Creating Classifier Control Lists

Use the following commands to create or modify CLACLs:

• frame-relay classifier-list
• gre-tunnel classifier-list
• ip classifier-list
• ipv6 classifier-list
• l2tp classifier-list
• mpls classifier-list
• vlan classifier-list

frame-relay classifier-list

• Use to create or modify a Frame Relay classifier control list.
  

  NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.

  
  
• Use the following keywords to configure the list:

• traffic-class—Matches packets with a class that you defined using the traffic-class command
• color

• green—Matches packets with color green, indicating a low drop preference
• yellow—Matches packets with color yellow, indicating a medium drop preference
• red—Matches packets with color red, indicating a high drop preference

• user-packet-class—Matches packets with the specified user packet class value
• de-bit—Matches Frame Relay packets with the specified DE bit value, either 0 or 1

• Example

host1(config)#frame-relay classifier-list frclassifier color red user-packet-class 10 
de-bit 1

• Use the no version to remove the classifier control list.

gre-tunnel classifier-list

• Use to create or modify a GRE tunnel classifier control list.
  

  NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.

  
  
• Use the following keywords to configure the list:

• traffic-class—Matches traffic with a class that you defined using the traffic-class command
• color

• green—Matches packets with color green, indicating a low drop preference
• yellow—Matches packets with color yellow, indicating a medium drop preference
• red—Matches packets with color red, indicating a high drop preference

• tos, dsfield, and precedence specify the ToS byte in the IP header

• tos—Specifies the use of the whole 8 bits of the ToS byte; range is 0-255
• dsfield—Specifies the use of the upper 6 bits of the ToS byte; range is 0-63
• precedence—Specifies the use of the upper 3 bits of the ToS byte; range is 0-7

• user-packet-class—Matches packets with the specified user packet class value

• Example

host1(config)#gre-tunnel classifier-list greClassifier50 color yellow 
user-packet-class 7 dsfield 40

• Use the no version to remove the classifier control list.

ip classifier-list

• Use to create or modify an IP classifier control list.

host1(config)#ip classifier-list YourListName ip any any

 NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.



 

• Use the user-packet-class keyword to match packets with the specified user packet class value.
• Use the notProtocol, notSourceIpAddr, and notDestinationIpAddr options to cause a match when those attributes in the packet being compared have different values. For example, to match a non-TCP packet originating from IP address 172.28.100.52:

host1(config)#ip classifier-list YourListName not tcp host 172.28.100.52 any

• Use the protocol option to match a specific protocol number or to match only packets of one of the following protocol types:

• ip—IP protocol attributes, such as source and destination IP address and mask
• icmp—ICMP protocol attributes, such as source and destination IP address and mask, ICMP type and code
• igmp—IGMP protocol attributes, such as source and destination IP address and mask, and IGMP type
• tcp—TCP protocol attributes, such as source and destination IP address and mask, and source and destination TCP operator and port
• udp—UDP protocol attributes, such as source and destination IP address and mask, and source and destination UDP operator and port

• Use the sourceAddress and destinationAddress options to classify traffic based on source and destination addresses. You can specify the address as a host address, a subnet, or a wildcard. If you specify the address as a subnet, the mask, in binary notation, must be a series of contiguous zeros, followed by a series of contiguous ones. The any keyword is the address wildcard, matching traffic for any address.

• In the following example, traffic is classified on any source or destination address:

host1(config)#ip classifier-list YourListName ip any any 

• In the following example, traffic is classified on source host address 10.10.10.10 and any destination address:

host1(config)#ip classifier-list YourListName ip host 10.10.10.10 any 

• In the following example, traffic is classified on source address subnet 10.10.x.x and destination host address 10.10.10.2:

host1(config)#ip classifier-list YourListName ip 10.10.0.0 0.0.255.255 host 
10.10.10.2 

• Use the sourceQualifier option to specify a single TCP or UDP port or a range of ports. The sourceQualifier option is composed of:

• portNumber—Single port number or the beginning of a range of port numbers
• portOperator—One of the following:

