Cisco IOS Quality of Service Solutions Command Reference

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco IOS Quality of Service Solutions Command Reference

Chapter Title

match access-group through mls ip pbr

Results

Updated:
April 8, 2014

Chapter: match access-group through mls ip pbr

match access-group through mls ip pbr

mac packet-classify

To classify Layer 3 packets as Layer 2 packets, use the macpacket-classify command in interface configuration mode. To return to the default settings, use the no form of this command.

mac packet-classify [bpdu]

no mac packet-classify [bpdu]

Syntax Description

bpdu

(Optional) Specifies Layer 2 policy enforcement for BPDU packets.

Command Default

Layer 3 packets are not classified as Layer 2 packets.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(18)SXD

Support for this command was introduced on the Supervisor Engine 720.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(50)SY

Added support for MAC ACLs on BPDU packets.

Usage Guidelines

This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.

You can configure these interface types for multilayer MAC access control list (ACL) quality of service (QoS) filtering:

  • VLAN interfaces without Layer 3 addresses

  • Physical LAN ports that are configured to support Ethernet over Multiprotocol Label Switching (EoMPLS)

  • Logical LAN subinterfaces that are configured to support EoMPLS

The ingress traffic that is permitted or denied by a MAC ACL on an interface configured for multilayer MAC ACL QoS filtering is processed by egress interfaces as MAC-layer traffic. You cannot apply egress IP ACLs to traffic that was permitted or denied by a MAC ACL on an interface configured for multilayer MAC ACL QoS filtering.

Microflow policing does not work on interfaces that have the macpacket-classify command enabled.

The macpacket-classify command causes the Layer 3 packets to be classified as Layer 2 packets and disables IP classification.

Traffic is classified based on 802.1Q class of service (CoS), trunk VLAN, EtherType, and MAC addresses.

Examples

This example shows how to classify incoming and outgoing Layer 3 packets as Layer 2 packets: 


Router(config-if)# mac packet-classify
Router(config-if)#

This example shows how to disable the classification of incoming and outgoing Layer 3 packets as Layer 2 packets: 


Router(config-if)# no mac packet-classify
Router(config-if)#

This example shows how to enforce Layer 2 policies on BPDU packets: 


Router(config-if)# mac packet-classify bpdu
Router(config-if)#

This example shows how to disable Layer 2 policies on BPDU packets: 


Router(config-if)# no mac packet-classify bpdu
Router(config-if)#

Related Commands

Command

Description

mac packet-classify use vlan

Enables VLAN-based QoS filtering in the MAC ACLs.

mac packet-classify use vlan

To enable VLAN-based quality of service (QoS) filtering in the MAC access control lists (ACLs), use the macpacket-classifyusevlan command in global configuration mode. To return to the default settings, use the no form of this command.

mac packet-classify use vlan

no mac packet-classify use vlan

Syntax Description

This command has no arguments or keywords.

Command Default

VLAN-based QoS filtering in the MAC ACLs is disabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.2(18)SXD

Support for this command was introduced on the Supervisor Engine 720 and the Supervisor Engine 2.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

This command is supported in PFC3BXL or PFC3B mode only.

This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.

You must use the nomacpacket-classifyusevlan command to disable the VLAN field in the Layer 2 key if you want to apply QoS to the Layer 2 Service Advertising Protocol (SAP)-encoded packets (for example, Intermediate System-to-Intermediate System [IS-IS] and Internet Packet Exchange [IPX]).

QoS does not allow policing of non-Advanced Research Protocol Agency (ARPA) Layer 2 packets (for example, IS-IS and IPX) if the VLAN field is enabled.

Examples

This example shows how to enable Layer 2 classification of IP packets: 


Router(config)# mac packet-classify use vlan
Router(config)

This example shows how to disable Layer 2 classification of IP packets: 


Router(config)# no mac packet-classify use vlan
Router(config)

Related Commands

Command

Description

mac packet-classify

Classifies Layer 3 packets as Layer 2 packets.

map ip

T o classify either all the IPv4 packets, or the IPv4 packets based on either differentiated service code point (DSCP) values or precedence values into high priority or low priority for POS, channelized, and clear-channel SPAs, use the following forms of the mapip command in ingress class-map mode. Use the no forms of this command listed here to remove the IPv4 settings.

Command to Classify all the IPv4 Packets

map ip all queue {strict-priority | 0}

no map ip all queue {strict-priority | 0}

Command to Classify IPv4 Packets Based on DSCP Values

map ip {dscp-based | dscp {dscp-value | dscp-range} queue {strict-priority | 0}}

no map ip {dscp-based | dscp {dscp-value | dscp-range} queue {strict-priority | 0}}

Command to Classify IPv4 Packets Based on Precedence Values

map ip {precedence-based | precedence {precedence-value | precedence-range} queue strict-priority | 0}

no map ip {precedence-based | precedence {precedence-value | precedence-range} queue strict-priority | 0}

Syntax Description

all queue

Implies the high priority or low priority configuration of all the IPv4 packets.

strict-priority

Classifies all the IPv4 packets as high priority (strict-priority).

0

Classifies all the IPv4 packets as low priority.

dscp-based

Enables classification based on DSCP value in IPv4.

dscp

Allows you to configure the DSCP value or range as high priority or low priority for IPv4 packets.

dscp-value

DSCP value for which the priority is to be configured as high or low.

dscp-range

Range of dscp-values for which the priority is to be configured as high or low.

queue

Enables the classification of an entire queue, DSCP values, or precedence values as high priority or low priority.

precedence-based

Enables the classification based on IPv4 precedence values.

precedence

Allows you to configure an IPv4 precedence value or range as high priority or low priority for IPv4 packets.

precedence-value

Precedence-value for which the priority is to be configured as high or low.

precedence-range

Range of precedence-values for which the priority is to be configured as high or low.

Command Default

If there is no configuration of IPv4 DSCP value or precedence values map to high priority specified, the system treats packets with DSCP range EF as high priority and precedence range 6-7 as high priority.

Command Modes


Ingress-class-map configuration mode

Command History

Release

Modification

3.1S

This command was introduced to classify either all the IPv4 packets, or the IPv4 packets based on either DSCP value or precedence values as high or low for POS, channelized, and clear-channel SPAs.

Usage Guidelines

To classify all IPv4 packets as high or low for POS, channelized, or clear-channel SPA, use the mapipallqueue command,

To classify IPv4 packets with specific DSCP values, enable the DSCP classification using the mapipdscp-based command. To classify IPV4 packets with specific DSCP values as high or low, use the mapipdscp {{dscp-value | dscp-range } queue {strict-priority | 0 }} command.

To classify IPv4 packets with specific precedence values, enable the precedence classification using the mapipprecedence-based command. To classify IPv4 packets with specific precedence values as high or low, use the mapipprecedence {{precedence-value | precedence-range } queue {strict-priority | 0 }} command.

Examples

The following example shows how to classify all the IPv4 Packets as high priority using the mapipallqueuestrict-priority command: 


Router# config
Router(config)# ingress-class-map 1
Router(config-ing-class-map)# map ip all queue strict-priority

The following example shows how to classify IPv4 Packets with DSCP value of cs1 as high priority: 


Router# config
Router(config)# ingress-class-map 1
Router(config-ing-class-map)# map ip dscp-based
Router(config-ing-class-map)# map ip dscp cs1 queue strict-priority

The following example shows how to classify IPv4 Packets with a precedence value 3 and 5 as high priority: 


Router# config
Router(config)# ingress-class-map 1
Router(config-ing-class-map)# map ip precedence-based
Router(config-ing-class-map)# map ip precedence 3 5 queue strict-priority

Related Commands

Command

Description

plim qos input class-map

Attaches the classification template to an interface.

map ipv6

T o classify either all the IPv6 packets, or IPv6 packets based on specific traffic class (TC) values as high priority or low priority in the context of POS, channelized, and clear-channel SPAs use the following forms of mapipv6 commands in ingress class-map mode. Use the no forms of this command listed here to remove the IPv6 settings.

Command to Classify all the IPv6 Packets

map ipv6 all queue {strict-priority | 0}

no map ipv6 all queue {strict-priority | 0}

Command to Classify IPv6 Traffic-Class values as High Priority or Low Priority

map ipv6 tc {tc-value | tc-range} queue {strict-priority | 0}

no map ipv6 tc {tc-value | tc-range} queue {strict-priority | 0}

Syntax Description

all queue

Implies the high priority or low priority configuration of all the IPv6 packets.

strict-priority

Classifies all the IPv6 packets as high priority (strict-priority).

0

Classifies all the IPv6 Packets as low priority.

tc

Allows you to configure the traffic class value or range as high priority or low priority for IPv6 packets.

tc-value

Specific traffic-class value for which the priority is to be configured as either high or low(0).

tc-range

Range of traffic-class values for which the priority is to be configured as either high or low(0).

queue

Enables classification of the entire queue, traffic-class values, or range of traffic-class values as either high priority or low priority.

Command Default

If a user does not configure which IPv6 traffic class values map to high priority, the system treats packets the packets with traffic class EF as high priority.

Command Modes


Ingress-class-map configuration mode

Command History

Release

Modification

3.1S

This command was introduced to classify, all the IPv6 packets or the IPv6 packets based on traffic class values as high priority or low priority for POS, channelized, and clear-channel SPAs.

Usage Guidelines

To classify all the IPv6 packets as high priority or low priority in the context of POS, channelized, or clear-channel SPAs, use the mapipv6allqueue command.

To classify the IPv6 packets with specific traffic class values, use the mapipv6tccs2queuestrict-priority command.

Examples

The following example shows how to classify all the IPv6 packets as high priority using the mapipv6allqueuestrict-priority command: 


Router# config
Router(config)# ingress-class-map 1
Router(config-ing-class-map)# map ipv6 all queue strict-priority

The following example shows how to classify the IPv6 packets with traffic-class values cs2 as high priority: 


Router# config
Router(config)# ingress-class-map 1
Router(config-ing-class-map)# map ip tc cs2 queue strict-priority

Related Commands

Command

Description

plim qos input class-map

Attaches the classification template to an interface.

map mpls

T o classify either all the Multiprotocol Label Switching (MPLS) packets or MPLS packets with specified EXP values or range as high priority or low priority for POS, channelized, and clear-channel SPAs the following forms of the mapmpls command are used in ingress class-map mode. Use the no forms of this command listed here to remove the MPLS settings.

