2

It is very hard to find information on this topic. I would like to know: If traffic has a hit inside a class-map, is it immediately forwarded or does it get checked against all remaining match statements first? Example: given following configuration:

ip access-list extended QOS_CITRIX permit tcp any eq 2598 any permit tcp any any eq 2598 permit udp any eq 2598 any permit udp any any eq 2598 class-map match-any QOS_CITRIX match ip dscp 32 match access-group name QOS_CITRIX policy-map QOS class QOS_CITRIX set dscp 32 bandwidth percent 50

If a packet with DSCP32 arrives to be checked against this class-map, does it process the ACL?

Improve this question
9
  • Depending on your equipment, i only think you can have one match statement per class-map. Commented Apr 1, 2019 at 13:44
  • I seem to remember than within a class-map, it's match <protocol> XOR match access-group <someACL>. You can have multiple statements (else match-any wouldn't be very useful) of either but not both. On the other hand, nothing stops you from defining two class-maps (one matching on protocol, the other matching on ACL), and then making use of both in the policy map, applying the same set of actions to them. Commented Apr 1, 2019 at 13:53
  • 1
    Oh.. and a word of caution. Your example policy-map mixes two things I wouldn't do in the same PM. Marking traffic (set dscp 32) is typically something done on the ingress interface (service policy input ..) of a device, while applying something from the shaping/policing/queuing toolset (bandwidth percent 50) is meant for an egress interface of a device (service policy output ...). Many devices/Platforms won't even let you rewrite DSCP on the egress side. Commented Apr 1, 2019 at 14:02
  • @Cown I can match for DSCP and an ACL in the same class map (at least on a C3850 that is). You can only assign one ACL per class-map, though. Commented Apr 1, 2019 at 15:19
  • @Marc'netztier'Luethi I know about the policy-map at ingress, but I want to keep the configuration short. Thats why I try to catch everything (DSCP32 and protocol) with one class-map. Additionally, if i catch them in different class-maps, and assign bandwidth 25 to each of them, it is not the same as assigning bandwidth 50 to one class. Commented Apr 1, 2019 at 15:19

2 Answers 2

Reset to default
2

There are 2 different matching variations for class maps. Either match-any or match-all:

  • match-all = logical AND of all conditions all conditions must be true for a match
  • match-any = logical OR of all conditions if at least one condition is true there is a match

With match-any it reads them in order and stops once/if it finds a match.

With match-all it has to match against all the match statements so it needs to read them all as long as it keeps matching ie. it it doesn't match in one of the match statements there is no need to keep trying to match in the following match statements.

Source: https://community.cisco.com/t5/routing/qos-class-map-match-any/td-p/1401075

Improve this answer
1

If a packet with DSCP32 arrives to be checked against this class-map, does it process the ACL?

This is highly implementation-specific. For example, a particular software implementation on a particular router model might arrange these match criteria in a linked-list, and traverse the list to see if a given packet matches. There is no telling what order the criteria will be matched, and the loop exits when a match occurs. Another software implementation on another model might kick off parallel lookups on two threads (running on different CPU cores), in which case both criteria may be checked simultaneously. ASIC implementations may behave differently, and it is possible in theory that the two criteria are checked in two completely different pieces of silicon. You really cannot say.

I have to ask, though: why does this matter?

Improve this answer
1
  • It is just for performance reasons. I would like to make the rulebase as efficient as possible. So that a frame gets checked agains the ACL on the first switch, then gets marked and therefore never checked against an ACL again on its path to the destination. Commented Apr 8, 2019 at 8:23

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.