Network-Based Application Recognition
Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.
Configuration Information
Configuration information begins with the "Classifying Network Traffic Using NBAR Roadmap" module of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4T, at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcg/tqos_c/part_05/qsnbarrm.htm
For a complete list of NBAR-related features included in the Cisco IOS Quality of Service Solutions Configuration Guide, see the Supported NBAR-Related Features table located toward the end of the roadmap.
New or Modified Commands
The following commands are new or modified for this feature:
match protocol
To configure the match criterion for a class map on the basis of the specified protocol, use the match protocol command in class-map configuration mode. To remove the protocol-based match criterion from a class map, use the no form of this command.
match protocol protocol-name
no match protocol protocol-name
Syntax Description
protocol-name
Name of the protocol (for example, bgp) used as a matching criterion. See the "Usage Guidelines" for a list of protocols supported by most routers.
Command Default
No match criterion is configured.
Command Modes
Class-map configuration
Command History
Usage Guidelines
Supported Platforms Other Than Cisco 7600 Routers and Cisco 10000 Series Routers
For class-based weighted fair queueing (CBWFQ), you define traffic classes based on match criteria protocols, access control lists (ACLs), input interfaces, Quality of Service (QoS) labels, and Experimental (EXP) field values. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
The match protocol ipx command matches packets in the output direction only.
To use the match protocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:
• match access-group
• match input-interface
• match mpls experimental
If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.
To configure network-based application recognition (NBAR) to match protocol types that are supported by NBAR traffic, use the match protocol (NBAR) command.
Cisco 7600 Routers
The match protocol command in QoS class-map configuration configures NBAR and sends all traffic on the port, both ingress and egress, to be processed in the software on the MSFC2.
For class-based weighted fair queuing (CBWFQ), you define traffic classes based on match criteria like protocols, ACLs, input interfaces, QoS labels, and Multiprotocol Label Switching (MPLS) EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
If you want to use the match protocol command, you must first enter the class-map command to specify the name of the class to which you want to establish the match criteria.
If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.
This command can be used to match protocols that are known to the NBAR feature. For a list of protocols supported by NBAR, see the "Classification" part of the Cisco IOS Quality of Service Solutions Configuration Guide.
Cisco 10000 Series Routers
For CBWFQ, you define traffic classes based on match criteria including protocols, ACLs, input interfaces, QoS labels, and EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
The match protocol ipx command matches packets in the output direction only.
To use the match protocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.
If you are matching NBAR protocols, use the match protocol (NBAR) command.
Supported Protocols
Table 1 lists the protocols supported by most routers. Some routers support a few additional protocols. For example, the Cisco 7600 router supports the aarp and decnet protocols, while the Cisco 7200 router supports the directconnect and pppoe protocols. For a complete list of supported protocols, see the online help for the match protocol command on the router that you are using.
* This protocol is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine.
Match Protocol Command Restrictions (Catalyst 6500 Series Switches Only)
Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed.
Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match protocol commands:
• A single traffic class can be configured to match a maximum of 8 protocols or applications.
• Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.
Examples
The following example specifies a class map called ftp and configures the File Transfer Protocol (FTP) protocol as match criteria:
Router(config)# class-map ftp
Router(config-cmap)# match protocol ftp
Related Commands
match protocol (NBAR)
To configure Network-Based Application Recognition (NBAR) to match traffic by a protocol type known to NBAR, use the match protocol command in class-map configuration mode. To disable NBAR from matching traffic by a known protocol type, use the no form of this command.
match protocol protocol-name [variable-field-name value]
no match protocol protocol-name [variable-field-name value]
Syntax Description
protocol-name
Particular protocol type known to NBAR. These known protocol types can be used to match traffic. For a list of protocol types known to NBAR, see Table 2 in "Usage Guidelines."
variable-field-name
(Optional and usable only with custom protocols) Predefined variable that was created when you created a custom protocol. The variable-field-name will match the field-name variable entered when you created the custom protocol.
value
(Optional and usable only with custom protocols) Specific value in the custom payload to match. A value can be entered along with a variable-field-name only. The value can be expressed in decimal or hexadecimal format.
Defaults
Traffic is not matched by a protocol type known to NBAR.
Command Modes
Class-map configuration
Command History
Usage Guidelines
Use the match protocol (NBAR) command to match protocol types that are known to NBAR. NBAR is capable of classifying the following types of protocols:
• Non-UDP and non-TCP IP protocols
• TCP and UDP protocols that use statically assigned port numbers
• TCP and UDP protocols that dynamically assign port numbers and therefore require stateful inspection
Table 2 lists the protocols that NBAR can classify. This table organizes the NBAR-supported protocols by category.
Table 2 NBAR-Supported Protocols
| Category | Protocol | Type | Well-Known Port Number | Description | Syntax | Cisco IOS Release¹ |
|---|---|---|---|---|---|---|
| Enterprise Application | Citrix ICA | TCP/UDP | Dynamically Assigned | Citrix ICA traffic by application name | citrix; citrix app | 12.1(2)E, 12.1(5)T |
| | PCAnywhere | TCP | 5631, 65301 | Symantec pcAnywhere | pcanywhere | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | PCAnywhere | UDP | 22, 5632 | Symantec pcAnywhere | pcanywhere | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Novadigm | TCP/UDP | 3460-3465 | Novadigm Enterprise Desktop Manager (EDM) | novadigm | 12.1(2)E, 12.1(5)T |
| | SAP | TCP | 3300-3315 (sap-pgm.pdlm); 3200-3215 (sap-app.pdlm); 3600-3615 (sap-msg.pdlm) | Application server to application server traffic (sap-pgm.pdlm); client to application server traffic (sap-app.pdlm); client to message server traffic (sap-msg.pdlm) | sap | 12.3, 12.3T, 12.2T, 12.1E |
| Routing Protocol | BGP | TCP/UDP | 179 | Border Gateway Protocol | bgp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | EGP | IP | 8 | Exterior Gateway Protocol | egp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | EIGRP | IP | 88 | Enhanced Interior Gateway Routing Protocol | eigrp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | OSPF | TCP | Dynamically Assigned | Open Shortest Path First | ospf | 12.3(8)T |
| | RIP | UDP | 520 | Routing Information Protocol | rip | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Database | SQL*NET | TCP/UDP | Dynamically Assigned | SQL*NET for Oracle | sqlnet | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | MS-SQLServer | TCP | 1433 | Microsoft SQL Server Desktop Videoconferencing | sqlserver | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Security and Tunneling | GRE | IP | 47 | Generic Routing Encapsulation | gre | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | IPINIP | IP | 4 | IP in IP | ipinip | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | IPsec | IP | 50, 51 | IP Encapsulating Security Payload/Authentication Header | ipsec | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | L2TP | UDP | 1701 | L2F/L2TP Tunnel | l2tp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | MS-PPTP | TCP | 1723 | Microsoft Point-to-Point Tunneling Protocol for VPN | pptp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SFTP | TCP | 990 | Secure FTP | secure-ftp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SHTTP | TCP | 443 | Secure HTTP | secure-http | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SIMAP | TCP/UDP | 585, 993 | Secure IMAP | secure-imap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SIRC | TCP/UDP | 994 | Secure IRC | secure-irc | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SLDAP | TCP/UDP | 636 | Secure LDAP | secure-ldap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SNNTP | TCP/UDP | 563 | Secure NNTP | secure-nntp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SPOP3 | TCP/UDP | 995 | Secure POP3 | secure-pop3 | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | STELNET | TCP | 992 | Secure Telnet | secure-telnet | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SOCKS | TCP | 1080 | Firewall Security Protocol | socks | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SSH | TCP | 22 | Secured Shell | ssh | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Network Management | ICMP | IP | 1 | Internet Control Message Protocol | icmp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SNMP | TCP/UDP | 161, 162 | Simple Network Management Protocol | snmp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Syslog | UDP | 514 | System Logging Utility | syslog | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Network Mail Services | IMAP | TCP/UDP | 143, 220 | Internet Message Access Protocol | imap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | POP3 | TCP/UDP | 110 | Post Office Protocol | pop3 | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Exchange | TCP | 135 | MS-RPC for Exchange | exchange | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Notes | TCP/UDP | 1352 | Lotus Notes | notes | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | SMTP | TCP | 25 | Simple Mail Transfer Protocol | smtp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Directory | DHCP/BOOTP | UDP | 67, 68 | Dynamic Host Configuration Protocol/Bootstrap Protocol | dhcp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Finger | TCP | 79 | Finger User Information Protocol | finger | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | DNS | TCP/UDP | 53 | Domain Name System | dns | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Kerberos | TCP/UDP | 88, 749 | Kerberos Network Authentication Service | kerberos | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | LDAP | TCP/UDP | 389 | Lightweight Directory Access Protocol | ldap | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Streaming Media | CU-SeeMe | TCP/UDP | 7648, 7649 | Desktop Video Conferencing | cuseeme | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | CU-SeeMe | UDP | 24032 | Desktop Video Conferencing | cuseeme | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Netshow | TCP/UDP | Dynamically Assigned | Microsoft Netshow | netshow | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | RealAudio | TCP/UDP | Dynamically Assigned | RealAudio Streaming Protocol | realaudio | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | StreamWorks | UDP | Dynamically Assigned | Xing Technology Stream Works Audio and Video | streamwork | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | VDOLive | TCP/UDP | Dynamically Assigned | VDOLive Streaming Video | vdolive | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Streaming Media/Multimedia | RTSP | TCP/UDP | Dynamically Assigned | Real Time Streaming Protocol | rtsp | 12.3(11)T |
| | MGCP | TCP/UDP | 2427, 2428, 2727 | Media Gateway Control Protocol | mgcp | 12.3(7)T |
| Internet | FTP | TCP | Dynamically Assigned | File Transfer Protocol | ftp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Gopher | TCP/UDP | 70 | Internet Gopher Protocol | gopher | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | HTTP | TCP | 80² | Hypertext Transfer Protocol | http | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | IRC | TCP/UDP | 194 | Internet Relay Chat | irc | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Telnet | TCP | 23 | Telnet Protocol | telnet | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | TFTP | UDP | Dynamically Assigned | Trivial File Transfer Protocol | tftp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | NNTP | TCP/UDP | 119 | Network News Transfer Protocol | nntp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Signaling | RSVP | UDP | 1698, 1699 | Resource Reservation Protocol | rsvp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| RPC | NFS | TCP/UDP | 2049 | Network File System | nfs | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Sunrpc | TCP/UDP | Dynamically Assigned | Sun Remote Procedure Call | sunrpc | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Non-IP and LAN/Legacy | NetBIOS | TCP/UDP | 137, 138, 139 | NetBIOS over IP (MS Windows) | netbios | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Misc. | NTP | TCP/UDP | 123 | Network Time Protocol | ntp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | Printer | TCP/UDP | 515 | Printer | printer | 12.1(2)E, 12.1(5)T |
| | X Windows | TCP | 6000-6003 | X11, X Windows | xwindows | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| | r-commands | TCP | Dynamically Assigned | rsh, rlogin, rexec | rcmd | 12.0(5)XE2, 12.1(1)E, 12.1(5)T |
| Voice | H.323 | TCP | Dynamically Assigned | H.323 Teleconferencing Protocol | h323 | 12.3(7)T |
| | RTCP | TCP/UDP | Dynamically Assigned | Real-Time Control Protocol | rtcp | 12.1E, 12.2T, 12.3, 12.3T, 12.3(7)T |
| | RTP | TCP/UDP | Dynamically Assigned | Real-Time Transport Protocol Payload Classification | rtp | 12.2(8)T |
| | SIP | TCP/UDP | 5060 | Session Initiation Protocol | sip | 12.3(7)T |
| | SCCP/Skinny | TCP | 2000, 2001, 2002 | Skinny Client Control Protocol | skinny | 12.3(7)T |
| | Skype³ | TCP/UDP | Dynamically Assigned | Peer-to-Peer VoIP Client Software. Note: Cisco currently supports Skype version 1 only. | skype | 12.4(4)T |
| Peer-to-Peer File-Sharing Applications | BitTorrent | TCP | Dynamically Assigned, or 6881-6889 | BitTorrent File Transfer Traffic | bittorrent | 12.4(2)T |
| | Direct Connect | TCP/UDP | 411 | Direct Connect File Transfer Traffic | directconnect | 12.4(4)T |
| | eDonkey/eMule | TCP | 4662 | eDonkey File-Sharing Application. eMule traffic is also classified as eDonkey traffic in NBAR. | edonkey | 12.3(11)T |
| | FastTrack | N/A | Dynamically Assigned | FastTrack | fasttrack | 12.1(12c)E |
| | Gnutella | TCP | Dynamically Assigned | Gnutella | gnutella | 12.1(12c)E |
| | KaZaA | TCP/UDP | Dynamically Assigned | KaZaA. Note that earlier KaZaA version 1 traffic can be classified using FastTrack. | kazaa2 | 12.2(8)T |
| | WinMX | TCP | 6699 | WinMX Traffic | winmx | 12.3(7)T |
¹ Indicates the Cisco IOS maintenance release that first supported the protocol. This table is updated when a protocol is added to a new Cisco IOS release train.
² In Release 12.3(4)T, the NBAR Extended Inspection for Hypertext Transfer Protocol (HTTP) Traffic feature was introduced. This feature allows NBAR to scan TCP ports that are not well known and identify HTTP traffic traversing these ports.
³ Skype was introduced in Cisco IOS Release 12.4(4)T. As a result of this introduction, Skype is now native in (included with) the Cisco IOS software and uses the NBAR infrastructure new to Cisco IOS Release 12.4(4)T.
Custom Protocols Created with the ip nbar custom Command
The variable-field-name value is used in conjunction with the variable field-name field-length options that are entered when you create a custom protocol using the ip nbar custom command. The variable option allows NBAR to match traffic on the basis of a specific value of a custom protocol. For instance, if ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005 is entered to create a custom protocol, and then a class map using match protocol ftdd scid 804 is created, the created class map will match all traffic that has the value "804" at byte 125 entering or leaving TCP ports 5001 to 5005.
Up to 24 variable values per custom protocol can be expressed in class maps. For instance, in the following configuration, 4 variables are used and 20 more "scid" values could be used.
Router(config)# ip nbar custom ftdd field scid 125 variable 1 tcp range 5001 5005
Router(config)# class-map active-craft
Router(config-cmap)# match protocol ftdd scid 0x15
Router(config-cmap)# match protocol ftdd scid 0x21
Router(config)# class-map passive-craft
Router(config-cmap)# match protocol ftdd scid 0x11
Router(config-cmap)# match protocol ftdd scid 0x22
Match Protocol Command Restrictions (Catalyst 6500 Series Switches Only)
Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed.
Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match protocol commands:
• A single traffic class can be configured to match a maximum of 8 protocols or applications.
• Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.
Examples
The following example configures NBAR to match FTP traffic:
Router(config-cmap)# match protocol ftp
In the following example, custom protocol ftdd is created by using a variable. A class map matching this custom protocol based on the variable is also created. In this example, class map matchscidinftdd will match all traffic that has the value "804" at byte 125 entering or leaving TCP ports 5001 to 5005. The variable scid is 2 bytes in length.
Router(config)# ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005
Router(config)# class-map matchscidinftdd
Router(config-cmap)# match protocol ftdd scid 804
The same example above can also be done by using hexadecimal values in the class map as follows:
Router(config)# ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005
Router(config)# class-map matchscidinftdd
Router(config-cmap)# match protocol ftdd scid 0x324
In the following example, the variable keyword is used while you create a custom protocol, and class maps are configured to classify different values within the variable field into different traffic classes. Specifically, in the example below, variable scid values 0x15, 0x21, and 0x27 will be classified into class map active-craft, while scid values 0x11, 0x22, and 0x25 will be classified into class map passive-craft.
Router(config)# ip nbar custom ftdd field scid 125 variable 1 tcp range 5001 5005
Router(config)# class-map active-craft
Router(config-cmap)# match protocol ftdd scid 0x15
Router(config-cmap)# match protocol ftdd scid 0x21
Router(config-cmap)# match protocol ftdd scid 0x27
Router(config)# class-map passive-craft
Router(config-cmap)# match protocol ftdd scid 0x11
Router(config-cmap)# match protocol ftdd scid 0x22
Router(config-cmap)# match protocol ftdd scid 0x25
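As an added example that is not part of the Cisco page, the following Python models how the custom-protocol variable matching described above (the ftdd examples, decimal 804 versus hexadecimal 0x324, the 1-byte and 2-byte scid fields, and the 24-values-per-custom-protocol limit) is evaluated against a packet. It assumes that the offset counts bytes from the start of the TCP/UDP payload and that a multi-byte field is compared in network (big-endian) byte order; the page states neither.

```python
# Added example, not from the Cisco page: a small model of how a custom NBAR protocol
# with a "variable" field classifies packets, built around the page's ftdd example:
#   ip nbar custom ftdd 125 variable scid 2 tcp range 5001 5005
#   class-map matchscidinftdd
#    match protocol ftdd scid 804        (equivalently: match protocol ftdd scid 0x324)
# Assumptions not stated on the page: the offset counts bytes from the start of the
# TCP/UDP payload, and a multi-byte field is compared in network (big-endian) byte order.
from dataclasses import dataclass, field


@dataclass
class CustomProtocol:
    """Models 'ip nbar custom <name> <offset> variable <var> <len> <tcp|udp> range <lo> <hi>'."""
    name: str
    offset: int        # byte offset of the variable field within the payload
    var_name: str
    var_len: int       # field length in bytes (2 in the scid 804 example, 1 in the craft example)
    transport: str     # "tcp" or "udp"
    port_lo: int
    port_hi: int
    values_used: int = 0   # the page allows up to 24 variable values per custom protocol

    def port_matches(self, src_port: int, dst_port: int) -> bool:
        # "entering or leaving" the range: either endpoint may be the service port
        return any(self.port_lo <= p <= self.port_hi for p in (src_port, dst_port))

    def field_value(self, payload: bytes):
        end = self.offset + self.var_len
        if len(payload) < end:
            return None    # payload too short to contain the field: no match possible
        return int.from_bytes(payload[self.offset:end], "big")


@dataclass
class ClassMap:
    """Models 'class-map <name>' holding one or more 'match protocol <proto> <var> <value>'."""
    name: str
    protocol: CustomProtocol
    values: list = field(default_factory=list)

    def match_protocol(self, var_name: str, value_text: str) -> None:
        if var_name != self.protocol.var_name:
            raise ValueError(f"{self.protocol.name} has no variable {var_name}")
        value = int(value_text, 0)   # int(..., 0) accepts "804" and "0x324" like the CLI
        if not 0 <= value < (1 << (8 * self.protocol.var_len)):
            raise ValueError(f"{value_text} does not fit in {self.protocol.var_len} byte(s)")
        if self.protocol.values_used >= 24:
            raise ValueError("at most 24 variable values per custom protocol")
        self.protocol.values_used += 1
        self.values.append(value)

    def matches(self, transport: str, src_port: int, dst_port: int, payload: bytes) -> bool:
        p = self.protocol
        if transport != p.transport or not p.port_matches(src_port, dst_port):
            return False
        return p.field_value(payload) in self.values


def classify(class_maps, transport, src_port, dst_port, payload) -> str:
    """Return the name of the first class map the packet matches, else 'class-default'."""
    for cm in class_maps:
        if cm.matches(transport, src_port, dst_port, payload):
            return cm.name
    return "class-default"


def ftdd_packet(scid: int, var_len: int = 2) -> bytes:
    """Constructed sample payload: 125 filler bytes, the scid field, then trailing data."""
    return bytes(125) + scid.to_bytes(var_len, "big") + b"trailing-data"


if __name__ == "__main__":
    ftdd = CustomProtocol("ftdd", 125, "scid", 2, "tcp", 5001, 5005)
    cm = ClassMap("matchscidinftdd", ftdd)
    cm.match_protocol("scid", "804")
    print(classify([cm], "tcp", 40000, 5003, ftdd_packet(804)))   # matchscidinftdd
    print(classify([cm], "tcp", 40000, 5000, ftdd_packet(804)))   # class-default (port outside range)
```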
Related Commands
policy-map
To create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command. The policy-map command enters policy-map configuration mode in which you can configure or modify the class policies for that policy map.
Supported Platforms Other Than Cisco 10000 Series Routers
policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name
no policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name
Cisco 10000 Series Router
policy-map [type {control | service}] policy-map-name
no policy-map [type {control | service}] policy-map-name
Syntax Description
Command Default
The policy map is not configured.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode in which you can configure or modify the class policies for that policy map.
You can configure class policies in a policy map only if the classes have match criteria defined for them. You use the class-map and match commands to configure the match criteria for a class. Because you can configure a maximum of 64 class maps, no policy map can contain more than 64 class policies.
A single policy map can be attached to multiple interfaces concurrently. When you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies comprising the policy map. In this case, if the policy map is already attached to other interfaces, it is removed from them.
Whenever you modify class policy in an attached policy map, class-based weighted fair queueing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.
Class Queues (Cisco 10000 Series Routers Only)
The PRE2 allows you to configure 31 class queues in a policy map.
In a policy map, the PRE3 allows you to configure one priority level 1 queue, plus one priority level 2 queue, plus 12 class queues, plus one default queue.
Control Policies (Cisco 10000 Series Routers Only)
Control policies define the actions that your system will take in response to specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.
There are three steps involved in defining a control policy:
1. Create one or more control class maps, by using the class-map type control command.
2. Create a control policy map, using the policy-map type control command.
   A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
3. Apply the control policy map to a context, using the service-policy type control command.
Service Policies (Cisco 10000 Series Routers Only)
Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.
Policy Map Restrictions (Catalyst 6500 Series Switches Only)
Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match commands:
• You cannot modify an existing policy map if the policy map is attached to an interface. To modify the policy map, remove the policy map from the interface by using the no form of the service-policy command.
• Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed. However, the following restrictions apply:
  – A single traffic class can be configured to match a maximum of 8 protocols or applications.
  – Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.
Examples
The following example creates a policy map called policy1 and configures two class policies included in that policy map. The class policy called class1 specifies policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy configured match criteria are directed.
! The following commands create class-map class1 and define its match criteria:
class-map class1
 match access-group 136
! The following commands create the policy map, which is defined to contain policy
! specification for class1 and the default class:
policy-map policy1
 class class1
  bandwidth 2000
  queue-limit 40
 class class-default
  fair-queue 16
  queue-limit 20
The following example creates a policy map called policy9 and configures three class policies to belong to that map. Of these classes, two specify policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies policy for the default class called class-default to which packets that do not satisfy configured match criteria are directed.
policy-map policy9
 class acl136
  bandwidth 2000
  queue-limit 40
 class ethernet101
  bandwidth 3000
  random-detect exponential-weighting-constant 10
 class class-default
  fair-queue 10
  queue-limit 20
Examples for Cisco 10000 Series Routers Only
The following example shows the configuration of a control policy map named rule4. Control policy map rule4 contains one policy rule, which is the association of the control class named class3 with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3
 match access-type pppoe
 match domain cisco.com
 available nas-port-id
!
policy-map type control rule4
 class type control class3
  authorize nas-port-id
!
service-policy type control rule4
The following example shows the configuration of a service policy map named redirect-profile:
policy-map type service redirect-profile
 class type traffic CLASS-ALL
  redirect to group redirect-sg
Related Commands
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
Posted: Mon May 7 10:57:13 PDT 2007