Command to Classify all the MPLS EXP Values as High Priority or Low Priority

map mpls all queue {strict-priority | 0}

no map mpls all queue

Command to Classify the MPLS EXP Values as High Priority or Low Priority

map mpls exp {exp-value | exp-range} queue {strict-priority | 0}

no map mpls exp {exp-value | exp-range} queue {strict-priority | 0}

Syntax Description

all queue

Implies the high priority or low priority configuration of all the MPLS Packets.

strict-priority

Classifies either all the MPLS packets or the MPLS packets with specific EXP values as high priority (strict priority).

0

Classifies MPLS packets as low priority.

exp

Allows you to configure an EXP value or a range of EXP values as high priority or low priority for MPLS packets. The valid range for EXP values is 0 to 7.

exp-value

A specific EXP value for which the priority is to be configured as high or low(0).

exp-range

A range of EXP values for which the priority is to be configured as high or low(0). The valid range for EXP values is 0 to 7.

queue

Enables the classification priority of an entire queue, EXP values, or range of EXP values as high priority or low priority.

Command Default

If a user does not configure which MPLS EXP values map to high priority, the system treats packets with an EXP value of 6-7 as high priority.

Command Modes


Ingress-class-map configuration mode

Command History

Release

Modification

3.1S

This command was introduced to classify either all the MPLS packets or MPLS packets based on EXP values as high priority or low priority for POS, channelized, and clear-channel SPAs.

Usage Guidelines

To classify all the MPLS packets as high priority or low priority for POS, channelized, or clear-channel SPA, use the mapmplsallqueue command.

To classify the MPLS packets with specific EXP values, use the mapmplsexp{exp-value|exp-range}queue{strict-priority|0} command.

Examples

The following example shows how to classify all the MPLS packets as high priority using the mapmplsallqueuestrict-priority command: 


Router# config
Router(config)# ingress-class-map 1
Router(config-ing-class-map)# map mpls all queue strict-priority

The following example shows how to classify the MPLS packets with EXP value of 4 as high priority: 


Router# config
Router(config)# ingress-class-map 1
Router(config-ing-class-map)# map mpls exp 4 queue strict-priority

Related Commands

Command

Description

plim qos input class-map

Attaches the classification template to an interface.

match access-group

To configure the match criteria for a class map on the basis of the specified access control list (ACL), use the match access-group command in QoS class-map configuration or policy inline configuration mode. To remove the ACL match criteria from a class map, use the no form of this command.

match access-group {access-group | name access-group-name}

no match {access-group | name access-group-name}

Syntax Description

access-group

A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the same class. The range is from 1 to 2699.

name access-group-name

Specifies a named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the same class. The name can be up to 40 alphanumeric characters.

Command Default

No match criteria are configured.

Command Modes

QoS class-map configuration (config-cmap)

Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.0(5)XE

This command was integrated into Cisco IOS Release 12.0(5)XE.

12.0(7)S

This command was integrated into Cisco IOS Release 12.0(7)S.

12.0(17)SL

This command was modified. This command was enhanced to include matching of access lists on the Cisco 10000 series routers.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.4(6)T

This command was modified. This command was enhanced to support the zone-based policy firewall.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB.

12.2SX

This command was integrated into the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

A traffic rate is generated for packets that match an access group. In zone-based policy firewalls, only the first packet that creates a session matches the configured policy. Subsequent packets in the flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the inspect action.

Zone-based policy firewalls support only the match access-group , match class-map , and match protocol commands. If you specify more than one match command in a class map, only the last command that you specified will be applied to the class map. The last match command overrides the previously entered match commands.

The match access-group command specifies the numbered access list against whose contents packets are checked to determine if they match the criteria specified in the class map. Access lists configured with the log keyword of the access-list command are not supported when you configure the match criteria. For more information about the access-list command, refer to the Cisco IOS IP Application Services Command Reference.

When this command is configured in Cisco IOS Release 15.0(1)M and later releases, the firewall inspects only Layer 4 policy maps. In releases prior to Cisco IOS Release 15.0(1)M, the firewall inspects both Layer 4 and Layer 7 policy maps.

For class-based weighted fair queueing (CBWFQ), you can define traffic classes based on the match criteria that include ACLs, experimental (EXP) field values, input interfaces, protocols, and quality of service (QoS) labels. Packets that satisfy the match criteria for a class constitute the traffic for that class.


Note

In zone-based policy firewalls, this command is not applicable for CBWFQ.

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration modes in which you can issue this command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

To use the match access-group command, you must configure the service-policy type performance-monitor inline command.

Supported Platforms Other than Cisco 10000 Series Routers

To use the match access-group command, you must configure the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:

  • match access-group

  • match input-interface

  • match mpls experimental

  • match protocol

Cisco 10000 Series Routers

To use the match access-group command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.


Note

The match access-group command specifies the numbered access list against whose contents packets are checked to determine if they match the criteria specified in the class map. Access lists configured with the log keyword of the access-list command are not supported when you configure the match criteria.

Cisco ASR 1000 Series Aggregation Services Routers

Cisco ASR 1000 Series Routers do not support more than 16 match statements per class map. An interface with more than 16 match statements rejects the service policy.

Examples

The following example shows how to specify a class map named acl144 and to configure the ACL numbered 144 to be used as the match criterion for that class: 

Device(config)# class-map acl144 
Device(config-cmap)# match access-group 144
The following example shows how to define a class map named c1 and configure the ACL numbered 144 to be used as the match criterion for that class: 

Device(config)# class-map type inspect match-all c1
Device(config-cmap)# match access-group 144

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

The following example shows how to configure a service policy for the Performance Monitor in policy inline configuration mode. The policy specifies that packets traversing Ethernet interface 0/0 must match ACL144. 


Device(config)# interface ethernet 0/0 
Device(config-if)# service-policy type performance-monitor inline input
Device(config-if-spolicy-inline)# match access-group name ACL144 
Device(config-if-spolicy-inline)# exit

Related Commands

Command

Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

class-map

Creates a class map to be used for matching packets to a specified class.

match access-group

Configures the match criteria for a class map on the basis of the specified ACL.

match class-map

Uses a traffic class as a classification policy.

match input-interface

Configures a class map to use the specified input interface as a match criterion.

match mpls experimental

Configures a class map to use the specified EXP field value as a match criterion.

match protocol

Configures the match criteria for a class map on the basis of the specified protocol.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

match application (class-map)

To use the metadata application as a match criterion for control plane classification, use the match application command in QoS class-map configuration mode. To remove a previously configured metadata application from being used as a match criterion for control plane classification, use the no form of this command.

match application {application-group application-group-name | attribute {category {business-and-productivity-tools | voice-and-video} | device-class device-class-type | media-type media-type | sub-category {remote-access-terminal | voice-video-chat-collaboration}} | application-name [source {msp | nbar | rsvp} | vendor vendor-name version version-number]}

no match application {application-group application-group-name | attribute {category {business-and-productivity-tools | voice-and-video} | device-class device-class-type | media-type media-type | sub-category {remote-access-terminal | voice-video-chat-collaboration}} | application-name [source {msp | nbar | rsvp} | vendor vendor-name version version-number]}

Syntax Description

application-group application-group-name

Specifies the application group that the control plane classification engine must match. Use one of the following values to specify the relevant application group: telepresence-group, vmware-group, webex-group.

attribute

Specifies the relevant attribute to match.

category

Specifies the category type that the control plane classification engine must match.

business-and-productivity-tools

Specifies the business and productivity tools.

voice-and-video

Specifies the voice and video category.

device-class device-class-type

Specifies the device class to match. Use one of the following values to specify the relevant device class: desktop-conferencing, desktop-virtualisation, physical-phone, room-conferencing, software-phone, surveillance.

media-type media-type

Specifies the type of media to match. Use one of the following values to specify the relevant media type: audio, audio-video control, data, andvideo.

sub-category

Specifies the subcategory to match.

remote-access-terminal

Specifies the remote access terminal subcategory.

voice-video-chat-collaboration

Specifies the voice, video, and collaboration subcategory.

application-name

Name of the application that the control plane classification engine must match. The following applications are supported: cisco-phone , citrix , h323 , jabber , rtp , rtsp , sip , telepresence-control , telepresence-data , telepresence-media , vmware-view , webex-data , webex-meeting , webex-streaming , webex-video , webex-voice , wyze-zero-client .

source

(Optional) Specifies the source of the application.

msp

Specifies the application source as Media-Proxy Services (MSP).

nbar

Specifies the application source as Network Based Application Recognition (NBAR).

rsvp

Specifies the application source as the Resource Reservation Protocol (RSVP).

vendor vendor-name

(Optional) Specifies the name of the vendor. Enter ? after the vendor keyword to get a list of supported vendors for the respective application name.

version version-number

(Optional) Specifies the version number.

Command Default

Metadata-based control plane classification is disabled.

Command Modes

QoS class-map configuration (config-cmap)

Command History

Release

Modification

15.2(1)T

This command was introduced.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

15.3(1)T

This command was modified. The source , msp , nbar , and rsvp keywords were added.

Cisco IOS XE Bengaluru 17.4.1

This command has been deprecated.

Usage Guidelines

Enabling metadata-based control plane classification on a per-platform, per-line card basis for Quality of Service (QoS) policies involves the following key steps:

  • Creating a class map with metadata-based filters.

  • Creating a policy map that uses classes.

  • Attaching a policy map to the target.

You can use the match application command to enable metadata-based filters that can be applied to a class map. Specifying the required application name ensures that the respective policies can be applied only to those flows that match the application name. The classification engine makes its first match.

You can use the match application command in conjunction with the any other match commands for specifying match criteria for classes. For example, you can use the match dscp command along with the match application command as the classification criteria for flows.

You can use the show metadata flow classification table command to check the metadata-based classification information.

You can use the debug metadata flow all command to check if a particular classification has been successfully created.


Note

With CSCub24690, the webex-data , webex-streaming , webex-video , and webex-voice keywords are not supported in the match application application-name command.

Examples

The following example shows how to configure a class map c1 and specify metadata application webex-meeting as the matching criterion, thus achieving control plane classification. Only those flows that match the metadata application webex-meeting will be considered for the appropriate action. 


Device(config)# class-map c1
Device(config-cmap)# match application webex-meeting

The following configuration is provided for the completeness of the example.

