a subscriber context.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
end
Exits the context configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec mode.
 
exit
Exits the context configuration mode and returns to the global configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Return to the global configuration mode.
 
match any
This command allows all traffic in this class map.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match any
Usage
Sets the match rule to allow all traffic flows for the specific class map.
Example
The following command allows all packets going to a system with this class map.
match any
 
match dst-ip-address
This command specifies a traffic classification rule based on the destination IP address of packets.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match dst-ip-address dst_ip_address subnet_mask
dst_ip_address
Specifies the destination IP address of the packets.
dst_ip_address must be specified using the standard IPv4 dotted decimal notation.
subnet_mask
Specifies the IP address mask bits to determine the number of IP addresses in the pool. subnet_mask must be specified using the standard IPv4 dotted decimal notation.
1 bits in the subnet_mask indicate that bit position in the dst_ip_address must also have a value of 1.
0 bits in the subnet_mask indicate that bit position in the dst_ip_address does not need to match, i.e., the bit can be either a 0 or a 1.
For example, if the IP address and mask are specified as 172.168.10.0 and 255.255.255.224, respectively, the pool will contain IP addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
Usage
Sets the match rule based on the destination IP address of packets for the specific class map.
Example
The following command specifies the rule for packets going to a system with the IP address 10.1.2.6.
match dst-ip-address 10.1.2.6
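
An added example (not part of the original documentation) of how an address and mask pair in match dst-ip-address or match src-ip-address selects packets. It assumes the conventional reading, consistent with the 172.168.10.0 / 255.255.255.224 example above, in which only bit positions with a 1 in the mask are compared; all function names are hypothetical.

```python
import ipaddress

FULL = 0xFFFFFFFF

def _to_int(dotted):
    """Parse IPv4 dotted decimal into a 32-bit integer (ValueError if malformed)."""
    return int(ipaddress.IPv4Address(dotted))

def is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~_to_int(mask) & FULL
    return (inverted & (inverted + 1)) == 0

def covered_range(address, mask):
    """Return (first, last, count) of the addresses selected by address/mask."""
    if not is_contiguous(mask):
        raise ValueError(f"non-contiguous mask {mask}: selection is not one range")
    a, m = _to_int(address), _to_int(mask)
    first = a & m
    last = first | (~m & FULL)
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)),
            last - first + 1)

def rule_matches(address, mask, packet_ip):
    """Assumed semantics: compare only the bit positions where the mask has a 1."""
    m = _to_int(mask)
    return (_to_int(packet_ip) & m) == (_to_int(address) & m)

def has_host_bits(address, mask):
    """True when the rule address has 1 bits where the mask is 0.

    Those bits are ignored by the comparison, so the rule is wider than the
    single address written in it.
    """
    return (_to_int(address) & ~_to_int(mask) & FULL) != 0

if __name__ == "__main__":
    # Values taken from the example in the text above.
    print(covered_range("172.168.10.0", "255.255.255.224"))
    print(rule_matches("172.168.10.0", "255.255.255.224", "172.168.10.32"))
    # Constructed case: a host address written with a /24 mask.
    print(has_host_bits("10.1.2.6", "255.255.255.0"))
```

A rule for which has_host_bits returns True classifies every address in the masked range, which matters when the class map is meant to single out one host.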
 
match dst-port-range
This command specifies a traffic classification rule based on the range of destination ports of L4 packets.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match dst-port-range initial_port_number [ to last_port_number ]
initial_port_number [ to last_port_number ]
Specifies the destination port or range of ports of L4 packets.
initial_port_number is the starting port number and must be an integer value in the range from 1 through 65535 but less than last_port_number, if specified.
last_port_number is the end port number and must be an integer value in the range from 1 through 65535 but more than initial_port_number.
Usage
Sets the match rule based on the destination port number or range of ports of L4 packets for the specific class map.
Example
The following command specifies the rule for packets with a destination port number from 23 to 88.
match dst-port-range 23 to 88
 
match ip-tos
This command specifies a traffic classification rule based on the IP Type of Service value in the ToS field of the packet.
Product
PDSN, HA, ASN-GW
Privilege
Administrator
Syntax
match ip-tos { service_value [ ip-tos-mask mask_value ] | tos-range low_value to high_value }
service_value
Specifies the IP Type-of-Service value to match inside the ToS field of packets.
service_value must be an integer value in the range from 0 through 255.
ip-tos-mask mask_value
Specifies the IP Type-of-Service mask value to match inside the ToS field of packets.
mask_value must be an integer value in the range from 1 through 255.
tos-range low_value to high_value
Specifies a range that a ToS value in a received packet must fall within to be considered a match.
low_value and high_value must be an integer from 0 to 255.
Usage
Sets the match rule based on the IP ToS value in the ToS field of packets for the specific class map.
Example
The following command specifies 3 as the IP ToS value to match in the ToS field of received packets.
match ip-tos 3
 
match ipsec-spi
This command specifies a traffic classification rule based on the IPSec Security Parameter Index (SPI) value in the SPI field of the packet.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match ipsec-spi index_value
index_value
Specifies the IPSec SPI value to match inside the SPI field of packets.
index_value must be an integer value in the range from 1 through 65535.
Usage
Sets the match rule based on the IPSec SPI value in the SPI field of packets for the specific class map.
Example
The following command specifies 1234 as the IPSec SPI value to match in the SPI field of packets.
match ipsec-spi 1234
 
match packet-size
This command specifies a traffic classification rule based on the size of the packet.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match packet-size [ gt | lt ] size
size
Specifies the packet length in bytes.
size must be an integer value in the range from 1 through 65535.
[ gt | lt ]
Applies an operator to match packets whose size is greater than (gt) or less than (lt) the specified size.
Usage
Sets the match rule based on the size of packets for the specific class map. This command is only applicable for static policies; it is not available for dynamic policies.
Example
The following command specifies a packet length of 1024 bytes.
match packet-size 1024
 
match protocol
This command specifies a traffic classification rule based on the protocol used for session flow.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match protocol { tcp | udp | gre | ip-in-ip }
tcp
Sets the match rule for a session flow using Transmission Control Protocol (TCP). It matches the protocol field to tcp inside the packet.
udp
Sets the match rule for a session flow having User Datagram Protocol (UDP). It matches the protocol field to udp inside the packet.
gre
Sets the match rule for session flow using Generic Routing Encapsulation (GRE) Protocol. It matches the protocol field to gre inside the packet.
ip-in-ip
Sets the match rule for session flow using IP-in-IP encapsulation protocol. It matches the protocol field to ip-in-ip inside the packet.
Usage
Sets the match rule based on the protocol of the packet flow for the specific class map.
Example
The following command specifies the rule for a packet flow using IP-in-IP as the protocol.
match protocol ip-in-ip
 
match src-ip-address
This command specifies a traffic classification rule based on the source IP address of packets.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match src-ip-address src_ip_address subnet_mask
src_ip_address
Specifies the source IP address of the packets.
src_ip_address must be specified using the standard IPv4 dotted decimal notation.
subnet_mask
Specifies the IP address mask bits to determine the number of IP addresses in the pool. subnet_mask must be specified using the standard IPv4 dotted decimal notation.
1 bits in the subnet_mask indicate that bit position in the src_ip_address must also have a value of 1.
0 bits in the subnet_mask indicate that bit position in the src_ip_address does not need to match, i.e., the bit can be either a 0 or a 1.
For example, if the IP address and mask are specified as 172.168.10.0 and 255.255.255.224, respectively, the pool will contain IP addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
Usage
Sets the match rule based on the source IP address of packets for the specific class map.
Example
The following command specifies the rule for packets coming from a system with the IP address 10.1.2.3.
match src-ip-address 10.1.2.3
 
match src-port-range
This command specifies a traffic classification rule based on the range of source ports of L4 packets.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
match src-port-range initial_port_number [ to last_port_number ]
initial_port_number [ to last_port_number ]
Specifies the source port or range of ports of the L4 packets.
initial_port_number is the starting port number and must be an integer value in the range from 1 through 65535 but less than last_port_number, if specified.
last_port_number is the end port number and must be an integer value in the range from 1 through 65535 but more than initial_port_number.
Usage
Sets the match rule based on the source port number or range of ports of L4 packets for the specific class map.
Example
The following command specifies the rule for packets with a source port number from 23 to 88.
match src-port-range 23 to 88
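
An added example (not part of the original documentation) of a pre-deployment check that validates match lines against the syntax and value ranges documented on this page. The function names are hypothetical, the sample lines are constructed, and address rules (match dst-ip-address, match src-ip-address) are passed through unchecked.

```python
PROTOCOLS = {"tcp", "udp", "gre", "ip-in-ip"}
PORT_KW = ("dst-port-range", "src-port-range")

def _num(tok, lo, hi, name):
    """Return None if tok is an integer in lo..hi, else an error string."""
    ok = tok.isascii() and tok.isdigit() and lo <= int(tok) <= hi
    return None if ok else f"{name} must be an integer from {lo} through {hi}, got {tok!r}"

def check_match(line):
    """Return the problems found in one 'match ...' line (empty list = clean)."""
    t = line.split()
    if len(t) < 2 or t[0] != "match":
        return ["not a match command"]
    kw, a, errs = t[1], t[2:], []
    if (kw == "any" and not a) or kw.endswith("-ip-address"):
        pass  # address/mask rules are not checked in this example
    elif kw in PORT_KW and len(a) == 1:
        errs.append(_num(a[0], 1, 65535, "port"))
    elif kw in PORT_KW and len(a) == 3 and a[1] == "to":
        errs += [_num(a[0], 1, 65535, "initial port"), _num(a[2], 1, 65535, "last port")]
        if not any(errs) and int(a[0]) >= int(a[2]):
            errs.append("initial port must be less than last port")
    elif kw == "ip-tos" and len(a) == 1:
        errs.append(_num(a[0], 0, 255, "service_value"))
    elif kw == "ip-tos" and len(a) == 3 and a[1] == "ip-tos-mask":
        errs += [_num(a[0], 0, 255, "service_value"), _num(a[2], 1, 255, "mask_value")]
    elif kw == "ip-tos" and len(a) == 4 and a[0] == "tos-range" and a[2] == "to":
        errs += [_num(a[1], 0, 255, "low_value"), _num(a[3], 0, 255, "high_value")]
    elif kw == "ipsec-spi" and len(a) == 1:
        errs.append(_num(a[0], 1, 65535, "index_value"))
    elif kw == "packet-size" and (len(a) == 1 or (len(a) == 2 and a[0] in ("gt", "lt"))):
        errs.append(_num(a[-1], 1, 65535, "size"))
    elif kw == "protocol" and len(a) == 1:
        errs.append(None if a[0] in PROTOCOLS else f"unknown protocol {a[0]!r}")
    else:
        errs.append(f"unrecognised or malformed rule: {line.strip()!r}")
    return [e for e in errs if e]

# Constructed sample: six examples from this page plus three deliberately bad lines.
SAMPLE = ["match any", "match dst-port-range 23 to 88", "match ip-tos 3",
          "match ipsec-spi 1234", "match packet-size 1024", "match protocol ip-in-ip",
          "match src-port-range 88 to 23", "match ipsec-spi 70000", "match protocol icmp"]

def lint(lines):
    """Map each offending line to its list of problems."""
    return {l: p for l in lines if (p := check_match(l))}

if __name__ == "__main__":
    print(lint(SAMPLE))
```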
 
 

Cisco Systems Inc.