Professional Documents
Culture Documents
Classifier
Behavior
Traffic-policy
We have possibility to configure many rules in an ACL. If the ACL is specified in if-match
clause, then a packet is matched against multiple rules. If the packet matches a rule in the
ACL, then it stops checking against the next rules.
In a case of DENY action in the ACL, the matched packet is denied, regardless of
what traffic behavior defines.
When PERMIT action is defined in the ACL, then traffic behavior is applied to the
matched packet.
Lets focus on if-match clauses now and matching order between them.
START
Check first
classifier
NO Is there If-
match?
YES
NO NO PERMIT
YES
Is there
Check next If-
another If-
match
match?
NO
Is there
Check next YES
another
classifier
classifier?
NO
END
Notice that traffic behavior is applied for the packets that match any one of the if-match
clauses. In this situation, packet is matched against If-match clauses, in the order of the If-
match clauses configuration. This kind of traffic classifier is commonly used.
In logic AND implementation, the device combines all if-match clauses and then processes
the combination of if-match clauses according to the procedure of logic OR. If one of the if-
match clauses is applied with ACL, each rule of the ACL is combined with all of the other if-
match clauses. In this situation, the order of if-match clauses does not impact on the final
matching result.
As you know, one or more classifiers and behaviors can be configured in a traffic policy. A
packet is matched against traffic classifiers in the order, in which those classifiers have been
configured. If the packet matches a traffic classifier, no further match operation is performed.
If not, the packet is matched against the following traffic classifiers one by one. If the packet
does not match traffic classifiers at all, the packet is forwarded with no traffic policy executed.
Anyway, the order of traffic classifier can be changed by the following command:
packets coming from source IP address 10.1.1.0/24, with DSCP 18, are then
remarked as AF31
packets coming from source IP address 172.16.1.0/24, with DSCP 18, are discarded
other packets are forwarded directly.
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 dscp af21
rule 10 deny ip source 172.16.1.0 0.0.0.255 dscp af21
#
traffic classifier labnario operator or
if-match acl 3000
#
traffic behavior labnario
remark dscp af31
#
traffic policy labnario
classifier labnario behavior labnario
#
interface GigabitEthernet0/0/0
traffic-policy labnario inbound
I have a home task for you. Try to configure the same policy but using logic AND. Your traffic
policy must do the same like the one configured.