A policy map p1 that uses the previously configured class c1 is created. The requirement in this example is to provide a guaranteed bandwidth of 1 Mb/s to all the flows that match the criterion defined for class c1: 

Device(config)# policy-map p1
Device(config-pmap)# class c1
Device(config-pmap-c)# priority 1

The following configuration example shows how to attach a policy to a target interface: 

Device(config)# interface gigabitethernet 0/0
Device(config-if)# service-policy output p1

Related Commands

Command

Description

class (policy-map)

Specifies the name of the class whose policy you want to create or change.

class-map

Creates a class map to be used for matching packets to a specified class.

debug metadata

Enables debugging for metadata flow.

metadata application-params

Enters metadata application entry configuration mode and creates new metadata application parameters.

policy-map

Enters policy-map configuration mode and creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

priority

Gives priority to a class of traffic belonging to a policy map.

service-policy

Attaches a policy map to an input interface, a VC, an output interface, or a VC that will be used as the service policy for the interface or VC.

show metadata flow

Displays metadata flow information.

match any

To configure the match criteria for a class map to be successful match criteria for all packets, use the matchany command in class-map configuration or policy inline configuration mode. To remove all criteria as successful match criteria, use the no form of this command.

match any

no match any

Syntax Description

This command has no arguments or keywords.

Command Default

No match criteria are specified.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.0(5)XE

This command was introduced.

12.0(5)T

This command was integrated into Cisco IOS Release 12.0(5)T.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series routers.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

In the following configuration, all packets traversing Ethernet interface 1/1 will be policed based on the parameters specified in policy-map class configuration mode: 


Router(config)# class-map matchany
Router(config-cmap)# match any
Router(config-cmap)# exit
Router(config)# policy-map policy1
Router(config-pmap)# class class4
Router(config-pmap-c)# police 8100 1500 2504 conform-action transmit exceed-action set-qos-transmit 4
Router(config-pmap-c)# exit
Router(config)# interface ethernet1/1
Router(config-if)# service-policy output policy1

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that all packets traversing Ethernet interface 0/0 will be matched and monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match any
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

match input-interface

Configures a class map to use the specified input interface as a match criterion.

match protocol

Configures the match criteria for a class map on the basis of the specified protocol.

match atm-clp

To enable packet matching on the basis of the ATM cell loss priority (CLP), use the matchatm-clp command in class-map configuration mode. To disable packet matching on the basis of the ATM CLP, use the no form of this command.

match atm-clp

no match atm-clp

Syntax Description

This command has no arguments or keywords.

Command Default

Packets are not matched on the basis of the ATM CLP.

Command Modes


Class-map configuration (config-cmap)

Command History

Release

Modification

12.0(28)S

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

12.2(33)SRC

Support for the Cisco 7600 series router was added.

12.4(15)T2

This command was integrated into Cisco IOS Release 12.4(15)T2.

12.2(33)SB

Support for the Cisco 7300 series router was added.

Cisco IOS XE Release 2.3

This command was integrated into Cisco IOS XE Release 2.3.

Usage Guidelines

This command is supported on policy maps that are attached to ATM main interfaces, ATM subinterfaces, or ATM permanent virtual circuits (PVCs). However, policy maps (containing the matchatm-clp command) that are attached to these types of ATM interfaces can be input policy maps only .

This command is supported on the PA-A3 adapter only .

Examples

In the following example, a class called “class-c1” has been created using the class-map command, and the match atm-clp command has been configured inside that class. Therefore, packets are matched on the basis of the ATM CLP and are placed into this class. 


Router> enable
Router# configure terminal
Router(config)# class-map class-c1
 
Router(config-cmap)# match atm-clp
Router(config-cmap)# end

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

show atm pvc

Displays all ATM PVCs and traffic information.

show policy-map interface

Displays the packet statistics of all classes that are configured for all service policies either on the specified interface or subinterface or on a specific PVC on the interface.

match atm oam

To enable the control traffic classification on an ATM interface, use the matchatmoam command in class-map configuration mode. To disable the control traffic classification, use the no form of this command.

match atm oam

no match atm oam

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values

Command Modes


Class-map configuration

Command History

Release

Modification

12.0(30)S

This command was introduced.

Usage Guidelines

Use this command for policy maps attached to ATM interfaces or ATM permanent virtual circuits (PVCs). Policy maps containing the matchatmoam command attached to ATM interfaces or ATM PVCs can be input policy maps only.

Examples

The following example shows the control traffic classification being configured as the match criterion in a class map. The policy map containing this class map is then applied to the ATM interface. 


Router# configure terminal
 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# class-map class-oam
 
Router(config-cmap)# match atm oam
 
Router(config-cmap)# exit

Related Commands

Command

Description

show class-map

Displays all class maps and their matching criteria.

show policy-map

Displays all policy maps.

show policy-map interface

Displays the packet statistics of all classes that are configured for all service policies either on the specified ATM interface or on a specific PVC on the interface.

match atm-vci

To enable packet matching on the basis of the ATM virtual circuit interface (VCI), use the matchatm-vci command in class map configuration mode. To disable packet matching on the basis of the ATM VCI, use the no form of this command.

match atm-vci vc-id [-vc-id]

no match atm-vci

Syntax Description

vc-id

The VC number assigned to the virtual circuit between two provider edge routers. You can specify one VC or a range of VCs.

- vc-id

(Optional) The second VC number, separated from the first by a hyphen. If two VC numbers are specified, the range is 32 to 65535.

Command Default

No match criteria are configured.

Command Modes


Class map configuration (config-cmap)

Command History

Release

Modification

Cisco IOS XE Release 2.3

This command was introduced.

12.2(33)SRE

This command was modified. This command was integrated into Cisco IOS Release 12.2(33)SRE.

Usage Guidelines

When you configure the matchatm-vci command in class map configuration mode, you can add this class map to a policy map that can be attached only to an ATM permanent virtual path (PVP).


Note

On the Cisco 7600 series router, the matchatm-vci command is supported only in the ingress direction on an ATM VP.

You can use the matchnot command to match any VC except those you specify in the command.

Examples

The following example enables matching on VC ID 50: 


Router(config)# class-map map1
Router(config-cmap)# match atm-vci 50

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match not

Specifies a single match criterion value to use as an unsuccessful match criterion.

match class-map

To use a traffic class as a classification policy, use the match class-map command in class-map or policy inline configuration mode. To remove a specific traffic class as a match criterion, use the no form of this command.

match class-map class-map-nam e

no match class-map class-map-name

Syntax Description

class-map-name

Name of the traffic class to use as a match criterion.

Command Default

No match criteria are specified.

Command Modes


Class-map configuration (config-cmap)

Command History

Release

Modification

12.0(5)XE

This command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.4(6)T

This command was enhanced to support Zone-Based Policy Firewall.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was implemented on the Cisco 10000 series.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 3.2S

This command was integrated into Cisco IOS XE Release 3.2S.

Usage Guidelines

The only method of including both match-any and match-all characteristics in a single traffic class is to use the match class-map command. To combine match-any and match-all characteristics into a single class, do one of the following:

  • Create a traffic class with the match-any instruction and use a class configured with the match-all instruction as a match criterion (using the match class-map command).

  • Create a traffic class with the match-all instruction and use a class configured with the match-any instruction as a match criterion (using the match class-map command).

You can also use the match class-map command to nest traffic classes within one another, saving users the overhead of re-creating a new traffic class when most of the information exists in a previously configured traffic class.

When packets are matched to a class map, a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the 'inspect' action.

Examples

Examples

In the following example, the traffic class called class1 has the same characteristics as traffic class called class2, with the exception that traffic class class1 has added a destination address as a match criterion. Rather than configuring traffic class class1 line by line, you can enter the match class-map class2 command. This command allows all of the characteristics in the traffic class called class2 to be included in the traffic class called class1, and you can simply add the new destination address match criterion without reconfiguring the entire traffic class. 


Router(config)# class-map match-any class2
Router(config-cmap)# match protocol ip
Router(config-cmap)# match qos-group 3
Router(config-cmap)# match access-group 2
Router(config-cmap)# exit
Router(config)# class-map match-all class1
Router(config-cmap)# match class-map class2
Router(config-cmap)# match destination-address mac 1.1.1
Router(config-cmap)# exit

The following example shows how to combine the characteristics of two traffic classes, one with match-any and one with match-all characteristics, into one traffic class with the match class-map command. The result of traffic class called class4 requires a packet to match one of the following three match criteria to be considered a member of traffic class called class 4: IP protocol and QoS group 4, destination MAC address 1.1.1, or access group 2. Match criteria IP protocol and QoS group 4 are required in the definition of the traffic class named class3 and included as a possible match in the definition of the traffic class named class4 with the match class-map class3 command.

In this example, only the traffic class called class4 is used with the service policy called policy1. 


Router(config)# class-map match-all class3
Router(config-cmap)# match protocol ip
Router(config-cmap)# match qos-group 4
Router(config-cmap)# exit
Router(config)# class-map match-any class4
Router(config-cmap)# match class-map class3
Router(config-cmap)# match destination-address mac 1.1.1
Router(config-cmap)# match access-group 2
Router(config-cmap)# exit
Router(config)# policy-map policy1
Router(config-pmap)# class class4
Router(config-pmap-c)# police 8100 1500 2504 conform-action transmit exceed-action set-qos-transmit 4
Router(config-pmap-c)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match cos

To match a packet on the basis of a Layer 2 class of service (CoS)/Inter-Switch Link (ISL) marking, use the matchcos command in class-map configuration or policy inline configuration mode. To remove a specific Layer 2 CoS/ISL marking as a match criterion, use the no form of this command.

match cos cos-value [cos-value [cos-value [cos-value]]]

no match cos cos-value [cos-value [cos-value [cos-value]]]

Syntax Description

Supported Platforms Other Than the Cisco 10000 Series Routers

cos-value

Specific IEEE 802.1Q/ISL CoS value. The cos-value is from 0 to 7; up to four CoS values, separated by a space, can be specified in one matchcos statement.

Cisco 10000 Series Routers

cos-value

Specific packet CoS bit value. Specifies that the packet CoS bit value must match the specified CoS value. The cos-value is from 0 to 7; up to four CoS values, separated by a space, can be specified in one matchcos statement.

Command Default

Packets are not matched on the basis of a Layer 2 CoS/ISL marking.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.1(5)T

This command was introduced.

