- Define a class-map: the type of traffic, application, etc. to be matched
- Define a policy-map: what to do with the matched traffic
- Service policy: apply the policy-map to the interface
R2(config)#class-map ?
  WORD       class-map name
  match-all  Logical-AND all matching statements under this classmap
  match-any  Logical-OR all matching statements under this classmap

We have two options here. Say we want to match two kinds of traffic, citrix and http.

R2(config-cmap)#match protocol http
R2(config-cmap)#match input-interface fastEthernet 0/0

If we previously chose match-all, then only http traffic coming in from fa0/0 will fall into this class-map.
If we chose match-any, then any http traffic, any traffic from fa0/0, or traffic that is both will fall into this class-map.
If you don't configure either, the default is match-all. Create a class-map named MATCH-HTTP:

R2(config)#class-map MATCH-HTTP
R2(config-cmap)#match ?
  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  dscp                 Match DSCP in IP(v4) and IPv6 packets
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IP(v4) and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  source-address       Source address
R2(config-cmap)#match access-group ?
  <1-2699>  Access list index
  name      Named Access List

We have a lot of options here. You can define an access group (ACL) in global config mode and apply it here.
You can also filter by source and destination interface, but remember that this is based on MAC address, not on IP address.
For IP addresses, you can define the match inside an ACL and apply the ACL to this class-map.
I'm not going into every option, but let me show you the biggest feature we have: protocol.
If you type the question mark, you'll see many protocol types that are already defined for you.
I'm not going to print everything here; I just want to show you a few interesting types of traffic.
With this feature you don't need to hard-code every single port, protocol type and so on in an ACL. One line should be enough, because everything is already there for you to choose from.

R2(config-cmap)#match protocol ?
  ..
  fasttrack  FastTrack Traffic - KaZaA, Morpheus, Grokster...
  irc        Internet Relay Chat
  kazaa2     Kazaa Version 2
  ..
  telnet     Telnet
  ..

Now let's create one to match http:

R2(config-cmap)#match protocol http

Verify this:

R2(config-cmap)#do sh class-map
 Class Map match-any class-default (id 0)
   Match any
 Class Map match-all LAB (id 1)
   Match protocol http
   Match protocol citrix
   Match input-interface FastEthernet0/0
 Class Map match-all MATCH-HTTP (id 2)
   Match protocol http

We have only configured two class-maps so far, but the show command lists three of them. Yes, there is always the default one: every packet that doesn't match any other class falls under this class-map. Since we didn't configure a match type, both of our class-maps are match-all.
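
To make the match-all / match-any difference concrete, this small Python model evaluates the class-maps from the show output above against a few constructed packets; it shows that LAB as displayed (match-all on http, citrix and fa0/0) can never match, while the same criteria under match-any catch almost everything. It is an added example, not code from the original post or from IOS: the `Packet` fields, the `classify` helper, the policy order (LAB before MATCH-HTTP) and the one-protocol-per-packet classification are assumptions.

```python
# Illustrative model of MQC class-map matching; not IOS code.
# Assumptions: each packet is classified as exactly one protocol and
# records its input interface; classes are tried in order, first hit wins.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    protocol: str
    in_if: str

@dataclass(frozen=True)
class ClassMap:
    name: str
    mode: str        # "match-all" = logical AND, "match-any" = logical OR
    matches: tuple   # (packet field, value) pairs

    def hit(self, pkt):
        results = [getattr(pkt, f) == v for f, v in self.matches]
        return all(results) if self.mode == "match-all" else any(results)

def classify(pkt, class_maps):
    """Return the first matching class name, else class-default."""
    for cm in class_maps:
        if cm.hit(pkt):
            return cm.name
    return "class-default"

FA00 = "FastEthernet0/0"
LAB_CRITERIA = (("protocol", "http"), ("protocol", "citrix"), ("in_if", FA00))
LAB_ALL = ClassMap("LAB", "match-all", LAB_CRITERIA)  # as in the show output
LAB_ANY = ClassMap("LAB", "match-any", LAB_CRITERIA)  # hypothetical variant
MATCH_HTTP = ClassMap("MATCH-HTTP", "match-all", (("protocol", "http"),))

# Constructed sample packets (hypothetical traffic)
SAMPLES = [
    Packet("http", FA00),
    Packet("citrix", FA00),
    Packet("telnet", FA00),
    Packet("http", "FastEthernet0/1"),
    Packet("telnet", "FastEthernet0/1"),
]

def run(class_maps):
    return [classify(p, class_maps) for p in SAMPLES]

if __name__ == "__main__":
    for label, maps in (("LAB match-all", [LAB_ALL, MATCH_HTTP]),
                        ("LAB match-any", [LAB_ANY, MATCH_HTTP])):
        for pkt, cls in zip(SAMPLES, run(maps)):
            print(f"{label}: {pkt.protocol:7} via {pkt.in_if:16} -> {cls}")
```
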
2. Define a policy map
Now we'll define a policy map named LAB_POLICY, apply the class-map MATCH-HTTP, and force this group to use only a rate of 20% of the interface bandwidth.

R2(config)#policy-map LAB_POLICY
R2(config-pmap)#class MATCH-HTTP
R2(config-pmap-c)#police rate 20 pps

What happens to the other traffic? We'll define this under the default class-map. Under the same policy map, configure the rest of the traffic to use only 10000kbps of the bandwidth.

R2(config)#policy-map LAB_POLICY
R2(config-pmap)#class class-default
R2(config-pmap-c)#police 10000

Verify:

R2#show policy-map
Policy Map LAB_POLICY
Class MATCH-HTTP
police rate 20 pps burst 4 packets
conform-action transmit
exceed-action drop
Class class-default
police cir 10000 bc 1500
conform-action transmit
exceed-action drop
*Remember, you can apply only one policy per interface per direction at a time, but you can apply multiple class-maps inside a policy.
3. Service policy
We're going to apply the policy to the traffic coming into the router through interface fast 0/0.

R2(config)#interface fastEthernet 0/0
R2(config-if)#service-policy input LAB_POLICY

Verify:

R2#show policy-map interface
FastEthernet0/0
Service-policy input: LAB_POLICY
Class-map: MATCH-HTTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
police:
cir 12000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 10000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps