
3831 Views 5 Replies Latest reply: Mar 12, 2012 5:02 AM by Antonio Knox - CCNP CCNA-SEC CIOSSS RSS


define class map and policy map

Mar 9, 2012 3:22 AM

gaurav 81 posts since
May 23, 2011

I have some confusion.

My question is:

What is a class map and a policy map, and what is the use of them? I know this is part of QoS, but I am not able to learn how I can use them. Can you please define them in depth?

  • Jonny7_2002 109 posts since
    Mar 23, 2009
    1. Mar 9, 2012 3:29 AM (in response to gaurav)
    Re: define class map and policy map

    A class map defines the traffic and the policy map creates a policy for the classes, with rules to follow. Sample config below:

     

    DEFINES THE TRAFFIC

    class-map match-any VOICE_TRAFFIC
     match access-group name VOICE_TRAFFIC
    class-map match-any FTP_INHOURS
     match access-group name FTP_TO_SERVER
    class-map match-any RDP_TRAFFIC
     match access-group name RDP_TRAFFIC
    !
    ! WORKING_HOURS is a time-range object that must be defined separately (not shown here)
    ip access-list extended FTP_TO_SERVER
     permit ip host 10.2.1.2 host 10.1.1.23 time-range WORKING_HOURS
    ip access-list extended RDP_TRAFFIC
     permit tcp 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 3389
    ip access-list extended VOICE_TRAFFIC
     permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255

    POLICY TO TELL THE ROUTER HOW TO TREAT THE TRAFFIC

    policy-map QOS_OUT_OVER_VPN
     class VOICE_TRAFFIC
      set dscp ef
      priority percent 38
     class RDP_TRAFFIC
      bandwidth remaining percent 65
     class FTP_INHOURS
      police rate 314500 bps peak-rate 314500 bps
       conform-action transmit
       exceed-action drop
       violate-action drop
     class class-default
      fair-queue

    I am not by any means a QoS expert, but this config works for my setup.

    Jon

  • Antonio Knox - CCNP CCNA-SEC CIOSSS 211 posts since
    Mar 25, 2009
    3. Mar 12, 2012 5:00 AM (in response to gaurav)
    Re: define class map and policy map

    gaurav,

    I used to wrestle with this idea when I first got started with service policies. I'm no QoS expert either, but I work with policy maps often. Let me give you a scenario.

    Try to think of a class-map as a traffic "classification" map that doesn't bind exclusively to individual ACLs, though that is one common usage. A class-map can include many categories of traffic, referenced in many ways, including matching one or multiple existing ACLs, IP precedence values, CoS values, DSCP marks, even other class maps, etc.

     

    Take a look here at the 'match' commands as a reference to some possibilities:

    http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html

    You will notice that not all class-maps only reference an ACL (or 'access-group name'). Class maps simply create a 'class' of traffic that will be acted upon in a similar way by the policy map, and they add various references to certain traffic by using the 'match' command. An ACL and a class map are not one and the same. Class maps can reference objects that would otherwise have nothing in common. Just to give you an example of what this could look like (using Jon's sample above):

    Let's assume that 'randomhosts' is an old ACL (42 lines long) that was used as an inbound VLAN ACL or something, but I wanted to treat that same permitted traffic as I did traffic matching the VOICE_TRAFFIC ACL, by marking it as EF. Why add extra lines to the VOICE_TRAFFIC ACL when I can just add the randomhosts ACL to the existing class map in one line (match access-group name randomhosts)? In a large configuration with many LONG ACLs, adding those lines manually and correctly could cause excessive admin overhead if many ACLs were referenced by copying existing rules from some ACLs to other ACLs. Along with 'randomhosts' traffic, I want to take any traffic seen by the service policy that is marked DSCP AF41 and change its marking to EF. How would I add this to my interesting traffic? You guessed it, add it to the class map. See below:

     

    class-map match-any VOICE_TRAFFIC
     match access-group name VOICE_TRAFFIC
     match access-group name randomhosts
     match dscp af41

    ip access-list extended VOICE_TRAFFIC
     permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
    ip access-list extended randomhosts
     permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
     .........
     !--- 40 lines of randomhosts ACL ---
     .........
     permit ip host 172.16.31.17 host 172.16.32.50

    policy-map QOS_OUT_OVER_VPN
     class VOICE_TRAFFIC
      set dscp ef
      priority percent 38

    Adding the extra match statements changed the whole idea of what the class-map is without adding much to the config. When using a class map on a small scale, you don't really see the benefit, but when you start saving admin time in classifying traffic by simply referencing existing resources (or even new ones), class maps make sense.

    I hope that this helps your understanding.
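
To make Jon's sample and Antonio's extension concrete, here is an added example that is not code from either post or from Cisco: a small Python model of how MQC evaluates a policy-map, fed a config constructed from the two samples above. It shows a match-any class-map ORing its match lines and a match-all class-map ANDing them, first-match class order in the policy-map, the `match dscp af41` line pulling already-marked traffic into VOICE_TRAFFIC, and the check a practitioner wants before pushing such a config: a class-map whose `match access-group` names an ACL that is never defined has no permit entries to match, so that traffic silently lands in class-default and the police action meant for it never fires. The embedded config deliberately leaves FTP_INHOURS pointing at an ACL called FTP_TO_MAGENTA that is not defined so the checker has something to find. Assumptions: the `in_range` callback stands in for the router clock evaluating a time-range, only `ip`/`tcp`/`udp` ACEs with `host` or wildcard addresses and a destination `eq` port are modelled, and packets are plain dicts.

```python
"""Model of Cisco MQC classification: match-any / match-all class-maps, ACL and DSCP matches, first-match policy-map order."""
import ipaddress

# Constructed config (assumption) built from the thread's samples; FTP_INHOURS is left pointing
# at an ACL (FTP_TO_MAGENTA) that is never defined, on purpose, so the checker has work to do.
CONFIG = """
ip access-list extended FTP_TO_SERVER
 permit ip host 10.2.1.2 host 10.1.1.23 time-range WORKING_HOURS
ip access-list extended RDP_TRAFFIC
 permit tcp 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 3389
ip access-list extended VOICE_TRAFFIC
 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
ip access-list extended randomhosts
 permit ip host 172.16.31.17 host 172.16.32.50
class-map match-any VOICE_TRAFFIC
 match access-group name VOICE_TRAFFIC
 match access-group name randomhosts
 match dscp af41
class-map match-any FTP_INHOURS
 match access-group name FTP_TO_MAGENTA
class-map match-all RDP_TRAFFIC
 match access-group name RDP_TRAFFIC
 match dscp af21
policy-map QOS_OUT_OVER_VPN
 class VOICE_TRAFFIC
  set dscp ef
  priority percent 38
 class RDP_TRAFFIC
 class FTP_INHOURS
  police rate 314500 bps
 class class-default
"""

def _addr(t):
    """Consume one ACE address spec ('host A' or 'NETWORK WILDCARD'); return (network, remaining words)."""
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(t[1])) & 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.ip_network((t[0], str(mask)), strict=False), t[2:]

def parse_ace(w):
    """Words of 'permit PROTO SRC DST [eq PORT] [time-range NAME]' (destination port only)."""
    src, rest = _addr(w[2:])
    dst, rest = _addr(rest)
    return {"proto": w[1], "src": src, "dst": dst, "dport": int(rest[1]) if rest[:1] == ["eq"] else None,
            "time_range": rest[-1] if "time-range" in rest else None}

def parse(config):
    """Build ACL, class-map and policy-map tables from an IOS-style config text (as in show run)."""
    cfg, kind, cur = {"acl": {}, "cmap": {}, "pmap": {}}, None, None
    for raw in config.strip().splitlines():
        w = raw.split()
        if not raw.startswith(" "):                          # a top-level command (or '!') ends the section
            kind, cur = None, None
            if w[:2] == ["ip", "access-list"]:
                kind, cur = "acl", cfg["acl"].setdefault(w[-1], [])
            elif w[0] == "class-map":                        # IOS defaults to match-all when omitted
                mode = w[1] if len(w) == 3 else "match-all"
                kind, cur = "cmap", cfg["cmap"].setdefault(w[-1], {"mode": mode, "match": []})
            elif w[0] == "policy-map":
                kind, cur = "pmap", cfg["pmap"].setdefault(w[1], [])
        elif kind == "acl" and w[0] == "permit":
            cur.append(parse_ace(w))
        elif kind == "cmap" and w[0] == "match":
            cur["match"].append(w[1:])                       # e.g. ['access-group', 'name', 'X']
        elif kind == "pmap" and w[0] == "class":
            cur.append((w[1], []))
        elif kind == "pmap" and cur:
            cur[-1][1].append(" ".join(w))                   # action line under the current class
    return cfg

def ace_matches(ace, pkt, in_range):
    """One ACE against one packet; a time-range ACE is live only while in_range(name) says so."""
    return (ace["proto"] in ("ip", pkt["proto"]) and ace["dport"] in (None, pkt.get("dport"))
            and ipaddress.ip_address(pkt["src"]) in ace["src"] and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and (ace["time_range"] is None or in_range(ace["time_range"])))

def cmap_matches(cfg, name, pkt, in_range):
    """match-any ORs the match lines, match-all ANDs them; an undefined ACL has no ACEs, so it never matches."""
    cm, hits = cfg["cmap"][name], []
    for m in cm["match"]:
        if m[0] == "access-group":
            hits.append(any(ace_matches(a, pkt, in_range) for a in cfg["acl"].get(m[-1], [])))
        elif m[0] == "dscp":                                 # 'match dscp a b c' matches any listed value
            hits.append(pkt.get("dscp") in m[1:])
        else:                                                # nested class-map; other criteria unsupported here
            hits.append(m[0] == "class-map" and cmap_matches(cfg, m[1], pkt, in_range))
    return any(hits) if cm["mode"] == "match-any" else bool(hits) and all(hits)

def classify(cfg, pmap, pkt, in_range=lambda name: True):
    """First class in policy-map order whose class-map matches, with its actions; class-default otherwise."""
    for cname, actions in cfg["pmap"][pmap]:
        if cname == "class-default" or (cname in cfg["cmap"] and cmap_matches(cfg, cname, pkt, in_range)):
            return cname, actions
    return "class-default", []

def dangling_references(cfg):
    """ACL names that class-maps reference but the config never defines (such matches hit nothing)."""
    return [f"class-map {c}: ACL {m[-1]} is not defined" for c, cm in cfg["cmap"].items()
            for m in cm["match"] if m[0] == "access-group" and m[-1] not in cfg["acl"]]
```

Usage: `cfg = parse(CONFIG)`; `dangling_references(cfg)` should come back empty before the policy is trusted, and `classify(cfg, "QOS_OUT_OVER_VPN", pkt)` with `pkt = {"src": ..., "dst": ..., "proto": "tcp", "dport": 21, "dscp": "cs0"}` tells you which class the packet lands in. As written, the FTP flow from 10.2.1.2 to 10.1.1.23 falls through to class-default and is never policed; point FTP_INHOURS at FTP_TO_SERVER instead and the same flow moves to FTP_INHOURS while WORKING_HOURS is active. On a real router the only symptom of the dangling name is a class counter in `show policy-map interface` that never increments, which is why the cross-reference check is worth running on the config text before it is applied.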

  • Antonio Knox - CCNP CCNA-SEC CIOSSS 211 posts since
    Mar 25, 2009
    5. Mar 12, 2012 5:02 AM (in response to gaurav)
    Re: define class map and policy map

    DSCP is a QoS marking that is used based on ToS. See below:

    http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800949f2.shtml

    Hope that helps.