12.0(25)S

This command was integrated into Cisco IOS Release 12.0(25)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series routers.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SRC

This command was integrated into Cisco IOS Release 12.2(33)SRC and support for the Cisco 7600 series routers was added.

12.4(15)T2

This command was integrated into Cisco IOS Release 12.4(15)T2.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB and support for the Cisco 7300 series router was added.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

12.2(33)SCF

This command was integrated into Cisco IOS Release 12.2(33)SCF.

3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

15.1(2)SNG

This command was integrated into Cisco ASR 901 Series Aggregation Services Routers.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

In the following example, the CoS values of 1, 2, and 3 are successful match criteria for the interface that contains the classification policy named cos: 


Router(config)# class-map cos
Router(config-cmap)# match cos 1 2 3

In the following example, classes named voice and video-n-data are created to classify traffic based on the CoS values. QoS treatment is then given to the appropriate packets in the CoS-based-treatment policy map (in this case, the QoS treatment is priority 64 and bandwidth 512). The service policy configured in this example is attached to all packets leaving Fast Ethernet interface 0/0.1. The service policy can be attached to any interface that supports service policies. 


Router(config)# class-map voice
Router(config-cmap)# match cos 7
Router(config)# class-map video-n-data
Router(config-cmap)# match cos 5
Router(config)# policy-map cos-based-treatment
Router(config-pmap)# class voice
Router(config-pmap-c)# priority 64
Router(config-pmap-c)# exit
Router(config-pmap)# class video-n-data
Router(config-pmap-c)# bandwidth 512
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet0/0.1
Router(config-if)# service-policy output cos-based-treatment

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criteria of a CoS value of 2 will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match cos 2
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Examples

The following example shows how to match traffic classes for the 802.1p domain with packet CoS values: 


Router> enable
Router# config terminal
Router(config)# class-map cos7
Router(config-cmap)# match cos 2
Router(config-cmap)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Attaches a policy map to an input interface or VC, or an output interface or VC, to be used as the service policy for that interface or VC.

set cos

Sets the Layer 2 CoS value of an outgoing packet.

show class-map

Displays all class maps and their matching criteria.

match cos inner

To match the inner cos of QinQ packets on a Layer 2 class of service (CoS) marking, use the matchcosinner command in class-map configuration mode. To remove a specific Layer 2 CoS inner tag marking, use the no form of this command.

match cos cos-value

no match cos cos-value

Syntax Description

cos-value

Specific IEEE 802.1Q/ISL CoS value. The cos-value is from 0 to 7; up to four CoS values can be specified in one matchcos statement.

Command Default

No match criteria are specified.

Command Modes


Class-map configuration

Command History

Release

Modification

12.2(18)SXE

This command was introduced.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

Examples

In the following example, the inner CoS-values of 1, 2, and 3 are successful match criteria for the interface that contains the classification policy called cos: 


Router(config)# class-map cos

Router(config-cmap)# match cos inner 1 2 3

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Attaches a policy map to an input interface or VC, or an output interface or VC, to be used as the service policy for that interface or VC.

set cos

Sets the Layer 2 CoS value of an outgoing packet.

show class-map

Displays all class maps and their matching criteria.

match destination-address mac

To use the destination MAC address as a match criterion, use the matchdestination-addressmac command in class-map configuration or policy inline configuration mode. To remove a previously specified destination MAC address as a match criterion, use the no form of this command.

match destination-address mac address

no match destination-address mac address

Syntax Description

address

Destination MAC address to be used as a match criterion.

Command Default

No destination MAC address is specified.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.0(5)XE

This command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

The following example specifies a class map named macaddress and specifies the destination MAC address to be used as the match criterion for this class: 


Router(config)# class-map macaddress
Router(config-cmap)# match destination-address mac 00:00:00:00:00:00

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the specified destination MAC address will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match 
destination-address mac 00:00:00:00:00:00
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

match discard-class

To specify a discard class as a match criterion, use the matchdiscard-class command in class-map configuration or policy inline configuration mode. To remove a previously specified discard class as a match criterion, use the no form of this command.

match discard-class class-number

no match discard-class class-number

Syntax Description

class-number

Number of the discard class being matched. Valid values are 0 to 7.

Command Default

Packets will not be classified as expected.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.2(13)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series routers.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

A discard-class value has no mathematical significance. For example, the discard-class value 2 is not greater than 1. The value simply indicates that a packet marked with discard-class 2 should be treated differently than a packet marked with discard-class 1.

Packets that match the specified discard-class value are treated differently from packets marked with other discard-class values. The discard-class is a matching criterion only, used in defining per hop behavior (PHB) for dropping traffic.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

The following example shows that packets in discard class 2 are matched: 


Router(config)# class-map d-class-2
Router(config-cmap)# match discard-class 2

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criteria specified by discard-class 2 will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match 
discard-class 2
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

set discard-class

Marks a packet with a discard-class value.

match dscp

To identify one or more differentiated service code point (DSCP), Assured Forwarding (AF), and Certificate Server (CS) values as a match criterion, use the match dscp command in class-map configuration or policy inline configuration mode. To remove a specific DSCP value from a class map, use the no form of this command.

match [ip] dscp dscp-value [dscp-value dscp-value dscp-value dscp-value dscp-value dscp-value dscp-value]

no match [ip] dscp dscp-value

Syntax Description

ip

(Optional) Specifies that the match is for IPv4 packets only. If not used, the match is on both IPv4 and IPv6 packets.

Note 

For the Cisco 10000 series routers, the ip keyword is required.

dscp-value

The DSCP value used to identify a DSCP value. For valid values, see the “Usage Guidelines” section.

Command Default

No match criteria are configured.

Command Modes


class-map configuration (config-cmap)
policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.2(13)T

This command was introduced. This command replaces the match ip dscp command.

12.0(28)S

This command was integrated into Cisco IOS Release 12.0(28)S for support in IPv6.

12.0(17)SL

This command was integrated into Cisco IOS Release 12.0(17)SL and implemented on the Cisco 10000 series routers.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1 and implemented on Cisco ASR 1000 Series Routers.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policy type performance-monitor inline command.

DSCP Values

You must enter one or more differentiated service code point (DSCP) values. The command may include any combination of the following:

  • Numbers (0 to 63) representing differentiated services code point values

  • AF numbers (for example, af11) identifying specific AF DSCPs

  • CS numbers (for example, cs1) identifying specific CS DSCPs

  • default —Matches packets with the default DSCP.

  • ef —Matches packets with EF DSCP.

For example, if you wanted the DCSP values of 0, 1, 2, 3, 4, 5, 6, or 7 (note that only one of the IP DSCP values must be a successful match criterion, not all of the specified DSCP values), enter the match dscp 01234567 command.

This command is used by the class map to identify a specific DSCP value marking on a packet. In this context, dscp-value arguments are used as markings only and have no mathematical significance. For instance, the dscp-value of 2 is not greater than 1. The value simply indicates that a packet marked with the dscp-value of 2 is different than a packet marked with the dscp-value of 1. The treatment of these marked packets is defined by the user through the setting of Quality of Service (QoS) policies in policy-map class configuration mode.

Match Packets on DSCP Values

To match DSCP values for IPv6 packets only, the match protocol ipv6 command must also be used. Without that command, the DSCP match defaults to match both IPv4 and IPv6 packets.

To match DSCP values for IPv4 packets only, use the ip keyword. Without the ip keyword the match occurs on both IPv4 and IPv6 packets. Alternatively, the match protocol ip command may be used with match dscp to classify only IPv4 packets.

After the DSCP bit is set, other QoS features can then operate on the bit settings.

The network can give priority (or some type of expedited handling) to marked traffic. Typically, you set the precedence value at the edge of the network (or administrative domain); data is then queued according to the precedence. Weighted fair queueing (WFQ) can speed up handling for high-precedence traffic at congestion points. Weighted Random Early Detection (WRED) can ensure that high-precedence traffic has lower loss rates than other traffic during times of congestion.

Cisco 10000 Series Routers

The Cisco 10000 series routers support DSCP matching of IPv4 packets only. You must include the ip keyword when specifying the DSCP values to use as match criterion.

You cannot use the set ip dscp command with the set ip precedence command to mark the same packet. DSCP and precedence values are mutually exclusive. A packet can have one value or the other, but not both.

Examples

The following example shows how to set multiple match criteria. In this case, two IP DSCP values and one AF value. 



Router(config)# class-map map1
Router(config-cmap)# match dscp 1 2 af11

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criterion specified by DSCP value 2 will be monitored based on the parameters specified in the flow monitor configuration named fm-2: 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match dscp 2
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# end

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match protocol ip

Matches DSCP values for packets.

match protocol ipv6

Matches DSCP values for IPv6 packets.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Attaches a policy map to an input interface or VC, or an output interface or VC, to be used as the service policy for that interface or VC.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

set dscp

Marks the DSCP value for packets within a traffic class.

show class-map

Displays all class maps and their matching criteria.

match field


Note

Effective with Cisco IOS Release 15.2(4)M, the match field command is not available in Cisco IOS software.

To configure the match criteria for a class map on the basis of the fields defined in the protocol header description files (PHDFs), use the match field command in class-map configuration mode. To remove the specified match criteria, use the no form of this command.

match field protocol protocol-field {eq [mask] | neq [mask] | gt | lt | range range | regex string} value [next next-protocol]

no match field protocol protocol-field {eq [mask] | neq [mask] | gt | lt | range range | regex string} value [next next-protocol]

Syntax Description

protocol

Name of protocol whose PHDF has been loaded onto a router.

protocol field

Match criteria is based upon the specified f ield within the loaded protocol.

eq

Match criteria is met if the packet is equal to the specified value or mask.

neq

Match criteria is met if the packet is not equal to the specified value or mask.

mask mask

(Optional) Can be used when the eq or the neq keywords are issued.

gt

Match criteria is met if the packet does not exceed the specified value.

lt

Match criteria is met if the packet is less than the specified value.

range range

Match criteria is based upon a lower and upper boundary protocol field range.

regex string

Match criteria is based upon a string that is to be matched.

value

Value for which the packet must be in accordance with.

next next-protocol

Specify the next protocol within the stack of protocols that is to be used as the match criteria.

Command Default

No match criteria are configured.

Command Modes


Class-map configuration

Command History

Release

Modification

12.4(4)T

This command was introduced.

12.2(18)ZY

This command was integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA).