• eq—equal to
• lt—less than
• gt—greater than
• neq—not equal to
• range—range of ports

• toPortNumber—End of a range of port numbers

For example, the following command matches packets with source address 198.168.30.100 and UDP source port numbers in the range 1-10:

host1(config)#ip classifier-list YourListName udp host 192.168.30.100 range 1 
10 any

• Use multiple elements in classifier lists to configure classification to match any of multiple field combinations. The behavior of multiple-element classifier-list classification is the logical OR of the elements in the CLACL. For example, to match all packets that have a source IP address of 192.168.30.100 or have a destination IP address of 192.168.30.200:

host1(config)#ip classifier-list boston5 ip host 192.168.30.100 any 

host1(config)#ip classifier-list boston5 ip any host 192.168.30.200 

The classifier control list boston5 matches all packets with the source IP address of 192.168.30.100 or with the destination IP address of 192.168.30.200.

• Use the following keywords to configure classification to match route-class values:

• source-route-class—Classifies on packets associated with a route class based on the packet's source address; route-class range is 0-255; default is 0.
• destination-route-class—Classifies on incoming packets associated with a route class based on the packet's destination address; route-class range is 0-255; default is 0.
• local true—Matches packets that are destined to a local interface.
• local false—Matches packets that are traversing the router; this is the default setting.

For example:

host1(config)#ip classifier-list svale20 source-route-class 1 ip any any 

host1(config)#ip classifier-list svale30 destination-route-class 1 ip any any tos 10

host1(config)#ip classifier-list svale40 source-route-class 1 local true ip any any 

host1(config)#ip classifier-list west25 source-route-class 1 local false ip any any 

In the previous example, classifier control lists match route-class values as follows:

• svale20 matches the source address lookup route-class value of 1.
• svale30 matches the destination address lookup route-class value of 1 and a ToS byte value of 10.
• svale40 matches the source address lookup route-class value of 1 and the packets destined to a local interface.
• west20 matches the source address lookup route-class value of 1 and packets that are not destined for a local interface (packets destined for remote interfaces).

• Use the following keywords to match the ToS byte in the IP header:

• tos—Specifies the use of the whole 8 bits of the ToS byte; range is 0-255; for example:

host1(config)#ip classifier-list tos128 ip any any tos 128

• dsfield—Specifies the use of the upper 6 bits of the ToS byte; range is 0-63; for example:

host1(config)#ip classifier-list low-drop-prec ip any any dsfield 10

• precedence—Specifies the use of the upper 3 bits of the ToS byte; range is 0-7; for example:

host1(config)#ip classifier-list priority ip any any precedence 1

• Use the destinationQualifier option to specify a single TCP or UDP port or range of ports, an ICMP code and optional type, or an IGMP type. The destinationQualifier option is composed of the following suboptions:

• portNumber—Single port number or the beginning of a range of port numbers (TCP and UDP only)
• portOperator—One of the following (TCP and UDP only):

• eq—Equal to
• lt—Less than
• gt—Greater than
• neq—Not equal to
• range—Range of ports

• toPortNumber—End of a range of port numbers (TCP and UDP only)
• icmpType—ICMP message type (ICMP only)
• icmpCode—ICMP message code (ICMP only)
• igmpType—IGMP message type (IGMP only)

For example, the following command matches packets with source address 198.168.30.100 and ICMP type 2 and code 10:

host1(config)#ip classifier-list YourListName icmp host 192.168.30.100 any 2 
10

• Use the tcp-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the following TCP flags: ack, fin, psh, rst, syn, urg. For example:

host1(config)#ip classifier-list telnetConnects tcp 192.168.10.0 0.0.0.255 host 
10.10.10.10 eq 23 tcp-flags "syn & !ack" 

• Use the ip-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the following IP flags: dont-fragment, more-fragments, reserved. For example:

host1(config)#ip classifier-list dontFragment ip any any ip-flags "dont-fragment"

• For both IP flags and TCP flags, if you specify only a single flag, the logical equation does not require quotation marks.
• Use the ip-frag-offset keyword and the eq or gt operator to match an IP fragmentation offset equal to 0, 1, or greater than 1.

