Table of Contents
Advertisement
16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series
Configuration of a deny action is not supported in QoS ACLs on the 16- and 36-port Ethernet switch
•
network modules.
•
System-defined masks are allowed in class maps with these restrictions:
–
–
–
Note
For more information on the system-defined mask, see the
Parameters" section on page
For more information on ACL restrictions, see the
•
Ethernet Switch Network Module" section on page
After a traffic class has been defined with the ACL, you can attach a policy to it. A policy might contain
multiple classes with actions specified for each one of them. A policy might include commands to
rate-limit the class. This policy is then attached to a particular port on which it becomes effective.
You implement IP ACLs to classify IP traffic by using the access-list global configuration command.
Classification Based on Class Maps and Policy Maps
A class map is a mechanism that you use to isolate and name a specific traffic flow (or class) from all
other traffic. The class map defines the criteria used to match against a specific traffic flow to further
classify it; the criteria can include matching the access group defined by the ACL. If you have more than
one type of traffic that you want to classify, you can create another class map and use a different name.
After a packet is matched against the class-map criteria, you further classify it through the use of a policy
map.
A policy map specifies which traffic class to act on. Actions can include setting a specific DSCP value
in the traffic class or specifying the traffic bandwidth limitations and the action to take when the traffic
is out of profile. Before a policy map can be effective, you must attach it to an interface.
You create a class map by using the class-map global configuration command or the class policy-map
configuration command. You should use the class-map global configuration command when the map is
shared among many ports. When you enter the class-map global configuration command, the switch
enters the class-map configuration mode. In this mode, you define the match criterion for the traffic by
using the match class-map configuration command.
You create and name a policy map by using the policy-map global configuration command. When you
enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the
actions to take on a specific traffic class by using the class policy-map configuration command and the
police policy-map class configuration command. To make the policy map effective, you attach it to an
interface by using the service-policy interface configuration command.
The policy map can also contain commands that define the policer, the bandwidth limitations of the
traffic, and the action to take if the limits are exceeded. For more information, see the
Marking" section on page
A combination of system-defined and user-defined masks cannot be used in the multiple class
maps that are a part of a policy map.
System-defined masks that are a part of a policy map must all use the same type of system mask.
For example, a policy map cannot have a class map that uses the permit tcp any any ACE and
another that uses the permit ip any any ACE.
A policy map can contain multiple class maps that all use the same user-defined mask or the
same system-defined mask.
28.
34.
"Understanding Access Control
"Guidelines for Configuring ACLs on the
29.
Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ
Feature Overview
"Policing and
33
Hide quick links:
Advertisement
Chapters
Table of Contents