Cisco IOS XE 2.2

This command was integrated into Cisco IOS XE Release 2.2.

15.2(4)M

This command was removed from the Cisco IOS software.

Usage Guidelines

Before issuing the match-field command, you must load a PHDF onto the router via the load protocol command. Thereafter, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.

Match criteria are defined via a start point, offset, size, value to match, and mask. A match can be defined on a pattern with any protocol field.

Examples

The following example shows how to configure FPM for blaster packets. The class map contains the following match criteria: TCP port 135, 4444 or UDP port 69; and pattern 0x0030 at 3 bytes from start of IP header. 


load protocol disk2:ip.phdf
load protocol disk2:tcp.phdf
load protocol disk2:udp.phdf 
class-map type stack match-all ip-tcp
 match field ip protocol eq 0x6 next tcp
class-map type stack match-all ip-udp
 match field ip protocol eq 0x11 next udp
class-map type access-control match-all blaster1
 match field tcp dest-port eq 135
 match start 13-start offset 3 size 2 eq 0x0030
class-map type access-control match-all blaster2
 match field tcp dest-port eq 4444
 match start 13-start offset 3 size 2 eq 0x0030
class-map type access-control match-all blaster3
 match field udp dest-port eq 69
 match start 13-start offset 3 size 2 eq 0x0030
policy-map type access-control fpm-tcp-policy
 class blaster1
 drop
 class blaster2
 drop
policy-map type access-control fpm-udp-policy
 class blaster3
 drop
policy-map type access-control fpm-policy
 class ip-tcp
 service-policy fpm-tcp-policy
 class ip-udp
 service-policy fpm-udp-policy
interface gigabitEthernet 0/1
 service-policy type access-control input fpm-policy

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

load protocol

Loads a PHDF onto a router.

match start

Configures the match criteria for a class map on the basis of the datagram header (Layer 2) or the network header (Layer 3).

match flow pdp

To specify a Packet Data Protocol (PDP) flow as a match criterion in a class map, use the matchflowpdp command in class-map configuration mode. To remove a PDP flow as a match criterion, use the no form of this command.

match flow pdp

no match flow pdp

Syntax Description

This command has no arguments or keywords.

Command Default

A PDP flow is not specified as a match criterion.

Command Modes


Class-map configuration (config-cmap)

Command History

Release

Modification

12.3(8)XU

This command was introduced.

12.3(11)YJ

This command was integrated into Cisco IOS Release 12.3(11)YJ.

12.3(14)YQ

This command was integrated into Cisco IOS Release 12.3(14)YQ.

12.3(14)YU

This command was integrated into Cisco IOS Release 12.3(14)YU.

12.4(2)XB

This command was integrated into Cisco IOS Release 12.4(2)XB.

12.4(9)T

This command was integrated into Cisco IOS Release 12.4(9)T.

Usage Guidelines

The matchflowpdp command allows you to match and classify traffic on the basis of a PDP flow.

The matchflowpdp command is included with the Flow-Based QoS for GGSN feature available with Cisco IOS Release 12.4(9)T. The Flow-Based QoS for GGSN feature is designed specifically for the Gateway General Packet Radio Service (GPRS) Support Node (GGSN).

Per-PDP Policing

The Flow-Based QoS for GGSN feature includes per-PDP policing (session-based policing).

The matchflowpdp command (when used in conjunction with the class-map command, the policy-map command, the policeratepdp command, and the service-policy command) allows you to configure per-PDP policing (session-based policing) for downlink traffic on a GGSN.

Note the following points related to per-PDP policing:

  • When using the class-map command to define a class map for PDP flow classification, do not use the match-any keyword.

  • Per-PDP policing functionality requires that you configure Universal Mobile Telecommunications System (UMTS) quality of service (QoS). For information on configuring UMTS QoS, see the “Configuring QoS on the GGSN” section of the Cisco GGSN Release 6.0 Configuration Guide , Cisco IOS Release 12.4(2)XB.

  • The policy map created to configure per-PDP policing cannot contain multiple classes within which only the matchflowpdp command has been specified. In other words, if there are multiple classes in the policy map, the matchflowpdp command must be used in conjunction with another match statement (for example, matchprecedence ) in at least one class.

For More Information

For more information about the GGSN, along with the instructions for configuring the Flow-Based QoS for GGSN feature, see the Cisco GGSN Release 6.0 Configuration Guide , Cisco IOS Release 12.4(2)XB.


Note

To configure the Flow-Based QoS for GGSN feature, follow the instructions in the section called “ Configuring Per-PDP Policing .”

For more information about the GGSN-specific commands, see the Cisco GGSN Release 6.0 Command Reference , Cisco IOS Release 12.4(2)XB.

Examples

The following example specifies PDP flows as the match criterion in a class map named “class-pdp”: 


class-map class-pdp
 match flow pdp

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match precedence

Identifies IP precedence values as match criteria.

police rate pdp

Configures PDP traffic policing using the police rate.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Attaches a policy map to an interface.

match fr-dlci

To specify the Frame Relay data-link connection identifier (DLCI) number as a match criterion in a class map, use the matchfr-dlci command in class-map configuration or policy inline configuration mode. To remove a previously specified DLCI number as a match criterion, use the no form of this command.

match fr-dlci dlci-number

no match fr-dlci dlci-number

Syntax Description

dlci-number

Number of the DLCI associated with the packet.

Command Default

No DLCI number is specified.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

This match criterion can be used in main interfaces and point-to-multipoint subinterfaces in Frame Relay networks, and it can also be used in hierarchical policy maps.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

In the following example a class map named “class1” has been created and the Frame Relay DLCI number of 500 has been specified as a match criterion. Packets matching this criterion are placed in class1. 


Router(config)# class-map class1
Router(config-cmap)# match fr-dlci 500

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the Frame Relay DLCI number of 500 will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match 
fr-dlci 500
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

show class-map

Displays all class maps and their matching criteria.

show policy-map interface

Displays the packet statistics of all classes that are configured for all service policies either on the specified interface or subinterface or on a specific PVC on the interface.

match input vlan

To configure a class map to match incoming packets that have a specific virtual local area network (VLAN) ID, use the matchinputvlan command in class map configuration mode. To remove the matching of VLAN IDs, use the no form of this command.

match input vlan input-vlan-list

no match input vlan input-vlan-list

Syntax Description

input-vlan-list

One or more VLAN IDs to be matched. The valid range for VLAN IDs is from 1 to 4094, and the list of VLAN IDs can include one or all of the following:

  • Single VLAN IDs, separated by spaces. For example: 100 200 300

  • One or more ranges of VLAN IDs, separated by spaces. For example: 1-1024 2000-2499

Command Default

By default, no matching is done on VLAN IDs.

Command Modes


Class map configuration

Command History

Release

Modification

12.2(18)SXE

This command was introduced for Cisco Catalyst 6500 series switches and Cisco 7600 series routers.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

The matchinputvlan command allows you to create a class map that matches packets with one or more specific VLAN IDs, as they were received on the input (ingress) interface. This enables hierarchical Quality of Service (HQoS) for Ethernet over MPLS (EoMPLS) Virtual Circuits (VC), allowing parent and child relationships between QoS class maps and policy maps. This in turn enables service providers to easily classify and shape traffic for a particular EoMPLS network.

In EoMPLS applications, the parent class map typically specifies the maximum bandwidth for all of the VCs in a specific EoMPLS network. Then the child class maps perform other QoS operations, such as traffic shaping, on a subset of this traffic.

Do not confuse the matchinputvlan command with the matchvlan command, which is also a class-map configuration command.

  • The matchvlan command matches the VLAN ID on packets for the particular interface at which the policy map is applied. Policy maps using the matchvlan command can be applied to either ingress or egress interfaces on the router, using the service-policy {input | output } command.

  • The matchinputvlan command matches the VLAN ID that was on packets when they were received on the ingress interface on the router. Typically, policy maps using the matchinputvlan command are applied to egress interfaces on the router, using the service-policyoutput command.

The matchinputvlan command can also be confused with the matchinput-interfacevlan command, which matches packets being received on a logical VLAN interface that is used for inter-VLAN routing.


Tip

Because class maps also support the matchinput-interface command, you cannot abbreviate the input keyword when giving the matchinputvlan command.


Note

The matchinputvlan command cannot be used only on Layer 2 LAN ports on FlexWAN, Enhanced FlexWAN, and Optical Service Modules (OSM) line cards.

The following restrictions apply when using the matchinputvlan command:

  • You cannot attach a policy with matchinputvlan to an interface if you have already attached a service policy to a VLAN interface (a logical interface that has been created with the interfacevlan command).

  • Class maps that use the matchinputvlan command support only the match-any option. You cannot use the match-all option in class maps that use the matchinputvlan command.

  • If the parent class contains a class map with a matchinputvlan command, you cannot use a matchexp command in a child class map.

Examples

The following example creates a class map and policy map that matches packets with a VLAN ID of 1000. The policy map shapes this traffic to a committed information rate (CIR) value of 10 Mbps (10,000,000 bps). The final lines then apply this policy map to a specific gigabit Ethernet WAN interface. 


Router# configure terminal
 
Router(config)# class-map match-any vlan1000
 
Router(config-cmap)# match input vlan 1000
 
Router(config-cmap)# exit
 
Router(config)# policy-map policy1000
 
Router(config-pmap)# class vlan1000
 
Router(config-pmap-c)# exit
 
Router(config-pmap)# shape average 10000000
 
Router(config-pmap)# interface GE-WAN 3/0
 
Router(config-if)# service-policy output policy1000
 
Router(config-if)#

The following example shows a class map being configured to match VLAN IDs 100, 200, and 300: 


Router# configure terminal
 
Router(config)# class-map match-any hundreds
 
Router(config-cmap)# match input vlan 100 200 300
 
Router(config-cmap)#

The following example shows a class map being configured to match all VLAN IDs from 2000 to 2999 inclusive: 


Router# configure terminal
 
Router(config)# class-map match-any vlan2000s
 
Router(config-cmap)# match input vlan 2000-2999
 
Router(config-cmap)#

The following example shows a class map being configured to match both a range of VLAN IDs, as well as specific VLAN IDs: 


Router# configure terminal
 
Router(config)# class-map match-any misc
 
Router(config-cmap)# match input vlan 1 5 10-99 2000-2499
 
Router(config-cmap)#

Related Commands

Command

Description

clear cef linecard

Clears Cisco Express Forwarding (CEF) information on one or more line cards, but does not clear the CEF information on the main route processor (RP). This forces the line cards to synchronize their CEF information with the information that is on the RP.

match qos-group

Identifies a specified QoS group value as a match criterion.

mls qos trust

Sets the trusted state of an interface, to determine which incoming QoS field on a packet, if any, should be preserved.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Attaches a policy map to an input interface or VC, or an output interface or VC, to be used as the service policy for that interface or VC.

show policy-map

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.

show policy-map interface

Displays the configuration of all classes configured for all service policies on the specified interface or displays the classes for the service policy for a specific PVC on the interface.

show platform qos policy-map

Displays the type and number of policy maps that are configured on the router.

match input-interface

To configure a class map to use the specified input interface as a match criterion, use the match input-interface command in class-map configuration or policy inline configuration mode. To remove the input interface match criterion from a class map, use the no form of this command.

match input-interface interface-name

no match input-interface interface-name

Syntax Description

interface-name

Name of the input interface to be used as match criteria.

