
Page 1: Modular QoS CLI Classification

© 2001, Cisco Systems, Inc.

Page 2: Objectives

© 2001, Cisco Systems, Inc. QOS v1.0—8-2

Upon completing this module, you will be able to:

• Describe the classification part of the Modular QoS CLI
• Describe and configure all currently supported classification options within the MQC
• Understand network-based application recognition (NBAR)
• Monitor and troubleshoot class maps

Page 3: Introduction to Modular QoS CLI

Page 4: Objectives

Upon completing this lesson, you will be able to:

• Describe MQC concepts and structure
• Configure class maps
• Monitor and troubleshoot class maps

Page 5: Modular QoS CLI

• The Modular QoS CLI (MQC) provides a modular approach to the configuration of QoS mechanisms.
• Classification is configured separately from the QoS service policy.
• MQC also brings modularity to the implementation of QoS mechanisms in Cisco IOS:
  – New QoS mechanisms can reuse old classification options.
  – New QoS classification options can also be used by older QoS mechanisms.

Page 6: Separation of Classification

[Figure: a packet arriving from an interface or from forwarding first passes through the classification stage (Class 1? Class 2? ... Class N?); the traffic policy then applies the QoS mechanism configured for the matched class (CBWFQ, CBLLQ or class-based policing).]

Page 7: Class Maps

• Each class is identified using a class map.
• Each class map is identified by a case-sensitive name.
• Class maps can operate in two modes:
  – match-all: all conditions have to succeed
  – match-any: at least one condition must succeed
• The default mode is match-all.

Page 8: Classification Using Class Maps

[Figure: flowchart for a class map. Match mode? If match-all: do all conditions match? Yes → Match, No → No Match. If match-any: does at least one condition match? Yes → Match, No → No Match.]

Page 9: Classification Using the match-all Strategy

• match-all requires all conditions to return a positive answer.
• If one condition is not met, the class map will return a “no match” result.

[Figure: flowchart. For each condition: Match condition? No → No Match. Yes → More conditions? Yes → evaluate the next condition; No → Match.]

Page 10: Classification Using the match-any Strategy

• match-any requires at least one condition to return a positive answer.
• If no condition is met, the class map will return a “no match” result.

[Figure: flowchart. For each condition: Match condition? Yes → Match. No → More conditions? Yes → evaluate the next condition; No → No Match.]

Page 11: Classification Options

The main classification options include:

• Access list (all access lists are available)
• IP Precedence value
• IP DSCP value
• QoS group number
• MPLS experimental bits
• Protocol (including NBAR)

Page 12: Other Classification Options

Other classification options include:

• Using another class map
• Frame Relay DE bit
• IEEE 802.1Q CoS or ISL priority values
• Input interface
• Source MAC address
• Destination MAC address
• RTP (UDP) port range
• Any packet

Page 13: Configuring Class Maps

router(config)# class-map [{match-all | match-any}] name

• Enter the class map configuration mode.
• Specify the matching strategy.
• match-all is the default matching strategy.

router(config-cmap)# match condition

• Use at least one condition to match packets.

router(config-cmap)# description description

• It is recommended to use descriptions in large and complex configurations.
• The description has no operational meaning.

Page 14: Configuring Class Maps

router(config-cmap)# rename new-name

• Complex class maps can easily be renamed by using the rename class map command.
• All references to the class map are also renamed.

Page 15: Class Map Example

• This example illustrates how class maps are configured.
• Class maps on their own have no function.

    class-map match-any Test1
     match access-group 101
     match access-group 102
    class-map match-all Test2
     match access-group 101
     match access-group 102

Page 16: Monitoring and Troubleshooting Class Maps

router# show class-map [class-map]

• Lists all class maps or the selected class map

    Router#show class-map
     Class Map match-all Test2 (id 0)
       Match access-group 101
       Match access-group 102

     Class Map match-any Test1 (id 1)
       Match access-group 101
       Match access-group 102
    Router#

Page 17: Summary

Upon completing this lesson, you should be able to:

• Describe MQC concepts and structure
• Configure class maps
• Monitor and troubleshoot class maps

Page 18: Lesson Review

1. What are the benefits of the Modular QoS CLI?
2. Which two matching strategies do class maps support?
3. Which classification options do class maps support?

Page 19: Classification Options

Page 20: Objectives

Upon completing this lesson, you will be able to:

• Describe and configure classification using access lists
• Describe and configure classification using the IP Precedence
• Describe and configure classification using the DSCP
• Describe and configure classification using the QoS group
• Describe and configure classification using the MPLS experimental bits
• Describe and configure classification based on the input interface
• Describe and configure classification based on the source MAC address
• Describe and configure classification based on the destination MAC address
• Describe and configure classification based on IEEE 802.1Q CoS or ISL priority bits
• Describe and configure classification using another class map, a negation or the any keyword
• Describe and configure classification based on the Frame Relay DE bit

Page 21: Classification Using Access Lists

• Access lists are the oldest classification tool that has been used with QoS mechanisms.
• Class maps support all types of access lists.
• Class maps are multiprotocol.
• Class maps can use named access lists and numbered access lists (ranging from 1 to 2699) for all protocols.

Page 22: Configuring Classification Using Access Lists

router(config-cmap)# match access-group {number | name}

• Select an access list to be used for classification.

    class-map Telnet
     match access-group 100
    !
    class-map IPX_Printers
     match access-group IPX_Printers
    !
    access-list 100 permit tcp any any eq 23
    access-list 100 permit tcp any eq 23 any
    !
    ipx access-list sap IPX_Printers permit -1 7
    !

Page 23: Configuring Classification Using IP Precedence

router(config-cmap)# match ip precedence precedence [prec [prec [prec]]]

• Select up to four IP Precedence values or names.
• All packets marked with one of the selected IP Precedence values are matched by this class map.

    IP Precedence value   IP Precedence name
    0                     routine
    1                     priority
    2                     immediate
    3                     flash
    4                     flash-override
    5                     critical
    6                     internet
    7                     network

    class-map VoIP
     match ip precedence 5
    !
    class-map Gold
     match ip precedence 3 4
    !
    class-map Silver
     match ip precedence 1 2
    !
    class-map Bronze
     match ip precedence routine
    !

Page 24: Configuring Classification Using DSCP

router(config-cmap)# match ip dscp dscp [dscp ...]

• Select up to eight DSCP values or names.
• All packets marked with one of the selected DSCP values are matched by this class map.

    DSCP value      DSCP class name
    0  (000000)     default
    1  (001000)     cs1
    2  (010000)     cs2
    3  (011000)     cs3
    4  (100000)     cs4
    5  (101000)     cs5
    6  (110000)     cs6
    7  (111000)     cs7
    46 (101110)     ef

    DSCP value      DSCP class name
    10 (001010)     af11
    12 (001100)     af12
    14 (001110)     af13
    18 (010010)     af21
    20 (010100)     af22
    22 (010110)     af23
    26 (011010)     af31
    28 (011100)     af32
    30 (011110)     af33
    34 (100010)     af41
    36 (100100)     af42
    38 (100110)     af43
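The two tables above and the IP Precedence table on the previous page describe the same six bits of the DS byte. The following added example (written for this transcript, not code from the Cisco course) decodes a DSCP value into the name accepted by match ip dscp, derives the IP Precedence that match ip precedence sees in the same packet, and evaluates both match statements against a constructed ToS byte. The bit layouts are the standard DiffServ ones shown in the binary column (note that the decimal value of csN is 8·N, e.g. 001000 = 8 for cs1); the function names are this example's own.

```python
# Added example (not from the Cisco course): DSCP <-> name decoding and the
# relationship between `match ip dscp` and `match ip precedence`.

PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]

def dscp_name(dscp):
    """Standard name of a 6-bit DSCP value, or the plain number if it has none."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0..63)")
    cls, low = dscp >> 3, dscp & 0b111      # high three bits / low three bits
    if dscp == 0b101110:                     # 46
        return "ef"
    if low == 0:                             # xxx000: class selector code points
        return "default" if cls == 0 else f"cs{cls}"
    # Assured Forwarding: class 1-4 in the high bits, drop precedence 1-3 in
    # bits 2..1, bit 0 clear: 001010 = af11 ... 100110 = af43.
    if 1 <= cls <= 4 and low in (0b010, 0b100, 0b110):
        return f"af{cls}{low >> 1}"
    return str(dscp)

def dscp_value(token):
    """Inverse of dscp_name: 'af31', 'cs5', 'ef', 'default' or a decimal string."""
    for value in range(64):
        if dscp_name(value) == token:
            return value
    value = int(token)
    if not 0 <= value <= 63:
        raise ValueError(f"bad DSCP {token!r}")
    return value

def precedence_of(dscp):
    """IP Precedence is the top three bits of the ToS byte, i.e. of the DSCP,
    so cs5 (40) and ef (46) both carry precedence 5 (critical)."""
    return dscp >> 3

def tos_byte(dscp, ecn=0):
    """On-wire DS byte: DSCP in the upper six bits, ECN in the lower two."""
    return (dscp << 2) | (ecn & 0b11)

def dscp_from_tos(tos):
    return (tos >> 2) & 0b111111

def match_ip_dscp(values, tos):
    """`match ip dscp v1 [v2 ...]`: does the packet's DSCP equal one of them?"""
    return dscp_from_tos(tos) in {dscp_value(str(v)) for v in values}

def match_ip_precedence(values, tos):
    """`match ip precedence p1 [p2 ...]`: precedence names or numbers 0-7."""
    wanted = {PRECEDENCE_NAMES.index(v) if v in PRECEDENCE_NAMES else int(v)
              for v in values}
    return precedence_of(dscp_from_tos(tos)) in wanted

if __name__ == "__main__":
    for v in (0, 8, 10, 30, 38, 46, 9):
        print(f"{v:2} ({v:06b}) -> {dscp_name(v):8} precedence {precedence_of(v)}")
```

Because a precedence match looks only at the top three bits, a class map such as Gold (match ip precedence 3 4) also catches af31 through af43 and cs3/cs4, whereas match ip dscp selects exact code points. Either way the marking arrives from the sender, so a policy keyed on these bits should sit behind a trust boundary where the router re-marks or polices what it accepts.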

Page 25: Configuring Classification Using DSCP (cont.)

    class-map Voice
     match ip dscp ef
    !
    class-map Gold
     match ip dscp af11 af12 af13 cs3 cs4
    !
    class-map Silver
     match ip dscp af21 af22 af23 cs1 cs2
    !
    class-map Bronze
     match ip dscp af31 af32 af33
    !
    class-map Best-effort
     match ip dscp default
    !

Page 26: Configuring Classification Using QoS Group

router(config-cmap)# match ip qos-group qos-group

• Select the QoS group identifying the class.
• Allowed values are from 0 to 99.
• All packets marked with the QoS group value are matched by this class map.
• The QoS group is a parameter local to the router; it has to be set by some other QoS mechanism (CAR, PBR, class-based marking, class-based policing, QPPB).

    class-map QoS1
     match qos-group 1
    !
    class-map QoS2
     match qos-group 2
    !

Page 27: Configuring Classification Using MPLS Experimental Bits

router(config-cmap)# match mpls experimental exp [exp ...]

• Select up to eight MPLS experimental values.
• Allowed values are from 0 to 7.
• All MPLS-labeled packets marked with the selected MPLS experimental bits are matched by this class map.

    class-map MPLS1
     match mpls experimental 3 4
    !
    class-map MPLS2
     match mpls experimental 1 2
    !

Page 28: Configuring Classification Using the Input Interface

router(config-cmap)# match input-interface intf

• All packets received through the selected input interface are matched by this class map.

    class-map match-any Ethernets
     match input-interface Ethernet0/0
     match input-interface Ethernet0/1
    !
    class-map match-any FastEthernets
     match input-interface FastEthernet1/0
     match input-interface FastEthernet1/1
    !
    class-map match-any Serials
     match input-interface Serial2/0
     match input-interface Serial2/1
     match input-interface Serial2/2
     match input-interface Serial2/3
    !

Page 29: Configuring Classification Using MAC Addresses

router(config-cmap)# match source-address mac mac-address

• Classifies packets based on the source MAC address.
• This classification option can be used only on interfaces using MAC addresses (e.g., Ethernet, FastEthernet).

router(config-cmap)# match destination-address mac mac-address

• Classifies packets based on the destination MAC address.
• This classification option can be used only on interfaces using MAC addresses (e.g., Ethernet, FastEthernet).

    class-map RTR1_dst
     match destination-address mac 00f0.64e2.2860
    !
    class-map RTR2_src
     match source-address mac 00f0.64e2.3321
    !

Page 30: Configuring Classification Using 802.1Q CoS or ISL Priority Bits

router(config-cmap)# match cos cos [cos [cos [cos]]]

• Select up to four CoS/priority values.
• Allowed values are 0 to 7.
• This classification option can be used only on interfaces using 802.1Q or ISL encapsulation.

    class-map Strict-priority
     match cos 5
    !
    class-map High-priority
     match cos 4 6 7
    !
    class-map Low-priority
     match cos 0 1 2 3
    !

Page 31: Configuring Classification Using Special Options

router(config-cmap)# match not condition

• The not keyword inverts the condition.

router(config-cmap)# match class-map class-map

• One class map can use another class map for classification.
• Nested class maps allow generic template class maps to be used in other class maps.

router(config-cmap)# match any

• The any keyword can be used to match all packets.

Page 32: Configuring Classification Using Special Options (cont.)

    class-map Well-known-services
     match access-group 100
    !
    class-map Unknown-services
     match not class-map Well-known-services
    !
    class-map All-services
     match any
    !
    access-list 100 permit tcp any any lt 1024
    access-list 100 permit tcp any lt 1024 any
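The match-all and match-any strategies of pages 9 and 10 and the not, nested class-map and any options of this page are all decisions about how a list of conditions combines. The following added example (written for this transcript, not code from the Cisco course) models that evaluation in Python: the class maps Test1 and Test2 from page 15 and the three class maps above, with the access lists 100, 101 and 102 as the slides define them. Packets are constructed dicts, and the way conditions are encoded is this example's own.

```python
# Added example (not from the Cisco course): a small model of how a class map
# evaluates its match statements.

# An access list is an ordered list of (permit, predicate) entries. As in
# IOS, the first entry whose predicate matches decides, and a packet that
# matches no entry is denied (the implicit deny at the end of every ACL).
def acl_permits(acl, pkt):
    for permit, predicate in acl:
        if predicate(pkt):
            return permit
    return False

ACLS = {
    # access-list 101 permit tcp any any eq 23   (traffic towards Telnet servers)
    101: [(True, lambda p: p["proto"] == "tcp" and p["dst_port"] == 23)],
    # access-list 102 permit tcp any eq 23 any   (traffic from Telnet servers)
    102: [(True, lambda p: p["proto"] == "tcp" and p["src_port"] == 23)],
    # access-list 100 permit tcp any any lt 1024 / permit tcp any lt 1024 any
    100: [(True, lambda p: p["proto"] == "tcp" and p["dst_port"] < 1024),
          (True, lambda p: p["proto"] == "tcp" and p["src_port"] < 1024)],
}

# A class map is (mode, [conditions]); match-all is the IOS default mode.
# Condition tuples mirror the match statements: ("access-group", n),
# ("class-map", name), ("not", condition) and ("any",).
CLASS_MAPS = {
    "Test1": ("match-any", [("access-group", 101), ("access-group", 102)]),
    "Test2": ("match-all", [("access-group", 101), ("access-group", 102)]),
    "Well-known-services": ("match-all", [("access-group", 100)]),
    "Unknown-services": ("match-all",
                         [("not", ("class-map", "Well-known-services"))]),
    "All-services": ("match-all", [("any",)]),
}

def match_condition(cond, pkt, depth):
    kind = cond[0]
    if kind == "any":
        return True
    if kind == "not":
        return not match_condition(cond[1], pkt, depth)
    if kind == "access-group":
        return acl_permits(ACLS[cond[1]], pkt)
    if kind == "class-map":            # nested class map
        return classify(cond[1], pkt, depth + 1)
    raise ValueError(f"unsupported match condition {cond!r}")

def classify(name, pkt, depth=0):
    """True when packet pkt is matched by class map `name`."""
    if depth > 8:                      # a class map referencing itself would loop
        raise RecursionError(f"class-map nesting too deep at {name!r}")
    mode, conditions = CLASS_MAPS[name]
    if not conditions:                 # "use at least one condition": an empty
        return False                   # class map is treated as matching nothing
    results = [match_condition(c, pkt, depth) for c in conditions]
    return all(results) if mode == "match-all" else any(results)

def matching_classes(pkt):
    """Names of all class maps that match pkt, in configuration order."""
    return [name for name in CLASS_MAPS if classify(name, pkt)]

# Constructed sample packets.
TELNET_TO_SERVER = {"proto": "tcp", "src_port": 40001, "dst_port": 23}
TELNET_BETWEEN_SERVERS = {"proto": "tcp", "src_port": 23, "dst_port": 23}
HIGH_PORT_TCP = {"proto": "tcp", "src_port": 5000, "dst_port": 6000}
DNS_REPLY_UDP = {"proto": "udp", "src_port": 53, "dst_port": 5000}

if __name__ == "__main__":
    for label, pkt in [("telnet to server", TELNET_TO_SERVER),
                       ("high-port tcp", HIGH_PORT_TCP),
                       ("udp from port 53", DNS_REPLY_UDP)]:
        print(f"{label:18} -> {matching_classes(pkt)}")
```

Two points worth checking in a real configuration follow directly from the model. Test1 and Test2 list the same two access groups, yet only the match-any version catches ordinary Telnet traffic, because a single packet is rarely both to and from port 23. And since Unknown-services negates a class map whose ACL only names TCP, every non-TCP packet, such as the UDP sample, falls into Unknown-services; a negated class should be read as "everything the inner class did not claim", not as "the other TCP services".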

Page 33: Configuring Classification Using the Frame Relay DE Bit

router(config-cmap)# match fr-de

• Use this command to match all frames with the Frame Relay DE bit set.

    class-map FR_Out_of_Contract
     match fr-de
    !
    class-map FR_Within_Contract
     match not fr-de
    !

Page 34: Configuring Classification Using a UDP Port Range

router(config-cmap)# match ip rtp starting-port port-range

• Use this command to implement classification equal to IP RTP Prioritization.
• All UDP packets with source or destination port numbers within the specified range are matched.
• The range is between the starting-port (values from 2000 to 65535) and the sum of the starting-port and the port-range (values from 0 to 16383).
• The command should be used in combination with class-based low-latency queuing to implement IP RTP Prioritization using the Modular QoS CLI.

    class-map RTP
     match ip rtp 16384 16383
    !

Page 35: Summary

Upon completing this lesson, you should be able to:

• Describe and configure classification using access lists
• Describe and configure classification using the IP Precedence
• Describe and configure classification using the DSCP
• Describe and configure classification using the QoS group
• Describe and configure classification using the MPLS experimental bits
• Describe and configure classification based on the input interface
• Describe and configure classification based on the source MAC address
• Describe and configure classification based on the destination MAC address
• Describe and configure classification based on IEEE 802.1Q CoS or ISL priority bits
• Describe and configure classification using another class map, a negation or the any keyword
• Describe and configure classification based on the Frame Relay DE bit

Page 36: Lesson Review

1. Which classification options are available using class maps?
2. What command is used to configure classification?

Page 37: Network Based Application Recognition (NBAR)

Page 38: Objectives

Upon completing this lesson, you will be able to:

• Describe and configure NBAR
• Describe and configure classification of FTP and TFTP
• Describe and configure complex classification of HTTP sessions
• Monitor and troubleshoot class maps

Page 39: Network-Based Application Recognition (NBAR)

• The IntServ model uses RSVP to signal QoS requirements, including application definition.
• The DiffServ model relies on the network to recognize applications.
• Recognizing simple applications is possible by matching on the static source or destination TCP/UDP port numbers.
• Some applications use multiple sessions and dynamic port numbers.

Page 40: NBAR Capabilities

• NBAR was introduced to enable recognition of applications using dynamic port numbers (e.g., FTP, Exchange, SQL*net).
• NBAR supports a number of applications that use static port numbers (e.g., Telnet).
• NBAR also allows recognition of sessions based on higher-layer information (e.g., HTTP by URL, host, or MIME; Citrix by application).

Page 41: NBAR Support for Static Protocols

• NBAR supports a number of applications that are recognized based on a well-known destination port number.
• Such applications were previously matched by using extended IP access lists.

Page 42: NBAR Support for Dynamic Protocols

• NBAR is primarily used to recognize applications that use multiple sessions and dynamic port numbers:
  – Such applications usually start with a control session on a well-known port number.
  – Additional ports are negotiated through the control session.
• NBAR inspects the negotiation of additional ports.
• Most of these applications could previously not be matched by any mechanism.

Page 43: Packet Description Language Modules

• An external Packet Description Language Module (PDLM) can be loaded at run time to extend the NBAR list of recognized protocols.
• PDLMs can also be used to enhance an existing protocol recognition capability.
• PDLMs allow NBAR to recognize new protocols without requiring a new IOS image or a router reload.

Page 44: Configuring NBAR

router(config-cmap)# match protocol protocol

• Use the protocol keyword and the name of the protocol to match.
• Static protocols are recognized based on the well-known destination port number.
• Dynamic protocols are recognized by inspecting the session.

Page 45: Configuring NBAR (cont.)

router(config)# ip nbar pdlm pdlm-file

• Enter the location of the Packet Description Language Module file to extend the NBAR capabilities of the router.
• The file name is in the URL format (e.g., flash://citrix.pdlm).

router(config)# ip nbar port-map protocol {tcp | udp} new-port [new-port ...]

• Specify an additional port for a well-known protocol.
• Up to 16 additional port numbers can be specified.

Page 46: Configuring NBAR for HTTP

router(config-cmap)# match protocol http url url

• Recognizes the HTTP GET packets containing the URL, and then matches all packets that are part of the HTTP GET request.
• Include only the portion of the URL following the address or host name in the match statement.

router(config-cmap)# match protocol http mime mime-type

• Select the MIME type to be matched.
• Matches a packet containing the MIME type and all subsequent packets until the next HTTP transaction.

router(config-cmap)# match protocol http host hostname

• Performs a regular expression match on the host field contents inside an HTTP GET packet and classifies all packets from that host.

Page 47: NBAR for FTP Case Study

• FTP control sessions can be recognized based on the well-known port number 21.
• FTP data sessions may be recognized by the well-known source port number 20.
• Not all implementations of FTP use port 20.
• NBAR recognizes FTP data sessions by inspecting the FTP control session.

[Figure: the client opens a control session to well-known port 21 ("GET file; use port 1050"); the server then opens a data session to the negotiated port 1050 ("Sending file").]

    class-map FTP
     match protocol ftp

Page 48: NBAR for TFTP Case Study

• TFTP uses UDP for transport.
• The first packet uses the well-known destination port number 69 and a random source port (>1023).
• The receiver responds to the received source port and uses a new source port for its packets (>1023).
• The session from then on uses those port numbers.

[Figure: the client sends the first packet to port 69 from source port 1060 ("GET file"); the server sends to port 1060 from source port 1035 ("Sending file"); the client sends to port 1035 from source port 1060 ("Acknowledge"); the server sends to port 1060 from source port 1035 ("Sending file").]

    class-map FTP
     match protocol tftp
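The FTP and TFTP case studies both show why a destination-port match only sees the first packet of the session. The following added example (written for this transcript; it is not Cisco's NBAR implementation) contrasts a static port table with a small stateful tracker that learns the negotiated ports: for TFTP from the server's reply to the client's source port, for FTP from the PORT command the client sends on the control session. IP addresses, payloads and the packet tuples are constructed to mirror the two exchanges above; the PORT command format follows RFC 959.

```python
# Added example (not Cisco's NBAR code): static port matching versus a toy
# session tracker for the TFTP and FTP exchanges of the two case studies.
import re

STATIC_PORTS = {("udp", 69): "tftp", ("tcp", 21): "ftp"}

# "PORT h1,h2,h3,h4,p1,p2": the data address and port (p1*256+p2) that an
# active-mode FTP client announces on the control session.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def static_classify(proto, src, sport, dst, dport, payload=b""):
    """What an ACL or a static port match sees: the destination port only."""
    return STATIC_PORTS.get((proto, dport), "unknown")

class SessionTracker:
    def __init__(self):
        self.learned = {}          # frozenset({(ip, port), (ip, port)}) -> app
        self.pending_tftp = {}     # (client ip, client port) -> server ip
        self.pending_ftp = set()   # (ip, port) the FTP server will connect to

    def classify(self, proto, src, sport, dst, dport, payload=b""):
        key = frozenset({(src, sport), (dst, dport)})
        if key in self.learned:                      # already-learned data session
            return self.learned[key]
        # Server reply to a pending TFTP request: it comes from a fresh source
        # port back to the client's port, and both ends keep using that pair.
        if proto == "udp" and self.pending_tftp.get((dst, dport)) == src:
            del self.pending_tftp[(dst, dport)]
            self.learned[key] = "tftp"
            return "tftp"
        # Data connection to the port the FTP client announced.
        if proto == "tcp" and (dst, dport) in self.pending_ftp:
            self.pending_ftp.discard((dst, dport))
            self.learned[key] = "ftp"
            return "ftp"
        app = static_classify(proto, src, sport, dst, dport)
        if app == "tftp":                            # first packet to port 69
            self.pending_tftp[(src, sport)] = dst
        elif app == "ftp":                           # inspect the control session
            m = PORT_RE.search(payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
                self.pending_ftp.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        return app

# Constructed exchanges mirroring the two case studies (client 10.0.0.1,
# server 10.0.0.2; 1050 = 4*256 + 26 in PORT notation).
EXCHANGE = [
    ("udp", "10.0.0.1", 1060, "10.0.0.2", 69, b"RRQ file"),        # GET file
    ("udp", "10.0.0.2", 1035, "10.0.0.1", 1060, b"DATA block 1"),  # sending file
    ("udp", "10.0.0.1", 1060, "10.0.0.2", 1035, b"ACK 1"),         # acknowledge
    ("udp", "10.0.0.2", 1035, "10.0.0.1", 1060, b"DATA block 2"),  # sending file
    ("tcp", "10.0.0.1", 40000, "10.0.0.2", 21, b"PORT 10,0,0,1,4,26\r\n"),
    ("tcp", "10.0.0.2", 20, "10.0.0.1", 1050, b"file contents"),   # data session
    ("tcp", "10.0.0.1", 1050, "10.0.0.2", 20, b""),                # client ack
]

def classify_exchange(packets, tracker=None):
    """Label every packet; with a tracker the negotiated ports are learned."""
    if tracker is None:
        return [static_classify(*p) for p in packets]
    return [tracker.classify(*p) for p in packets]

if __name__ == "__main__":
    for p, s, d in zip(EXCHANGE, classify_exchange(EXCHANGE),
                       classify_exchange(EXCHANGE, SessionTracker())):
        print(f"{p[0]} {p[1]}:{p[2]} -> {p[3]}:{p[4]}  static={s:8} tracked={d}")
```

The static classifier labels only the request to port 69 and the control session to port 21; every data packet is "unknown", which is exactly the gap the slides describe. The tracker keeps per-session state to close it, and that state is the cost of inspection: a production inspector has to bound and age its tables, otherwise a burst of half-finished negotiations consumes memory on the device.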

Page 49: NBAR for HTTP Case Study #1

• HTTP is a static protocol using the well-known port number 80.
• Some web servers are using HTTP on other ports.
• Use the ip nbar port-map command to inform the router that other ports are also used for HTTP.

[Figure: one client opens an HTTP session to port 80 ("GET page"), another opens an HTTP session to port 8080 ("GET page"); both are classified by the configuration below.]

    ip nbar port-map http tcp 80 8080
    !
    class-map HTTP
     match protocol http

Page 50: NBAR for HTTP Case Study #2

• The class map matches all HTTP requests that contain either xxx.gif or xxx.jpg.
• It does so on both ports 80 and 8080.

[Figure: one client opens an HTTP session to port 80 ("GET /images/xxx.gif"), another opens an HTTP session to port 8080 ("GET /images/xxx.jpg").]

    ip nbar port-map http tcp 80 8080
    !
    class-map HTTP
     match protocol http url *xxx.(jpg|gif)

Page 51: NBAR for HTTP Case Study #3

• The class map matches all HTTP requests containing a MIME type that contains jpeg (e.g., image/jpeg).
• It does so on both ports 80 and 8080.

[Figure: one client opens an HTTP session to port 80 ("GET /html/pictures.html"), another opens an HTTP session to port 8080 ("GET /html/pictures.html").]

    ip nbar port-map http tcp 80 8080
    !
    class-map HTTP
     match protocol http mime *jpeg
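The three HTTP case studies combine a port map with url and mime patterns. The following added example (written for this transcript, not Cisco's implementation) models that in Python: requests on the mapped ports 80 and 8080 are checked against the three class maps, given distinct names here. The pattern semantics are an assumption drawn from the slide examples *xxx.(jpg|gif) and *jpeg: * matches any string, ? one character, (a|b) is alternation, every other character is literal, and the whole URL or MIME type must match. The requests, host names and the HttpRequest record are constructed.

```python
# Added example (not Cisco's NBAR code): port-mapped HTTP classification with
# url, mime and host patterns as in case studies #1-#3.
import re
from dataclasses import dataclass

# ip nbar port-map http tcp 80 8080
PORT_MAP = {"http": {("tcp", 80), ("tcp", 8080)}}

@dataclass
class HttpRequest:
    proto: str
    dst_port: int
    host: str
    url: str          # path part only, as the `url` option expects
    mime: str = ""    # Content-Type seen in the transaction's response

def nbar_pattern(pattern):
    """Translate an NBAR-style wildcard pattern into an anchored regex (assumed
    semantics: '*' any string, '?' one character, '(a|b)' alternation)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch in "(|)":
            parts.append(ch)
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def match_protocol_http(req, url=None, mime=None, host=None):
    """`match protocol http [url pat | mime pat | host pat]`."""
    if (req.proto, req.dst_port) not in PORT_MAP["http"]:
        return False                      # not a port the router maps to HTTP
    if url is not None and not nbar_pattern(url).match(req.url):
        return False
    if mime is not None and not nbar_pattern(mime).match(req.mime):
        return False
    if host is not None and not nbar_pattern(host).match(req.host):
        return False
    return True

# The three class maps from the case studies, given distinct names here.
CLASS_MAPS = {
    "HTTP":        {},                        # match protocol http
    "HTTP-images": {"url": "*xxx.(jpg|gif)"}, # match protocol http url *xxx.(jpg|gif)
    "HTTP-jpeg":   {"mime": "*jpeg"},         # match protocol http mime *jpeg
}

def classify(req):
    """Names of the class maps that match the request."""
    return [n for n, opts in CLASS_MAPS.items() if match_protocol_http(req, **opts)]

# Constructed requests.
GIF_ON_80 = HttpRequest("tcp", 80, "www.example.com", "/images/xxx.gif", "image/gif")
JPG_ON_8080 = HttpRequest("tcp", 8080, "www.example.com", "/images/xxx.jpg", "image/jpeg")
PAGE_WITH_JPEG = HttpRequest("tcp", 80, "www.example.com", "/html/pictures.html", "image/jpeg")
PLAIN_PAGE = HttpRequest("tcp", 8080, "www.example.com", "/html/pictures.html", "text/html")
UNMAPPED_PORT = HttpRequest("tcp", 8000, "www.example.com", "/images/xxx.gif", "image/gif")

if __name__ == "__main__":
    for r in (GIF_ON_80, JPG_ON_8080, PAGE_WITH_JPEG, PLAIN_PAGE, UNMAPPED_PORT):
        print(f"{r.dst_port:5} {r.url:22} {r.mime:11} -> {classify(r)}")
```

The request on port 8000 matches nothing even though it is plainly HTTP, because the port map, not the payload, decides whether the url and mime options are consulted at all; a port-map that does not list every port a server actually uses silently drops that traffic into the default class. The url option is applied to the path only, matching the slide's instruction to leave the host name out of the pattern.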

Page 52: Summary

Upon completing this lesson, you should be able to:

• Describe and configure NBAR
• Describe and configure classification of FTP and TFTP
• Describe and configure complex classification of HTTP sessions
• Monitor and troubleshoot class maps

Page 53: Lesson Review

1. What is NBAR used for?
2. What types of applications can NBAR recognize?
3. How can support for recognizing new applications be included into existing IOS versions?
4. What additional classification options are available for HTTP?
5. Which special characters are available with regular expressions for matching HTTP flows?

Page 54: Module Summary

Upon completing this module, you should be able to:

• Describe the classification part of the Modular QoS CLI
• Describe and configure all currently supported classification options within the MQC
• Describe and configure network-based application recognition (NBAR)
• Monitor and troubleshoot class maps

Page 55: IP QoS - Modular QoS CLI Classification