Define Class Map Matches
With a class map defined and given a name, you must assign a match parameter to the class
map. This parameter will match traffic using the packet content, Layers 3 to 7. Examples of
content would be voice, video, or HTTP. When assigning a match criterion, you can assign
one match command to a class map, with the exception of the tunnel-group and defaultinspection-
traffic criteria. Use the match command to assign match criteria to a class map.
A class map can match to nine criteria. The match commands for each are as follows:
■ access-list {access-list name} —Match using a predefined access list. If a packet fails to
match an entry in the access list or matches a deny statement in the access list, the match
will result in a no-match. Otherwise, if the packet matches a permit statement in the
access list, the match results in a match.
■ any—Match on any traffic flow or content. The class-map class-default command uses
this match criterion as its default.
■ dscp {DSCP value}—Match on the IETF-defined Differential Service Code Point (DSCP)
field in the IP header defined in the ToS byte.
■ flow ip destination-address—Keyword pair specifies to match the destination address
within a tunnel group. This match criterion must be used with the tunnel group criteria.
■ port tcp | udp {eq n | range n1 n2}—Match using a TCP or UDP destination port.
■ precedent {precedent value}—Matches the precedence value in the TOS byte in the IP
header.
■ RTP — Match using RTP destination ports. This allows matching using a range of
destination UDP ports.
■ tunnel-group {tunnel-group name}—Matches tunnel traffic. This match criterion can
only be used with quality of service (QoS) configurations.
■ default-inspection-traffic—Matches default traffic for the inspect command in a policy
map.
The tunnel-group command, an exception to the single match statement rule, matches a
previously configured tunnel group as its first match criteria. An additional match criterion
can be added to the class map already configured to match tunnel groups. This second match
criteria will apply to traffic within that specific tunnel group.
Additionally, the default-inspection-traffic command can also be assigned a second match
criterion. In a class map with a default-inspection-traffic command and a second match
command, the class map will logically combine the two matches for use in an inspect
command assigned in a policy map. Example 8-1 provides several examples of class map
configurations.