Command Default

No match criteria are specified.

Command Modes


Class-map configuration (config-cmap)

Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.0(5)XE

This command was integrated into Cisco IOS Release 12.0(5)XE.

12.0(7)S

This command was integrated into Cisco IOS Release 12.0(7)S.

12.0(17)SL

This command was enhanced to include matching on the input interface.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series routers.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.


Note

With CSCtx62310, the minimum string you must enter to uniquely identify this command is match input- . The device no longer accepts match input as an abbreviated version of this command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

To enter policy inline configuration mode, you must first enter the service-policy type performance-monitor inline command.

Supported Platforms Other Than Cisco 10000 Series Routers

For class-based weighted fair queueing (CBWFQ), you define traffic classes based on match criteria including input interfaces, access control lists (ACLs), protocols, quality of service (QoS) labels, and experimental (EXP) field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The match input-interface command specifies the name of an input interface to be used as the match criterion against which packets are checked to determine if they belong to the class specified by the class map.

To use the match input-interface command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:

  • match access-group

  • match input-interface

  • match mpls experimental

  • match protocol

If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.

Cisco 10000 Series Routers

For CBWFQ, you define traffic classes based on match criteria including input interfaces, ACLs, protocols, QoS labels, and EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

To use the match input-interface command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.

Examples

The following example specifies a class map named ethernet1 and configures the input interface named ethernet1 to be used as the match criterion for this class: 


Router(config)# class-map ethernet1 
Router(config-cmap)# match input-interface ethernet1

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criteria of the input interface named ethernet1 will be monitored based on the parameters specified in the flow monitor configuration named fm-2: 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match input-interface ethernet 1
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match access-group

Configures the match criteria for a class map based on the specified ACL.

match mpls experimental

Configures a class map to use the specified EXP field value as a match criterion.

match protocol

Configures the match criteria for a class map on the basis of the specified protocol.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

match ip dscp

The matchipdscp command is replaced by the match dscp command. See the match dscp command for more information.

match ip precedence

The matchipprecedence command is replaced by the match precedence command. See the match precedence command for more information.

match ip rtp

To configure a class map to use the Real-Time Protocol (RTP) port as the match criterion, use the matchiprtp command in class-map configuration or policy inline configuration mode. To remove the RTP port match criterion, use the no form of this command.

match ip rtp starting-port-number port-range

no match ip rtp

Syntax Description

starting-port-number

The starting RTP port number. Values range from 2000 to 65535.

port-range

The RTP port number range. Values range from 0 to 16383.

Command Default

No match criteria are specified.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.1(2)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series routers.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

This command is used to match IP RTP packets that fall within the specified port range. It matches packets destined to all even User Datagram Port (UDP) port numbers in the range from the starting port number argument to the starting port number plus the port range argument.

Use of an RTP port range as the match criterion is particularly effective for applications that use RTP, such as voice or video.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

The following example specifies a class map named ethernet1 and configures the RTP port number 2024 and range 1000 to be used as the match criteria for this class: 


Router(config)# class-map ethernet1 
Router(config-cmap)# match ip rtp 2024 1000

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criteria of RTP port number 2024 and range 1000 will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match 
ip rtp 2024 1000
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

ip rtp priority

Reserves a strict priority queue for a set of RTP packet flows belonging to a range of UDP destination ports.

match access-group

Configures the match criteria for a class map based on the specified ACL number.

match mpls experimental

To configure a class map to use the specified value or values of the experimental (EXP) field as a match criteria, use the matchmplsexperimental command in class-map configuration mode. To remove the EXP field match criteria from a class map, use the no form of this command.

match mpls experimental number

no match mpls experimental number

Syntax Description

number

EXP field value (any number from 0 through 7) to be used as a match criterion. You can specify multiple values, separated by a space (for example, 3 4 7).

Command Default

No match criteria are specified.

Command Modes


Class-map configuration

Command History

Release

Modification

12.0(7)XE1

This command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.2(4)T

This command was implemented on the Cisco MGX 8850 switch and the MGX 8950 switch with a Cisco MGX RPM-PR card.

12.2(4)T2

This command was implemented on the Cisco 7500 series.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Supported Platforms Other Than the Cisco 10000 Series

For class-based weighted fair queueing (CBWFQ), you define traffic classes based on match criteria such as input interfaces, access control lists (ACLs), protocols, quality of service (QoS) labels, and experimental (EXP) field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The matchmplsexperimental command specifies the name of an EXP field value to be used as the match criterion against which packets are compared to determine if they belong to the class specified by the class map.

To use the matchmplsexperimental command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:

  • match access-group

  • match input-interface

  • match mpls experimental

  • match protocol

If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.

Cisco 10000 Series

This command is available only on the ESR-PRE1 module.

For CBWFQ, you define traffic classes based on match criteria such as input interfaces, ACLs, protocols, QoS labels, and EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

To use the matchmplsexperimental command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.

Examples

The following example specifies a class map called ethernet1 and configures the Multiprotocol Label Switching (MPLS) experimental values of 1 and 2 to be used as the match criteria for this class: 


Router(config)# class-map ethernet1  
Router(config-cmap)# match mpls experimental 1 2

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match access-group

Configures the match criteria for a class map based on the specified ACL.

match input-interface

Configures a class map to use the specified input interface as a match criterion.

match mpls experimental topmost

Matches the EXP value in the topmost label.

match protocol

Matches traffic by a particular protocol.

match qos-group

Configures the match criteria for a class map based on the specified protocol.

match mpls experimental topmost

To match the experimental (EXP) value in the topmost label header, use the matchmplsexperimentaltopmost command in class-map configuration or policy inline configuration mode. To remove the EXP match criterion, use the no form of this command.

match mpls experimental topmost number

no match mpls experimental topmost number

Syntax Description

number

Multiprotocol Label Switching (MPLS) EXP field in the topmost label header. Valid values are 0 to 7.

Command Default

No EXP match criterion is configured for the topmost label header.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.2(13)T

This command was introduced.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB.

Cisco IOS XE Release 2.3

This command was integrated into Cisco IOS XE Release 2.3.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

12.2(33)SCF

This command was integrated into Cisco IOS Release 12.2(33)SCF.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

You can enter this command on the input interfaces and the output interfaces. It will match only on MPLS packets.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

The following example shows that the EXP value 3 in the topmost label header is matched: 


Router(config)# class-map mpls exp
Router(config-cmap)# match mpls experimental topmost 3

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criteria of a EXP value of 3 in the topmost label header will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match mpls experimental topmost 3
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

set mpls experimental topmost

Sets the MPLS EXP field value in the topmost MPLS label header at the input or output interfaces.

match not

To specify the single match criterion value to use as an unsuccessful match criterion, use the matchnot command in class-map configuration or policy inline configuration mode. To remove a previously specified source value to not use as a match criterion, use the no form of this command.

match not match-criterion

no match not match-criterion

Syntax Description

match-criterion

The match criterion value that is an unsuccessful match criterion. All other values of the specified match criterion will be considered successful match criteria.

Command Default

No unsuccessful match criterion is configured.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.0(5)XE

This command was introduced.

12.0(5)T

This command was integrated into Cisco IOS Release 12.0(5)T.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB and implemented on the Cisco 10000 series routers.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

The matchnot command is used to specify a quality of service (QoS) policy value that is not used as a match criterion. When thematchnot command is used, all other values of that QoS policy become successful match criteria.

For instance, if the matchnotqos-group4 command is issued in QoS class-map configuration mode, the specified class will accept all QoS group values except 4 as successful match criteria.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

In the following traffic class, all protocols except IP are considered successful match criteria: 


Router(config)# class-map noip
Router(config-cmap)# match not protocol ip

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 for all protocols except IP will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match not protocol ip
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

match packet length (class-map)

To specify the Layer 3 packet length in the IP header as a match criterion in a class map, use the matchpacketlength command in class-map configuration or policy inline configuration mode. To remove a previously specified Layer 3 packet length as a match criterion, use the no form of this command.

match packet length {max maximum-length-value [min minimum-length-value] | min minimum-length-value [max maximum-length-value]}

no match packet length {max maximum-length-value [min minimum-length-value] | min minimum-length-value [max maximum-length-value]}

Syntax Description

max

Indicates that a maximum value for the Layer 3 packet length is to be specified.

maximum-length-value

Maximum length value of the Layer 3 packet length, in bytes. The range is from 1 to 2000.

min

Indicates that a minimum value for the Layer 3 packet length is to be specified.

minimum-length-value

Minimum length value of the Layer 3 packet length, in bytes. The range is from 1 to 2000.

Command Default

The Layer 3 packet length in the IP header is not used as a match criterion.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.2(13)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.2

This command was integrated into Cisco IOS XE Release 2.2 and implemented on the Cisco ASR 1000 Series Routers.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

This command considers only the Layer 3 packet length in the IP header. It does not consider the Layer 2 packet length in the IP header.

When using this command, you must at least specify the maximum or minimum value. However, you do have the option of entering both values.

If only the minimum value is specified, a packet with a Layer 3 length greater than the minimum is viewed as matching the criterion.

If only the maximum value is specified, a packet with a Layer 3 length less than the maximum is viewed as matching the criterion.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Examples

In the following example a class map named “class 1” has been created, and the Layer 3 packet length has been specified as a match criterion. In this example, packets with a minimum Layer 3 packet length of 100 bytes and a maximum Layer 3 packet length of 300 bytes are viewed as meeting the match criteria. 