For example, the following commands configure a policy to filter fragmentation offsets equal to 1:

host1(config)#ip classifier-list fragOffsetAttack ip any host 10.10.10.10 
ip-frag-offset eq 1

host1(config)#ip policy-list dosProtect

host1(config-policy-list)#filter classifier-group fragOffsetAttack

host1(config-policy-list)#forward

• Use the traffic-class keyword to match packets with a traffic class that you defined using the traffic-class command.
• Use the color keyword to match on one of the following:

• green—Matches packets with color green, indicating a low drop preference
• yellow—Matches packets with color yellow, indicating a medium drop preference
• red—Matches packets with color red, indicating a high drop preference
• user-packet-class—Matches packets with the specified user packet class value

• Use the no version to remove the classifier control list.

Examples: IP CLACLs

To set up a CLACL to accept IP traffic from all source addresses on the subnet of XYZ Corp:

host1(config)#ip classifier-list XYZCorpPermit ip 192.168.0.0 0.0.255.255 any

To create a CLACL that filters all ICMP echo requests headed toward an access link for XYZ Corp under a denial-of-service attack:

host1(config)#ip classifier-list XYZCorpIcmpEchoReqs icmp any any 8 0

To create a CLACL that matches all IGMP type 1 packets:

host1(config)#ip classifier-list XYZCorpIgmpType1 igmp any any 1

To create a CLACL that matches all traffic on UDP source ports greater than 100:

host1(config)#ip classifier-list XYZCorpUdp udp any gt 100 172.17.2.1 
0.0.255.255 

ipv6 classifier-list

• Use to create or modify an IPv6 classifier control list.
  

  NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.

  
  
• Use the following keywords to configure the list:

• traffic-class—Matches packets with a traffic class that you defined using the traffic-class command
• color

• green—Matches packets with color green, indicating a low drop preference
• yellow—Matches packets with color yellow, indicating a medium drop preference
• red—Matches packets with color red, indicating a high drop preference

• user-packet-class—Matches packets with the specified user packet class value

• Use the protocol option to match a specific protocol number and specify protocol attributes:

• icmpv6—ICMP type and code
• tcp—TCP protocol attributes, such as source and destination port, and source and destination TCP operator and port
• udp—UDP protocol attributes, such as source and destination port

• For TCP and UDP, use the portQualifier option to specify a single port or a range of source or destination ports. The portQualifier option is composed of:

• portNumber—Single port number or the beginning of a range of port numbers
• toPortNumber—End of a range of port numbers
• portOperator—One of the following:

• eq—equal to
• lt—less than
• gt—greater than
• neq—not equal to
• range—range of ports

For example, the following command matches packets from port 75:

host1(config)#ipv6 classifier-list YourListName udp destination-port eq 75 

• For TCP, use the tcp-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the following TCP flags: ack, fin, psh, rst, syn, urg. For example:

host1(config)#ipv6 classifier-list telnetConnects tcp destination-port eq 23 
tcp-flags "syn & !ack" 

• For ICMPv6, use the icmp-type option to specify the icmpType and icmpCode parameters:

• icmpType—ICMP message type; in the range 0-255
• icmpCode—ICMP message code; in the range 0-255

For example, the following command matches ICMPv6 packets with an ICMP type of 3 and code of 6:

host1(config)#ipv6 classifier-list listname icmpv6 icmp-type 3 icmp-code 6

• Use the following keywords to configure classification to match route-class values:

• source-route-class—Classifies on packets associated with a route class based on the packet's source address; route-class range is 0-255; default is 0.
• destination-route-class—Classifies on incoming packets associated with a route class based on the packet's destination address; route-class range is 0-255; default is 0.
• local true—Matches packets that are destined to a local interface.
• local false—Matches packets that are traversing the router; this is the default setting.

