Reference Guide

Quality of Service (QoS)
Figure 33-10. Using the Order Keyword in ACLs
Create a Layer 2 class map
All class maps are Layer 3 by default; you can create a Layer 2 class map by specifying the option layer2
with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or
characteristics defined in a MAC ACL.
1. Create a match-any class map using the command class-map match-any or a match-all class map using
the command class-map match-all from CONFIGURATION mode, and enter the keyword layer2.
2. Once you create a class-map, FTOS places you in CLASS MAP mode. From this mode, specify your
match criteria using the command match mac. Match-any class maps allow up to five access-lists, and
match-all class-maps allow only one. You can match against only one VLAN ID.
3. After you specify your match criteria, link the class-map to a queue using the command service-queue
from POLICY MAP mode.
Determine the order in which ACLs are used to classify traffic
When you link class-maps to queues using the command service-queue, FTOS matches the class-maps
according to queue priority (queue numbers closer to 0 have lower priorities). For example, in
Figure 33-10, class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1
and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be
buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use
the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 33-10.
The order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order
numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended.
By default, all ACL rules have an order of 254.
FTOS(conf)#ip access-list standard acl1
FTOS(config-std-nacl)#permit 20.0.0.0/8
FTOS(config-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(config-std-nacl)#permit 20.1.1.0/24 order 0
FTOS(config-std-nacl)#exit
FTOS(conf)#class-map match-all cmap1
FTOS(conf-class-map)#match ip access-group acl1
FTOS(conf-class-map)#exit
FTOS(conf)#class-map match-all cmap2
FTOS(conf-class-map)#match ip access-group acl2
FTOS(conf-class-map)#exit
FTOS(conf)#policy-map-input pmap
FTOS(conf-policy-map-in)#service-queue 7 class-map cmap1
FTOS(conf-policy-map-in)#service-queue 4 class-map cmap2
FTOS(conf-policy-map-in)#exit
FTOS(conf)#interface gig 1/0
FTOS(conf-if-gi-1/0)#service-policy input pmap
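
The following Python model is an added example, not FTOS code or output: it replays the Figure 33-10 rules through a first-match table to show which queue a packet lands in with and without the order keyword, and flags rules that an earlier entry on a different queue fully covers. The names Rule, cam_sequence, classify and shadowed are hypothetical, and the tie-break between rules of equal order (higher queue number first) is an assumption chosen to reproduce the outcome the text describes.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_ORDER = 254  # from the page: all ACL rules default to order 254


@dataclass(frozen=True)
class Rule:
    acl: str      # ACL name the rule belongs to
    prefix: str   # permitted source range
    queue: int    # queue the class-map using this ACL is linked to
    order: int = DEFAULT_ORDER

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


def cam_sequence(rules):
    """Rules in the sequence they are written to the table: lower order first.
    Tie-break on higher queue number is an assumption, not documented syntax."""
    return sorted(rules, key=lambda r: (r.order, -r.queue))


def classify(rules, src):
    """Return the queue of the first rule that matches src, or None."""
    addr = ipaddress.ip_address(src)
    for rule in cam_sequence(rules):
        if addr in rule.net:
            return rule.queue
    return None


def shadowed(rules):
    """Return (rule, covering_rule) pairs where an earlier entry bound to a
    different queue covers the rule's whole prefix, so it can never match."""
    seq = cam_sequence(rules)
    pairs = []
    for i, rule in enumerate(seq):
        for earlier in seq[:i]:
            if earlier.queue != rule.queue and rule.net.subnet_of(earlier.net):
                pairs.append((rule, earlier))
                break
    return pairs


# Constructed from the Figure 33-10 configuration, without and with "order 0".
WITHOUT_ORDER = [Rule("acl1", "20.0.0.0/8", 7), Rule("acl2", "20.1.1.0/24", 4)]
WITH_ORDER = [Rule("acl1", "20.0.0.0/8", 7), Rule("acl2", "20.1.1.0/24", 4, order=0)]

if __name__ == "__main__":
    for label, rules in (("without order", WITHOUT_ORDER), ("order 0", WITH_ORDER)):
        hidden = [(r.acl, e.acl) for r, e in shadowed(rules)]
        print(label, "queue:", classify(rules, "20.1.1.5"), "shadowed:", hidden)
```

Running the same shadowing check over a real set of overlapping ACLs before applying a policy map shows which rules need an explicit order value.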