Router(config)# class-map match-all class1
Router(config-cmap)# match packet length min 100 max 300

Examples

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criteria of a minimum Layer 3 packet length of 100 bytes and a maximum Layer 3 packet length of 300 bytes will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match packet length min 100 max 300
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

show class-map

Displays all class maps and their matching criteria.

show policy-map interface

Displays the packet statistics of all classes that are configured for all service policies either on the specified interface or subinterface or on a specific PVC on the interface.

match port-type

To match the access policy on the basis of the port for a class map, use the matchport-type command in class-map configuration mode. To delete the port type, use the no form of this command.

match port-type {routed | switched}

no match port-type {routed | switched}

Syntax Description

routed

Matches the routed interface. Use this keyword if the class map has to be associated with only a routed interface.

switched

Matches the switched interface. Use this keyword if the class map has to be associated with only a switched interface.

Command Default

Access policy is not matched.

Command Modes


Class-map configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Usage Guidelines

This command is used because, on the basis of the port on which a user is connecting, the access policies that are applied to it can be different.

Examples

The following example shows that an access policy has been matched on the basis of the port for a class map:

Router(config-cmap)# matchport-typerouted

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match tag (class-map)

Specifies the tag to be matched for a tag type of class map.

match precedence

To identify IP precedence values to use as the match criterion, use the match precedence command in class-map configuration or policy inline configuration mode. To remove IP precedence values from a class map, use the no form of this command.

match [ip] precedence {precedence-criteria1 | precedence-criteria2 | precedence-criteria3 | precedence-criteria4}

no match [ip] precedence {precedence-criteria1 | precedence-criteria2 | precedence-criteria3 | precedence-criteria4}

Syntax Description

ip

(Optional) Specifies that the match is for IPv4 packets only. If not used, the match is on both IPv4 and IPv6 packets.

Note 

For the Cisco 10000 series routers, the ip keyword is required.

precedence-criteria1

precedence-criteria2

precedence-criteria3

precedence-criteria4

Identifies the precedence value. You can enter up to four different values, separated by a space. See the “Usage Guidelines” section for valid values.

Command Default

No match criterion is configured.

Command Modes


class-map configuration (config-cmap)
policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.2(13)T

This command was introduced. This command replaces the match ip precedence command.

12.0(17)SL

This command was integrated into Cisco IOS Release 12.0(17)SL and implemented on the Cisco 10000 series routers.

12.0(28)S

This command was integrated into Cisco IOS Release 12.0(28)S for IPv6.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

Cisco IOS XE Release 3.6

This command was implemented on the Cisco ASR 903 Router.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

You can enter up to four matching criteria, a number abbreviation (0 to 7) or criteria names (critical, flash, and so on), in a single match statement. For example, if you wanted the precedence values of 0, 1, 2, or 3 (note that only one of the precedence values must be a successful match criterion, not all of the specified precedence values), enter the match ip precedence 0123 command. The precedence-criteria numbers are not mathematically significant; that is, the precedence-criteria of 2 is not greater than 1. The way that these different packets are treated depends upon quality of service (QoS) policies, set in policy-map configuration mode.

You can configure a QoS policy to include IP precedence marking for packets entering the network. Devices within your network can then use the newly marked IP precedence values to determine how to treat the packets. For example, class-based weighted random early detection (WRED) uses IP precedence values to determine the probability that a packet is dropped. You can also mark voice packets with a particular precedence. You can then configure low-latency queueing (LLQ) to place all packets of that precedence into the priority queue.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policy type performance-monitor inline command.

Matching Precedence for IPv6 and IPv4 Packets on the Cisco 7600 and 10000 and Series Routers

On the Cisco 7600 series and 10000 series routers, you set matching criteria based on precedence values for only IPv6 packets using the matchprotocol command with the ipv6 keyword. Without that keyword, the precedence match defaults to match both IPv4 and IPv6 packets. You set matching criteria based on precedence values for IPv4 packets only using the ip keyword. Without the ip keyword the match occurs on both IPv4 and IPv6 packets.

Precedence Values and Names

The following table lists all criteria conditions by value, name, binary value, and recommended use. You may enter up to four criteria, each separated by a space. Only one of the precedence values must be a successful match criterion. The table below lists the IP precedence values.

Table 1. IP Precedence Values

Precedence Value

Precedence Name

Binary Value

Recommended Use

0

routine

000

Default marking value

1

priority

001

Data applications

2

immediate

010

Data applications

3

flash

011

Call signaling

4

flash-override

100

Video conferencing and streaming video

5

critical

101

Voice

6

internet (control)

110

Network control traffic (such as routing, which is typically precedence 6)

7

network (control)

111

Do not use IP precedence 6 or 7 to mark packets, unless you are marking control packets.

Examples

Examples

The following example shows how to configure the service policy named priority50 and attach service policy priority50 to an interface, matching for IPv4 traffic only. In a network where both IPv4 and IPv6 are running, you might find it necessary to distinguish between the protocols for matching and traffic segregation. In this example, the class map named ipprec5 will evaluate all IPv4 packets entering Fast Ethernet interface 1/0/0 for a precedence value of 5. If the incoming IPv4 packet has been marked with the precedence value of 5, the packet will be treated as priority traffic and will be allocated with bandwidth of 50 kbps. 



Router(config)# class-map ipprec5
Router(config-cmap)# match ip precedence 5
Router(config)# exit
Router(config)# policy-map priority50
Router(config-pmap)# class ipprec5
Router(config-pmap-c)# priority 50
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fa1/0/0
Router(config-if)# service-policy input priority50

Examples

The following example shows the same service policy matching on precedence for IPv6 traffic only. Notice that the match protocol command with the ipv6 keyword precedes the match precedence command. The match protocol command is required to perform matches on IPv6 traffic alone. 


Router(config)# class-map ipprec5
Router(config-cmap)# match protocol ipv6
Router(config-cmap)# match precedence 5
Router(config)# exit
Router(config)# policy-map priority50
Router(config-pmap)# class ipprec5
Router(config-pmap-c)# priority 50
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fa1/0/0
Router(config-if)# service-policy input priority50

Examples

The following example shows how to use policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the criterion of a match precedence of 4 will be monitored based on the parameters specified in the flow monitor configuration named fm-2: 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match precedence 4
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# end

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.

match protocol

Configures the match criteria for a class map on the basis of a specified protocol.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Attaches a policy map to an input interface or VC, or an output interface or VC, to be used as the service policy for that interface or VC.

service-policy type performance-monitor

Associates a Performance Monitor policy with an interface.

set ip precedence

Sets the precedence value in the IP header.

show class-map

Displays all class maps and their matching criteria, or a specified class map and its matching criteria.

match protocol

To configure the match criterion for a class map on the basis of a specified protocol, use the matchprotocol command in class-map configuration or policy inline configuration mode. To remove the protocol-based match criterion from the class map, use the no form of this command.

match protocol protocol-name

no match protocol protocol-name

Syntax Description

protocol-name

Name of the protocol (for example, bgp) used as a matching criterion. See the “Usage Guidelines” for a list of protocols supported by most routers.

Command Default

No match criterion is configured.

Command Modes


Class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.0(5)XE

This command was integrated into Cisco IOS Release 12.0(5)XE.

12.0(7)S

This command was integrated into Cisco IOS Release 12.0(7)S.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(13)E

This command was integrated into Cisco IOS Release 12.1(13)E and implemented on Catalyst 6000 family switches without FlexWAN modules.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(13)T

This command was modified to remove apollo , vines , and xns from the list of protocols used as matching criteria. These protocols were removed because Apollo Domain, Banyan VINES, and Xerox Network Systems (XNS) were removed in this release. The IPv6 protocol was added to support matching on IPv6 packets.

12.0(28)S

This command was integrated into Cisco IOS Release 12.0(28)S for IPv6.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(17a)SX1

This command was integrated into Cisco IOS Release 12.2(17a)SX1.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE and implemented on the Supervisor Engine 720.

12.4(6)T

This command was modified. The Napster protocol was removed because it is no longer supported.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2 and implemented on the Cisco 10000 series routers.

12.2(18)ZY

This command was integrated into Cisco IOS Release 12.2(18)ZY. This command was modified to enhance Network-Based Application Recognition (NBAR) functionality on the Catalyst 6500 series switch that is equipped with the Supervisor 32/programmable intelligent services accelerator (PISA) engine.

12.4(15)XZ

This command was integrated into Cisco IOS Release 12.4(15)XZ.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T and implemented on the Cisco 1700, Cisco 1800, Cisco 2600, Cisco 2800, Cisco 3700, Cisco 3800, Cisco 7200, and Cisco 7300 series routers.

Cisco IOS XE Release 2.2

This command was integrated into Cisco IOS XE Release 2.2 and implemented on the Cisco ASR 1000 Series Routers.

Cisco IOS XE Release 3.1S

This command was modified. Support for more protocols was added.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.

12.2(58)SE

This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.

3.16S Version 15.5(3)S

Added rtp-audio protocol.

3.17S Version 15.6(1)S

Added rtp-video protocol.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policytypeperformance-monitorinline command.

Supported Platforms Other Than Cisco 7600 Routers and Cisco 10000 Series Routers

For class-based weighted fair queueing (CBWFQ), you define traffic classes based on match criteria protocols, access control lists (ACLs), input interfaces, quality of service (QoS) labels, and Experimental (EXP) field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The matchprotocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

The matchprotocolipx command matches packets in the output direction only.

To use the matchprotocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:

  • match access-group

  • match input-interface

  • match mpls experimental

If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.

To configure NBAR to match protocol types that are supported by NBAR traffic, use the matchprotocol(NBAR) command.

Cisco 7600 Series Routers

The matchprotocol command in QoS class-map configuration configures NBAR and sends all traffic on the port, both ingress and egress, to be processed in the software on the Multilayer Switch Feature Card 2 (MSFC2).

For CBWFQ, you define traffic classes based on match criteria like protocols, ACLs, input interfaces, QoS labels, and Multiprotocol Label Switching (MPLS) EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The matchprotocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

If you want to use the matchprotocol command, you must first enter the class-map command to specify the name of the class to which you want to establish the match criteria.

If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.

This command can be used to match protocols that are known to the NBAR feature. For a list of protocols supported by NBAR, see the “Classification” part of the Cisco IOS Quality of Service Solutions Configuration Guide.