For example:

host1(config)#ipv6 classifier-list svale20 source-route-class 1 

host1(config)#ipv6 classifier-list svale30 destination-route-class 1 tcfield 10

host1(config)#ipv6 classifier-list svale40 source-route-class 1 local true 

host1(config)#ipv6 classifier-list west25 source-route-class 1 local false

In the previous example, classifier control lists match route-class values as follows:

• svale20 matches the source address lookup route-class value of 1.
• svale30 matches the destination address lookup route-class value of 1 and a traffic-class value of 10.
• svale40 matches the source address lookup route-class value of 1 and the packets destined to the local interface.
• west25 matches the source address lookup route-class value of 1 and packets that are not destined for the local interface (packets destined for remote interfaces).

• Use the source-address, source-host, destination-address, and destination-host options to classify traffic based on source and destination addresses. You can specify the address as an IPv6 address or an IPv6 prefix. In the following example, traffic is classified on source host address 2001:db8:1::8001 and destination address 2001:db8:3::/48:

host1(config)#ipv6 classifier-list YourClaclList source-host 2001:db8:1::8001 
destination-address 2001:db8:3::/48

• Use the following keywords to specify traffic class information in the IPv6 header:

• tcfield—Specifies the use of the whole 8 bits of the traffic-class byte; range is 0-255
• dsfield—Specifies the use of the upper 6 bits of the traffic-class byte; range is 0-63
• precedence—Specifies the use of the upper 3 bits of the traffic-class byte; range is 0-7

• Example

host1(config)#ipv6 classifier-list ipv6classifier color red user-packet-class 5 
tcfield 10 

• Use the no version to remove the classifier control list.

l2tp classifier-list

• Use to create or modify an L2TP classifier control list.
  

  NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.

  
  
• Use the following keywords to configure the list:

• traffic-class—Matches packets with a traffic class that you defined using the traffic-class command
• color

• green—Matches packets with color green, indicating a low drop preference
• yellow—Matches packets with color yellow, indicating a medium drop preference
• red—Matches packets with color red, indicating a high drop preference

• user-packet-class—Matches packets with the specified user packet class value

• Example

host1(config)#l2tp classifier-list l2tpclassifier color red user-packet-class 7

• Use the no version to remove the classifier control list.

mpls classifier-list

• Use to create or modify an MPLS classifier control list.
  

  NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.

  
  
• Use the following keywords to configure the list:

• traffic-class—Matches packets with a traffic class that you defined using the traffic-class command
• color

• green—Matches packets with color green, indicating a low drop preference
• yellow—Matches packets with color yellow, indicating a medium drop preference
• red—Matches packets with color red, indicating a high drop preference

• user-packet-class—Matches packets with the specified user packet class value
• exp-bits—Specifies the value of the EXP bit to match in the range 0-7
• exp-mask—Specifies the mask applied to the EXP bits in the range 1-7

• Example

host1(config)#mpls classifier-list mplsClass user-packet-class 10 exp-bits 3 
exp-mask 5

• Use the no version to remove the classifier control list.

vlan classifier-list

• Use to create or modify a VLAN classifier control list.
  

  NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.

  
  
• Use the following keywords to configure the list:

• traffic-class—Matches packets with a traffic class that you defined using the traffic-class command
• color

• green—Matches packets with color green, indicating a low drop preference
• yellow—Matches packets with color yellow, indicating a medium drop preference
• red—Matches packets with color red, indicating a high drop preference

• user-packet-class—Matches packets with the specified user packet class value
• user-priority—Specifies the value of the user-priority bits, which you define in the policy list

• Example

host1(config)#vlan classifier-list lowLatencyLowDrop user-priority 7

host1(config)#vlan classifier-list lowLatencyLowDrop user-priority 6

host1(config)#vlan classifier-list lowLatency user-priority 5

host1(config)#vlan classifier-list excellentEffort user-priority 4

host1(config)#vlan classifier-list bestEffort user-priority 3

host1(config)#vlan classifier-list bestEffort user-priority 2

host1(config)#vlan classifier-list bestEffort user-priority 1

host1(config)#vlan classifier-list bestEffort user-priority 0

• Use the no version to remove the classifier control list.