5 Replies   Latest reply: Mar 12, 2012 5:02 AM by Antonio Knox - CCNP R&S, CCNA R&S/Security

    define class map and police map

    gaurav

      I have some confusion.

      My question is:

      What is a class map and a policy map, and what is the use of them? I know this is part of QoS, but I am not able to learn how I can use them. Can you please define them in depth?

        • 1. Re: define class map and police map
          Jonny7_2002

          A class map defines the traffic and the policy map creates a policy for the classes, with rules to follow. Sample config below:

           

          DEFINES THE TRAFFIC

          class-map match-any VOICE_TRAFFIC
           match access-group name VOICE_TRAFFIC
          class-map match-any FTP_INHOURS
           ! the class must reference the ACL actually defined below
           match access-group name FTP_TO_SERVER
          class-map match-any RDP_TRAFFIC
           match access-group name RDP_TRAFFIC
          !
          ip access-list extended FTP_TO_SERVER
           permit ip host 10.2.1.2 host 10.1.1.23 time-range WORKING_HOURS
          ip access-list extended RDP_TRAFFIC
           permit tcp 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 3389
          ip access-list extended VOICE_TRAFFIC
           permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255

          POLICY TO TELL THE ROUTER HOW TO TREAT THE TRAFFIC

          policy-map QOS_OUT_OVER_VPN
           class VOICE_TRAFFIC
            set dscp ef
            priority percent 38
           class RDP_TRAFFIC
            bandwidth remaining percent 65
           class FTP_INHOURS
            police rate 314500 bps peak-rate 314500 bps
             conform-action transmit
             exceed-action drop
             violate-action drop
           class class-default
            fair-queue

           

           

          I am not by any means a QoS expert but this config works for my setup.

           

          Jon
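An added example, not code from Jon's post or from Cisco: a small Python checker that parses a snippet in the shape of the one above and resolves its references. The point for a reviewer is that a class-map whose `match access-group name` points at an ACL that does not exist simply matches no traffic, so the policing or queueing attached to that class never takes effect and nothing in the running config complains. The sample configuration inside the script is constructed and deliberately contains one such mismatch (FTP_TO_MAGENTA referenced, FTP_TO_SERVER defined).

```python
"""Cross-reference check for a Cisco IOS MQC snippet (class-map / policy-map / ACL).

Added example, not code from the thread. It parses the three object types
the sample configuration uses and reports dangling references: a class-map
that matches an ACL that was never defined, or a policy-map class that
names a class-map that does not exist.
"""
import re

# Constructed sample modelled on the thread's config. The FTP class
# deliberately references an ACL name that is not defined so the checker
# has something to find.
SAMPLE_CONFIG = """
class-map match-any VOICE_TRAFFIC
 match access-group name VOICE_TRAFFIC
class-map match-any FTP_INHOURS
 match access-group name FTP_TO_MAGENTA
class-map match-any RDP_TRAFFIC
 match access-group name RDP_TRAFFIC
!
ip access-list extended FTP_TO_SERVER
 permit ip host 10.2.1.2 host 10.1.1.23 time-range WORKING_HOURS
ip access-list extended RDP_TRAFFIC
 permit tcp 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 3389
ip access-list extended VOICE_TRAFFIC
 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
!
policy-map QOS_OUT_OVER_VPN
 class VOICE_TRAFFIC
  set dscp ef
  priority percent 38
 class RDP_TRAFFIC
  bandwidth remaining percent 65
 class FTP_INHOURS
  police rate 314500 bps peak-rate 314500 bps
   conform-action transmit
   exceed-action drop
   violate-action drop
 class class-default
  fair-queue
"""


def parse_mqc(text):
    """Return (acls, class_maps, policy_maps).

    acls:        set of ACL names defined with 'ip access-list ...'
    class_maps:  {name: {"mode": "match-any"|"match-all", "matches": [tokens]}}
    policy_maps: {name: [class names in the order they appear]}
    """
    acls, class_maps, policy_maps = set(), {}, {}
    section = kind = None  # current top-level block and its type
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
            acls.add(m.group(1))
            section = kind = None
        elif m := re.match(r"class-map (match-any|match-all) (\S+)$", line):
            kind, section = "class-map", m.group(2)
            class_maps[section] = {"mode": m.group(1), "matches": []}
        elif m := re.match(r"policy-map (\S+)$", line):
            kind, section = "policy-map", m.group(1)
            policy_maps[section] = []
        elif kind == "class-map" and line.startswith("match "):
            class_maps[section]["matches"].append(line.split()[1:])
        elif kind == "policy-map" and line.startswith("class "):
            policy_maps[section].append(line.split()[1])
    return acls, class_maps, policy_maps


def check_references(text):
    """Return a list of human-readable findings for dangling references."""
    acls, class_maps, policy_maps = parse_mqc(text)
    findings = []
    for cname, cmap in class_maps.items():
        for tokens in cmap["matches"]:
            # 'match access-group name <ACL>' must point at a defined ACL
            if tokens[:2] == ["access-group", "name"] and tokens[2] not in acls:
                findings.append(
                    f"class-map {cname}: 'match access-group name {tokens[2]}' "
                    f"references an undefined ACL (class matches nothing)")
    for pname, classes in policy_maps.items():
        for cname in classes:
            if cname != "class-default" and cname not in class_maps:
                findings.append(f"policy-map {pname}: class {cname} has no class-map")
    return findings


if __name__ == "__main__":
    for finding in check_references(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run it as-is to see the one warning; feed it `show running-config | section class-map|policy-map|access-list` output to check a real box. It only understands named ACLs and the `match access-group name` form, which is what the thread uses.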

          • 2. Re: define class map and police map
            gaurav

            Thank you for the reply, but I want to know what the functionality of a class map is. I am a little bit confused about it.

            I mean, when we make an access-list and define it in a class map, what is different be

            I mean, if we want to prevent anything for port 80 we can use an access-list, so why should we use a class map?

            • 3. Re: define class map and police map
              Antonio Knox - CCNP R&S, CCNA R&S/Security

              gaurav,

              I used to wrestle with this idea when I first got started with service policies.  I'm no QoS expert either, but I work with policy maps often.  Let me give you a scenario.

               

              Try to think of class-map as traffic "classification"-map that doesn't bind exclusively to individual ACLs, though that is one common usage.  A class-map can include many categories of traffic, referenced in many ways including matching one or multiple existing ACLs, IP precedence values, CoS values, DSCP marks, even other class maps, etc.

               

              Take a look here at the 'match' commands as a reference to some possibilities:

              http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html

               

              You will notice that not all class-maps only reference an ACL (or 'access-group name').  Class maps simply create a 'class' of traffic that will be acted upon in a similar way by the policy map, and it adds various references to certain traffic by using the 'match' command.  An ACL and a class map are not one and the same.  Class maps can reference objects that would otherwise have nothing in common.  Just to give you an example of what this could look like (using Jon's sample above):

               

              Let's assume that 'randomhosts' is an old ACL (42 lines long) that was used as an inbound vlan ACL or something, but I wanted to treat that same permitted traffic as I did traffic matching the VOICE_TRAFFIC ACL by marking it as EF.  Why add extra lines to the VOICE_TRAFFIC ACL when I can just add the randomhosts ACL to the existing class map in one line (match access-group name randomhosts)? In a large configuration with many LONG ACLs, adding those lines manually and correctly could cause excessive admin overhead if many ACLs were referenced by copying existing rules from some ACLs to other ACLs.  Along with 'randomhosts' traffic, I want to take any traffic seen by the service policy that is marked DSCP AF41 and change their marking to EF.  How would I add this to my interesting traffic?  You guessed it, add it to the class map.  See below:

               

              class-map match-any VOICE_TRAFFIC
               match access-group name VOICE_TRAFFIC
               match access-group name randomhosts
               match dscp af41

              ip access-list extended VOICE_TRAFFIC
               permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
              ip access-list extended randomhosts
               permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
               .........
               !--- 40 lines of randomhosts ACL ---
               .........
               permit ip host 172.16.31.17 host 172.16.32.50

              policy-map QOS_OUT_OVER_VPN
               class VOICE_TRAFFIC
                set dscp ef
                priority percent 38

               

              Adding the extra match statements changed the whole idea of what the class-map is without adding much to the config.  When using a class map in a small scale, you don't really see the benefit, but when you start saving admin time in classifying traffic by simply referencing existing resources (or even new ones), class maps make sense.

               

              I hope that this helps your understanding.
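As an added example (not part of Antonio's post), the Python below models how a match-any class-map like the one above classifies packets: every `match` line is a separate test, one passing test is enough, and an existing DSCP mark counts just as much as an ACL hit. The ACL entries and the VOICE_TRAFFIC class-map mirror the names in the post; the RDP class, the packets and the host addresses are constructed. It also makes the operational caveat visible: with `match dscp af41` on an interface where marks are trusted, a host that sets AF41 on its own packets lands in the EF priority class without appearing in any ACL, which is why marks are normally reset or policed at the trust boundary before a class-map like this sees them.

```python
"""Match-any vs match-all classification over a class-map with ACL and DSCP matches.

Added example, not code from the thread. Packets are small dicts, ACL
entries are tuples with IOS-style wildcard masks, and a policy-map is an
ordered list of class names (first matching class wins, as on IOS).
"""
import ipaddress


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace, pkt):
    """One access-control entry: (proto, src, src_wc, dst, dst_wc, dport|None).

    IOS wildcard masks: a 1 bit means 'don't care', so only the bits where
    the mask is 0 are compared.
    """
    proto, src, src_wc, dst, dst_wc, dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if (ip_int(pkt["src"]) ^ ip_int(src)) & ~ip_int(src_wc) & 0xFFFFFFFF:
        return False
    if (ip_int(pkt["dst"]) ^ ip_int(dst)) & ~ip_int(dst_wc) & 0xFFFFFFFF:
        return False
    return dport is None or pkt.get("dport") == dport


def acl_permits(acl, pkt):
    """First matching entry wins; implicit deny at the end."""
    return any(ace_matches(ace, pkt) for ace in acl)


def class_matches(cmap, acls, pkt):
    """Evaluate a class-map whose matches are ('access-group', name) or ('dscp', value)."""
    results = []
    for kind, value in cmap["matches"]:
        if kind == "access-group":
            results.append(acl_permits(acls[value], pkt))
        elif kind == "dscp":
            results.append(pkt.get("dscp") == value)
    return any(results) if cmap["mode"] == "match-any" else all(results)


def classify(policy, class_maps, acls, pkt):
    """Return the policy-map class a packet falls into (class-default if none)."""
    for cname in policy:
        if cname == "class-default" or class_matches(class_maps[cname], acls, pkt):
            return cname
    return "class-default"


# Constructed data mirroring the post ('host x' is wildcard 0.0.0.0).
ACLS = {
    "VOICE_TRAFFIC": [("ip", "192.168.201.0", "0.0.0.255", "192.168.200.0", "0.0.0.255", None)],
    "randomhosts": [
        ("ip", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255", None),
        ("ip", "172.16.31.17", "0.0.0.0", "172.16.32.50", "0.0.0.0", None),
    ],
    "RDP_TRAFFIC": [("tcp", "10.2.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", 3389)],
}
CLASS_MAPS = {
    "VOICE_TRAFFIC": {"mode": "match-any", "matches": [
        ("access-group", "VOICE_TRAFFIC"),
        ("access-group", "randomhosts"),
        ("dscp", "af41")]},
    "RDP_TRAFFIC": {"mode": "match-any", "matches": [("access-group", "RDP_TRAFFIC")]},
}
POLICY = ["VOICE_TRAFFIC", "RDP_TRAFFIC", "class-default"]

# Constructed packets: a phone call, a legacy host from randomhosts, an RDP
# session, and a host that marked its own web traffic AF41.
PACKETS = {
    "phone":    {"src": "192.168.201.10", "dst": "192.168.200.5", "proto": "udp", "dscp": "ef"},
    "legacy":   {"src": "172.16.31.17", "dst": "172.16.32.50", "proto": "tcp", "dport": 443, "dscp": "default"},
    "rdp":      {"src": "10.2.1.50", "dst": "10.1.1.7", "proto": "tcp", "dport": 3389, "dscp": "default"},
    "selfmark": {"src": "10.9.9.9", "dst": "10.1.1.7", "proto": "tcp", "dport": 80, "dscp": "af41"},
}


def classify_all(class_maps=CLASS_MAPS):
    return {name: classify(POLICY, class_maps, ACLS, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, cls in classify_all().items():
        print(f"{name:9s} -> {cls}")
```

Switching the VOICE_TRAFFIC class-map to `match-all` shows the other semantics: a packet would then have to be in both ACLs and carry AF41 at once, which nothing here does, so everything falls through to class-default.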

              • 4. Re: define class map and police map
                gaurav

                And what is DSCP? What is the use of it?

                • 5. Re: define class map and police map
                  Antonio Knox - CCNP R&S, CCNA R&S/Security

                  DSCP is a QoS marking that is used based on ToS.  See below:

                   

                  http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800949f2.shtml

                   

                  Hope that helps.
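An added example, not from the post or the Cisco note it links: a Python decoder for the IPv4 ToS byte that shows where DSCP sits in it. DSCP (RFC 2474) re-uses the old ToS byte, with the top six bits as the codepoint and the low two bits as ECN; the names are the ones IOS accepts in `set dscp` and `match dscp` earlier in the thread (ef, af41), and the top three DSCP bits line up with the old IP precedence field, which is why a device that only understands precedence still sees EF (46) as precedence 5.

```python
"""Decode the IPv4 ToS byte into DSCP, PHB name, ECN and legacy precedence.

Added example, not code from the thread. Bit layout per RFC 2474 / RFC 3168:
  ToS byte = DSCP (6 bits) << 2 | ECN (2 bits)
  DSCP     = class (3 bits, equals old IP precedence) << 3 | low 3 bits
"""


def dscp_name(dscp):
    """Return the standard per-hop-behaviour name for a 6-bit DSCP value."""
    if dscp == 0:
        return "default"
    if dscp == 46:
        return "ef"
    cls, low = dscp >> 3, dscp & 0b111
    # Assured Forwarding: classes 1-4, drop precedence 1-3 encoded as 010/100/110
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low // 2}"
    if low == 0:
        return f"cs{cls}"   # class selector, precedence-compatible
    return f"dscp{dscp}"    # non-standard codepoint, shown numerically


def dscp_value(name):
    """Inverse of dscp_name for the names IOS uses in 'match dscp' / 'set dscp'."""
    name = name.lower()
    if name == "default":
        return 0
    if name == "ef":
        return 46
    if name.startswith("cs"):
        return int(name[2:]) << 3
    if name.startswith("af"):
        cls, drop = int(name[2]), int(name[3])
        return (cls << 3) | (drop << 1)
    if name.startswith("dscp"):
        return int(name[4:])
    raise ValueError(f"unknown DSCP name {name!r}")


def decode_tos(tos):
    """Split a ToS byte into its DSCP / ECN / precedence views."""
    dscp = tos >> 2
    return {
        "tos": tos,
        "dscp": dscp,
        "name": dscp_name(dscp),
        "ecn": tos & 0b11,
        "precedence": dscp >> 3,
    }


def tos_for(name, ecn=0):
    """ToS byte a router writes for 'set dscp <name>' (ECN bits are left alone)."""
    return (dscp_value(name) << 2) | (ecn & 0b11)


if __name__ == "__main__":
    for n in ("ef", "af41", "af13", "cs5", "default"):
        print(f"{n:8s} dscp={dscp_value(n):2d} tos=0x{tos_for(n):02x}", decode_tos(tos_for(n)))
```

The same functions read a captured header: `decode_tos(0xB8)` is what a packet leaving the VOICE_TRAFFIC class above carries, and `decode_tos(0x88)` is an AF41 packet before it is re-marked.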