Cisco 10000 Series Routers

For CBWFQ, you define traffic classes based on match criteria including protocols, ACLs, input interfaces, QoS labels, and EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The matchprotocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

The matchprotocolipx command matches packets in the output direction only.

To use the matchprotocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.

If you are matching NBAR protocols, use the matchprotocol (NBAR) command.

Match Protocol Command Restrictions (Catalyst 6500 Series Switches Only)

Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed.

Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match protocol commands:

  • A single traffic class can be configured to match a maximum of 8 protocols or applications.

  • Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.

Supported Protocols

The table below lists the protocols supported by most routers. Some routers support a few additional protocols. For example, the Cisco 7600 router supports the AARP and DECnet protocols, while the Cisco 7200 router supports the directconnect and PPPOE protocols. For a complete list of supported protocols, see the online help for the matchprotocol command on the router that you are using.

Table 2. Supported Protocols

Protocol Name

Description

802-11-iapp

IEEE 802.11 Wireless Local Area Networks Working Group Internet Access Point Protocol

ace-svr

ACE Server/Propagation

aol

America-Online Instant Messenger

appleqtc

Apple QuickTime

arp *

IP Address Resolution Protocol (ARP)

bgp

Border Gateway Protocol

biff

Biff mail notification

bootpc

Bootstrap Protocol Client

bootps

Bootstrap Protocol Server

bridge *

bridging

cddbp

CD Database Protocol

cdp *

Cisco Discovery Protocol

cifs

CIFS

cisco-fna

Cisco FNATIVE

cisco-net-mgmt

cisco-net-mgmt

cisco-svcs

Cisco license/perf/GDP/X.25/ident svcs

cisco-sys

Cisco SYSMAINT

cisco-tdp

cisco-tdp

cisco-tna

Cisco TNATIVE

citrix

Citrix Systems Metaframe

citriximaclient

Citrix IMA Client

clns *

ISO Connectionless Network Service

clns_es *

ISO CLNS End System

clns_is *

ISO CLNS Intermediate System

clp

Cisco Line Protocol

cmns *

ISO Connection-Mode Network Service

cmp

Cluster Membership Protocol

compressedtcp *

Compressed TCP

creativepartnr

Creative Partner

creativeserver

Creative Server

cuseeme

CU-SeeMe desktop video conference

daytime

Daytime (RFC 867)

dbase

dBASE Unix

dbcontrol_agent

Oracle Database Control Agent

ddns-v3

Dynamic DNS Version 3

dhcp

Dynamic Host Configuration

dhcp-failover

DHCP Failover

directconnect

Direct Connect

discard

Discard port

dns

Domain Name Server lookup

dnsix

DNSIX Security Attribute Token Map

echo

Echo port

edonkey

eDonkey

egp

Exterior Gateway Protocol

eigrp

Enhanced Interior Gateway Routing Protocol

entrust-svc-handler

Entrust KM/Admin Service Handler

entrust-svcs

Entrust sps/aaas/aams

exec

Remote Process Execution

exchange

Microsoft RPC for Exchange

fasttrack

FastTrack Traffic (KaZaA, Morpheus, Grokster, and so on)

fcip-port

FCIP

finger

Finger

ftp

File Transfer Protocol

ftps

FTP over TLS/SSL

gdoi

Group Domain of Interpretation

giop

Oracle GIOP/SSL

gnutella

Gnutella Version 2 Traffic (BearShare, Shareeza, Morpheus, and so on)

gopher

Gopher

gre

Generic Routing Encapsulation

gtpv0

GPRS Tunneling Protocol Version 0

gtpv1

GPRS Tunneling Protocol Version 1

h225ras

H225 RAS over Unicast

h323

H323 Protocol

h323callsigalt

H323 Call Signal Alternate

hp-alarm-mgr

HP Performance data alarm manager

hp-collector

HP Performance data collector

hp-managed-node

HP Performance data managed node

hsrp

Hot Standby Router Protocol

http

Hypertext Transfer Protocol

https

Secure Hypertext Transfer Protocol

ica

ica (Citrix)

icabrowser

icabrowser (Citrix)

icmp

Internet Control Message Protocol

ident

Authentication Service

igmpv3lite

IGMP over UDP for SSM

imap

Internet Message Access Protocol

imap3

Interactive Mail Access Protocol 3

imaps

IMAP over TLS/SSL

ip *

IP (version 4)

ipass

IPASS

ipinip

IP in IP (encapsulation)

ipsec

IP Security Protocol (ESP/AH)

ipsec-msft

Microsoft IPsec NAT-T

ipv6 *

IP (version 6)

ipx

IPX

irc

Internet Relay Chat

irc-serv

IRC-SERV

ircs

IRC over TLS/SSL

ircu

IRCU

isakmp

ISAKMP

iscsi

iSCSI

iscsi-target

iSCSI port

kazaa2

Kazaa Version 2

kerberos

Kerberos

l2tp

Layer 2 Tunnel Protocol

ldap

Lightweight Directory Access Protocol

ldap-admin

LDAP admin server port

ldaps

LDAP over TLS/SSL

llc2 *

llc2

login

Remote login

lotusmtap

Lotus Mail Tracking Agent Protocol

lotusnote

Lotus Notes

mgcp

Media Gateway Control Protocol

microsoft-ds

Microsoft-DS

msexch-routing

Microsoft Exchange Routing

msnmsgr

MSN Instant Messenger

msrpc

Microsoft Remote Procedure Call

msrpc-smb-netbios

MSRPC over TCP port 445

ms-cluster-net

MS Cluster Net

ms-dotnetster

Microsoft .NETster Port

ms-sna

Microsoft SNA Server/Base

ms-sql

Microsoft SQL

ms-sql-m

Microsoft SQL Monitor

mysql

MySQL

n2h2server

N2H2 Filter Service Port

ncp

NCP (Novell)

net8-cman

Oracle Net8 Cman/Admin

netbios

Network Basic Input/Output System

netbios-dgm

NETBIOS Datagram Service

netbios-ns

NETBIOS Name Service

netbios-ssn

NETBIOS Session Service

netshow

Microsoft Netshow

netstat

Variant of systat

nfs

Network File System

nntp

Network News Transfer Protocol

novadigm

Novadigm Enterprise Desktop Manager (EDM)

ntp

Network Time Protocol

oem-agent

OEM Agent (Oracle)

oracle

Oracle

oracle-em-vp

Oracle EM/VP

oraclenames

Oracle Names

orasrv

Oracle SQL*Net v1/v2

ospf

Open Shortest Path First

pad *

Packet assembler/disassembler (PAD) links

pcanywhere

Symantec pcANYWHERE

pcanywheredata

pcANYWHEREdata

pcanywherestat

pcANYWHEREstat

pop3

Post Office Protocol

pop3s

POP3 over TLS/SSL

pppoe

Point-to-Point Protocol over Ethernet

pptp

Point-to-Point Tunneling Protocol

printer

Print spooler/ldp

pwdgen

Password Generator Protocol

qmtp

Quick Mail Transfer Protocol

radius

RADIUS & Accounting

rcmd

Berkeley Software Distribution (BSD) r-commands (rsh, rlogin, rexec)

rdb-dbs-disp

Oracle RDB

realmedia

RealNetwork’s Realmedia Protocol

realsecure

ISS Real Secure Console Service Port

rip

Routing Information Protocol

router

Local Routing Process

rsrb *

Remote Source-Route Bridging

rsvd

RSVD

rsvp

Resource Reservation Protocol

rsvp-encap

RSVP ENCAPSULATION-1/2

rsvp_tunnel

RSVP Tunnel

rtc-pm-port

Oracle RTC-PM port

rtelnet

Remote Telnet Service

rtp

Real-Time Protocol

rtp-audio

Real-Time Protocol - audio

rtp-video

Real-Time Protocol - video

rtsp

Real-Time Streaming Protocol

r-winsock

remote-winsock

secure-ftp

FTP over Transport Layer Security/Secure Sockets Layer (TLS/SSL)

secure-http

Secured HTTP

secure-imap

Internet Message Access Protocol over TLS/SSL

secure-irc

Internet Relay Chat over TLS/SSL

secure-ldap

Lightweight Directory Access Protocol over TLS/SSL

secure-nntp

Network News Transfer Protocol over TLS/SSL

secure-pop3

Post Office Protocol over TLS/SSL

secure-telnet

Telnet over TLS/SSL

send

SEND

shell

Remote command

sip

Session Initiation Protocol

sip-tls

Session Initiation Protocol-Transport Layer Security

skinny

Skinny Client Control Protocol

sms

SMS RCINFO/XFER/CHAT

smtp

Simple Mail Transfer Protocol

snapshot

Snapshot routing support

snmp

Simple Network Protocol

snmptrap

SNMP Trap

socks

Sockets network proxy protocol (SOCKS)

sqlnet

Structured Query Language (SQL)*NET for Oracle

sqlserv

SQL Services

sqlsrv

SQL Service

sqlserver

Microsoft SQL Server

ssh

Secure shell

sshell

SSLshell

ssp

State Sync Protocol

streamwork

Xing Technology StreamWorks player

stun

cisco Serial Tunnel

sunrpc

Sun remote-procedure call (RPC)

syslog

System Logging Utility

syslog-conn

Reliable Syslog Service

tacacs

Login Host Protocol (TACACS)

tacacs-ds

TACACS-Database Service

tarantella

Tarantella

tcp

Transport Control Protocol

telnet

Telnet

telnets

Telnet over TLS/SSL

tftp

Trivial File Transfer Protocol

time

Time

timed

Time server

tr-rsrb

cisco RSRB

tto

Oracle TTC/SSL

udp

User Datagram Protocol

uucp

UUCPD/UUCP-RLOGIN

vdolive

VDOLive streaming video

vofr *

Voice over Frame Relay

vqp

VLAN Query Protocol

webster

Network Dictionary

who

Who’s service

wins

Microsoft WINS

x11

X Window System

xdmcp

XDM Control Protocol

xwindows *

X-Windows remote access

ymsgr

Yahoo! Instant Messenger

* This protocol is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine.

Examples

The following example specifies a class map named ftp and configures the FTP protocol as a match criterion: 


Router(config)# class-map ftp
Router(config-cmap)
#
 match protocol ftp

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 for the IP protocol will be monitored based on the parameters specified in the flow monitor configuration namedfm-2 : 


Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match protocol ip
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands