## Overview

Cisco IOS-XE uses several different configuration structures to deploy dynamic configurations. These structures act as logical functions that evaluate traffic and return values used by other network features. Understanding how these structures work logically helps you design more effective network policies.


| Object      | Purpose                                                                                                                                       |
| ----------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| Access-List | Identify traffic based on first match, then return true or false.                                                                             |
| Route-Map   | Matches based on an ACL then sets an L3 setting like for PBR, BGP Policy, or Redistribution.                                                  |
| Class-Map   | Classification structures that return true or false based on all or any conditions defined, which can be of types ACL, DSCP, CoS, NBAR2, etc. |
| Access-Map  | Functions like a class-map but includes actions forward or drop, for use with VACLs.                                                          |
| Policy-Map  | Takes action on traffic defined by class-maps. Most commonly used for QoS.                                                                    |

## Access List

Access lists are essentially functions that take in a packet and return a true or false value (permit or deny) based on a set of conditions.

#### Creating an Access List

```
ip access-list extended TELNET
 permit tcp 192.168.1.0 0.0.0.255 any eq 23
```

This access list permits TCP traffic from the 192.168.1.0/24 network to any destination on port 23 (Telnet). All other traffic is implicitly denied.

#### Applying to an Interface

```
interface GigabitEthernet1/1
 ip access-group TELNET in
```

Traffic that receives "PERMIT" is forwarded normally. Traffic that receives "DENY" is dropped.

> **Important:** When applied directly to interfaces, ACLs serve to forward or drop traffic. However, ACLs are also used by other features (route-maps, class-maps, NAT, etc.) where they simply return PERMIT or DENY as input for additional logic. The ACL itself doesn't forward or drop traffic in these cases - it just provides a match result.

## Route Map

Route-maps are structures that combine matching criteria with actions. Unlike ACLs, which simply return permit or deny, route-maps evaluate conditions in sequence order and then perform specific actions on matching traffic or routes.

#### Route-Map for PBR

```
ip access-list extended VOICE-TRAFFIC
 permit udp any any range 16384 32767

route-map PBR-EXAMPLE permit 10
 match ip address VOICE-TRAFFIC
 set ip next-hop 10.1.1.1

route-map PBR-EXAMPLE permit 20

interface GigabitEthernet0/1
 ip policy route-map PBR-EXAMPLE
```
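The ACL and PBR sections above describe two evaluation rules that are easy to get wrong in practice: an ACL is decided by its first matching entry (with an implicit deny at the end), and a route-map is decided by its first sequence whose match clause permits the packet. The following Python model is an added illustration written for this page; it is not Cisco code and it reproduces only the subset of ACL syntax the page uses (`any`, network/wildcard pairs, `eq` and `range` destination ports). The `TELNET`, `VOICE-TRAFFIC` and `PBR-EXAMPLE` definitions are transcribed from the page; the `SHADOWED` ACL is a constructed example of an ordering mistake, where a host-specific deny placed below a broader permit can never fire.

```python
import ipaddress
from dataclasses import dataclass

# --- constructed packet and ACL model (illustration only, not Cisco code) ---

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    src: str             # "any" or "<network> <wildcard>"
    dst: str             # "any" or "<network> <wildcard>"
    ports: tuple = None  # (low, high) destination port range; None = any port

def _addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def acl_lookup(acl, pkt: Packet) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.ports is not None and not (e.ports[0] <= pkt.dport <= e.ports[1]):
            continue
        return e.action
    return "deny"

@dataclass(frozen=True)
class RouteMapSeq:
    seq: int
    action: str              # "permit" or "deny"
    match_acl: tuple = None  # ACL entries; None = no match clause, i.e. matches everything
    set_next_hop: str = None

def pbr_next_hop(route_map, pkt: Packet):
    """Sequences are tried in ascending order; the first whose match clause
    permits the packet is used. A permit sequence applies its set clause; a
    deny sequence, or no matching sequence at all, yields None, meaning the
    packet is forwarded by the normal routing table."""
    for s in sorted(route_map, key=lambda s: s.seq):
        if s.match_acl is not None and acl_lookup(s.match_acl, pkt) != "permit":
            continue
        return s.set_next_hop if s.action == "permit" else None
    return None

# Page's TELNET ACL: permit tcp 192.168.1.0 0.0.0.255 any eq 23
TELNET = [AclEntry("permit", "tcp", "192.168.1.0 0.0.0.255", "any", (23, 23))]

# Constructed ordering mistake: the deny for one host sits below a broader permit
# that already covers it, so the deny entry is shadowed and never evaluated.
SHADOWED = [
    AclEntry("permit", "tcp", "192.168.1.0 0.0.0.255", "any", (23, 23)),
    AclEntry("deny", "tcp", "192.168.1.5 0.0.0.0", "any", (23, 23)),
]
FIXED = list(reversed(SHADOWED))  # specific deny first, then the broad permit

# Page's PBR example: VOICE-TRAFFIC ACL and route-map PBR-EXAMPLE
VOICE_TRAFFIC = (AclEntry("permit", "udp", "any", "any", (16384, 32767)),)
PBR_EXAMPLE = [
    RouteMapSeq(10, "permit", VOICE_TRAFFIC, "10.1.1.1"),
    RouteMapSeq(20, "permit"),  # no match clause: everything else; no set -> normal routing
]

if __name__ == "__main__":
    print(acl_lookup(TELNET, Packet("tcp", "192.168.1.10", "10.0.0.1", 23)))      # permit
    print(acl_lookup(SHADOWED, Packet("tcp", "192.168.1.5", "10.0.0.1", 23)))     # permit (deny shadowed)
    print(acl_lookup(FIXED, Packet("tcp", "192.168.1.5", "10.0.0.1", 23)))        # deny
    print(pbr_next_hop(PBR_EXAMPLE, Packet("udp", "10.0.0.5", "10.0.0.9", 20000)))  # 10.1.1.1
```

Running the script shows why entry order is a review item for any ACL change: the same two entries give opposite answers for 192.168.1.5 depending on which comes first, and the device will accept both orderings without complaint. The empty `permit 20` sequence in `PBR-EXAMPLE` is what keeps non-voice traffic on the normal routing path; without it the route-map still falls through to normal routing, but a trailing sequence with a `set` clause would instead redirect everything else.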

#### Route-Map for BGP Policy

```
route-map BGP-IN permit 10
 match ip address prefix-list CUSTOMERS
 set local-preference 200

router bgp 65000
 neighbor 10.1.1.1 route-map BGP-IN in
```

#### Route-Map for BGP Route Redistribution

```
route-map REDIST-OSPF permit 10
 match ip address prefix-list INTERNAL
 set metric 100

router bgp 65000
 redistribute ospf 1 route-map REDIST-OSPF
```

## Class Map

Class-maps are classification structures that identify and group traffic based on specific criteria. Unlike ACLs, which return permit or deny based on the first matching entry, class-maps return "matches this class" or "does not match this class" for use by policy-maps.

When on the CLI, you'll notice there are multiple options to match against:

```
Router(config)#class-map CLI_CLASS

Router(config-cmap)#?
Class-map configuration commands:
  description  Class-Map description
  exit         Exit from class-map configuration mode
  match        classification criteria
  no           Negate or set default values of a command

Router(config-cmap)#match ?
  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  dscp                 Match DSCP in IPv4 and IPv6 packets
  precedence           Match Precedence in IPv4 and IPv6 packets
  protocol             Protocol
  vlan                 VLANs to match
  ...
```

> Note that class-maps can be configured two ways, `match-all` (logical AND) or `match-any` (logical OR), which correspond to Boolean operators. In the `CLI_CLASS` example below, the class-map returns `true` if the traffic is either Telnet or SSH.

#### Class-Map using ACLs

```
ip access-list extended TELNET
 permit tcp any any eq 23
ip access-list extended SSH
 permit tcp any any eq 22

class-map match-any CLI_CLASS
 match access-group name TELNET
 match access-group name SSH
```

#### Class-Map using DSCP/CoS

```
class-map match-all VOICE_CLASS
 match dscp ef
 match cos 5
```

#### Class-Map using Protocol (NBAR2)

```
class-map match-any COLLABORATION_CLASS
 match protocol webex
 match protocol ms-teams
```

> **Important:** Class-maps cannot be applied to interfaces or protocols directly; they have to be referenced from a policy-map.

#### Access-Maps for VLANs

Access-maps are a special kind of class-map that can also be assigned an action (forward or drop).

```
vlan access-map DROP_TELNET 10
 match ip address TELNET
 action drop log

vlan access-map DROP_TELNET 20
 action forward

vlan filter DROP_TELNET vlan-list 10
```

This behavior differs from the normal function of class-maps, but I have placed it here since the syntax matches that of class-maps.

## Policy Map

Policy-maps define actions to take on traffic classified by class-maps. While class-maps identify traffic, policy-maps specify what to do with that traffic. Policy-maps are the action engine of the Modular QoS CLI (MQC) framework.

#### Creating a Policy-Map

```
class-map VOICE
 match dscp ef

class-map VIDEO
 match dscp af41

policy-map QOS-POLICY
 class VOICE
  priority percent 20
  police rate 512000
   conform-action transmit
   exceed-action drop
 class VIDEO
  bandwidth remaining percent 40
 class class-default
  bandwidth remaining percent 60
  random-detect dscp-based
```

#### Policy-Map Actions

Policy-maps can apply various actions depending on the context:

**QoS Actions:**

- `priority` - Priority queueing (LLQ)
- `bandwidth` - Guarantee minimum bandwidth
- `police` - Rate limiting
- `set` - Mark or remark traffic
- `shape` - Traffic shaping
- `random-detect` - WRED configuration

#### Applying a Policy-Map

```
interface GigabitEthernet0/1
 service-policy output QOS-POLICY
```

1. A packet is sent out GigabitEthernet0/1 (the service policy is applied in the output direction)
2. Evaluated against the VOICE class-map (DSCP EF?)
	1. If match: apply priority queueing and policing
3. If no match, evaluated against the VIDEO class-map (DSCP AF41?)
	1. If match: apply bandwidth allocation
4. If no match, traffic goes to class-default
	1. Apply default bandwidth allocation and WRED
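The class-map note on `match-all` versus `match-any` and the policy-map walk-through just above describe two pieces of logic: how a single class-map combines its match statements, and how a policy-map tries its classes top to bottom until one fires. The following Python model is an added illustration written for this page, not Cisco code; it supports only the `dscp`, `cos` and `protocol` match types the page shows. `VOICE_CLASS`, `VOICE`, `VIDEO` and `QOS-POLICY` are transcribed from the page, and the two `COLLABORATION_CLASS` variants show the caveat that a `match-all` class with two different `match protocol` statements can never match a single flow, because a flow is only ever one NBAR2 application. The sample frames are constructed.

```python
from dataclasses import dataclass

# --- constructed frame and class-map model (illustration only, not Cisco code) ---

@dataclass(frozen=True)
class Frame:
    dscp: str = "default"  # DSCP name as IOS prints it: ef, af41, default, ...
    cos: int = 0           # 802.1p CoS value
    app: str = None        # NBAR2 application name, e.g. "webex"

@dataclass(frozen=True)
class ClassMap:
    name: str
    mode: str       # "match-all" (AND) or "match-any" (OR)
    matches: tuple  # ("dscp", "ef"), ("cos", 5), ("protocol", "webex"), ...

def _match_one(kind: str, value, frame: Frame) -> bool:
    """Evaluate a single `match` statement against the frame."""
    if kind == "dscp":
        return frame.dscp == value
    if kind == "cos":
        return frame.cos == value
    if kind == "protocol":
        return frame.app == value
    raise ValueError(f"unsupported match type: {kind}")

def class_matches(cm: ClassMap, frame: Frame) -> bool:
    """match-all requires every clause to hold; match-any needs just one."""
    results = [_match_one(k, v, frame) for k, v in cm.matches]
    return all(results) if cm.mode == "match-all" else any(results)

def classify(policy, frame: Frame) -> str:
    """Policy-map classes are evaluated top to bottom; the first class-map that
    matches owns the packet and later classes are never consulted. Anything
    that matches nothing lands in class-default."""
    for cm in policy:
        if class_matches(cm, frame):
            return cm.name
    return "class-default"

def count_by_class(policy, frames) -> dict:
    """Tally which class each frame of a sample would fall into."""
    tally = {}
    for f in frames:
        name = classify(policy, f)
        tally[name] = tally.get(name, 0) + 1
    return tally

# Page's class-maps; a plain `class-map NAME` defaults to match-all
VOICE_CLASS = ClassMap("VOICE_CLASS", "match-all", (("dscp", "ef"), ("cos", 5)))
VOICE = ClassMap("VOICE", "match-all", (("dscp", "ef"),))
VIDEO = ClassMap("VIDEO", "match-all", (("dscp", "af41"),))

# Two protocol matches: match-all can never be satisfied by one flow, match-any can
COLLAB_AND = ClassMap("COLLABORATION_CLASS", "match-all",
                      (("protocol", "webex"), ("protocol", "ms-teams")))
COLLAB_OR = ClassMap("COLLABORATION_CLASS", "match-any",
                     (("protocol", "webex"), ("protocol", "ms-teams")))

# Page's QOS-POLICY, in the order its `class` statements appear
QOS_POLICY = [VOICE, VIDEO]

# Constructed sample: two EF frames (one also CoS 5), one AF41, one AF21, one unmarked
SAMPLE = [Frame("ef", 5), Frame("ef", 0), Frame("af41"), Frame("af21"), Frame()]

if __name__ == "__main__":
    print(class_matches(COLLAB_AND, Frame(app="webex")),   # False
          class_matches(COLLAB_OR, Frame(app="webex")))    # True
    print(count_by_class(QOS_POLICY, SAMPLE))  # {'VOICE': 2, 'VIDEO': 1, 'class-default': 2}
```

The `count_by_class` helper is the check worth running before pushing a policy change: feed it the markings you expect on the wire and confirm nothing you intended to prioritise is silently falling into `class-default`, which is exactly what the `match-all` form of `COLLABORATION_CLASS` would cause.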

