The class-map command is used to classify a set of traffic with which security actions may be associated. Configuring a class map is a two-step process: first name a class of traffic, then define the attributes of that traffic. A name is assigned to each individual class of traffic. For example, in Figure , there are four traffic classes named. The class-map se command identifies the system engineer remote VPN traffic from the system engineers. The class-map s2s command identifies the remote VPN traffic from the system engineers.
The syntax of the class-map command is as follows:
class-map class_map_name
After a class of traffic is named, the characteristics of the traffic flow are identified. To be considered part of a named class, a traffic flow must match a defined set of attributes. There are various types of match criteria in a class map. One example of match criteria is an access list that defines all traffic from the Internet to the DMZ. Another match criterion is the VPN tunnel-group; this could include all members of the SE and EXEC tunnel-groups. Another such match is a TCP or UDP port number, which could be used to define all HTTP or FTP traffic.
The class matching criteria are the following:
- match access-list – This keyword specifies to match an entry in an access list.
- match any – This keyword specifies that all traffic is to be matched. Match any is used in the class-default class map.
- match dscp – This keyword specifies to match the IETF-defined Differentiated Services Code Point (DSCP) value in the IP header. This allows the administrator to define classes based on the DSCP values defined within the TOS byte in the IP header.
- match flow – This keyword specifies to match each IP flow within a tunnel-group. This match command must be used in conjunction with the match tunnel-group command.
- match port – This keyword specifies to match traffic using a TCP or UDP destination port.
- match precedence – This keyword specifies to match the precedence value represented by the TOS byte in the IP header. This allows the administrator to define classes based on the precedence defined within the TOS byte in the IP header.
- match rtp – This keyword specifies to match the Real-Time Transport Protocol (RTP) destination port. This allows the administrator to match on a UDP port number within the specified range. The allowed range is targeted at capturing applications likely to be using RTP.
- match tunnel-group – This keyword specifies to match tunnel traffic.
A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic with a port value of 21 or 80 may be classified as an Internet traffic class.
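The following added example (not from the original text or from any Cisco software) models how the match criteria listed above sort flows into named classes, with class-default using match any to catch whatever no other class claims. The flow records, access-list entries, class names other than se and class-default, and the first-match evaluation order are all constructed assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed record of the packet fields a class-map can match on (example data only).
@dataclass
class Flow:
    proto: str                           # "tcp" or "udp"
    dst_port: int
    src: str                             # source IP as a dotted string
    dst: str                             # destination IP as a dotted string
    tunnel_group: Optional[str] = None   # set when the flow arrived through a VPN tunnel-group
    dscp: int = 0                        # DSCP value carried in the TOS byte

# Hypothetical access list: name -> list of (src_prefix, dst_prefix) permit entries.
ACLS = {"inside_to_dmz": [("10.1.", "192.168.100.")]}

@dataclass
class ClassMap:
    name: str
    match: str                           # keyword from the text: any, access-list, port, tunnel-group, dscp, rtp
    args: dict = field(default_factory=dict)

    def matches(self, f: Flow) -> bool:
        if self.match == "any":
            return True
        if self.match == "access-list":
            return any(f.src.startswith(s) and f.dst.startswith(d)
                       for s, d in ACLS[self.args["name"]])
        if self.match == "port":
            return f.proto == self.args["proto"] and f.dst_port in self.args["ports"]
        if self.match == "tunnel-group":
            return f.tunnel_group == self.args["group"]
        if self.match == "dscp":
            return f.dscp in self.args["values"]
        if self.match == "rtp":                      # UDP destination port inside an assumed lo..hi range
            return f.proto == "udp" and self.args["lo"] <= f.dst_port <= self.args["hi"]
        raise ValueError(f"unknown match keyword: {self.match}")

# Hypothetical classes; class-default is last and uses match any, so it catches everything else.
CLASS_MAPS = [
    ClassMap("se", "tunnel-group", {"group": "SE"}),
    ClassMap("dmz_inbound", "access-list", {"name": "inside_to_dmz"}),
    ClassMap("internet", "port", {"proto": "tcp", "ports": {21, 80}}),
    ClassMap("voice", "rtp", {"lo": 16384, "hi": 32767}),
    ClassMap("class-default", "any"),
]

def classify(f: Flow) -> str:
    """Return the name of the first class-map whose criteria the flow satisfies."""
    return next(c.name for c in CLASS_MAPS if c.matches(f))
```

Running classify over a few constructed flows shows why class-default matters: a flow that satisfies none of the specific criteria (for example UDP/53 from an untunnelled host) still lands in a class, so a policy applied to class-default is the one that governs unclassified traffic.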
More information about the syntax of the class-map commands is available in the Command Reference.