Basic Classification and How to Build Classification Filters

Basic Classification and How to Build Classification Filters

An Introduction to Classification 

The process of Classification is one which takes all Ingress Packets on a particular interface and filters those packets according to a user defined set of filters otherwise known as Ingress Flow Classes and channels the resulting packets into one or many bandwidth partitions. This process allows a user to define different bandwidth partitions to handle traffic appropriately which might be Best Effort or Guaranteed with or without Priorities.

In its simplest form a classification filter or rule comprises of a standard Address Based Access Control List which contains one or many Entries each of which defines a standard 5 tuple of Source Address, Source Port, Destination Address, Destination Port and Protocol.

Thus when an ingress packet matches the ACL it can then be managed according to the bandwidth available in the bandwidth partitions to which it has been assigned. Other more complex “Matching” criteria can be defined and included in an STM classification filter some of which will be covered later in this document.

In terms of the STM there are five major components to creating and successfully implementing a classification filter or rule, which are:
  1. Access Control Lists – the STM has a default ACL that looks for ANY address and port with a protocol of IP, others can be defined by a user at any time.
  2. Egress Flow Classes – an Egress Flow Class when defined is simply a name which becomes a bandwidth partition name when added as a policy entry to an Egress Policy Map. There may be as few as two Egress Flow Classes in an Egress Policy Map or many when bandwidth partitions are required for different traffic types or applications.
  3. Egress Policy Maps – into which policies are defined where each policy contain an Egress Flow Class, it is the definition of an Egress Policy that creates a Bandwidth Partition with upstream and downstream rate together with priorities and guarantees.
  4. Ingress Flow Classes – which are the actual matching criteria definitions containing a link to the Bandwidth Partition to be used when the classification filter or rule returns a match
  5. Ingress Policy Maps – contains a sequence based set of classification filters or rules evaluated by sequence number starting with the lowest and working to the highest. Care is required here to ensure all rules are configured as Ingress Policies in the correct sequential order.
In general the order of creation is important since certain elements cannot be created without the existence of the other prerequisite items. The order of creation in the list shown above would be a good reference model to follow.

The diagram below gives a diagrammatic representation of what is actually happened after rules have been created and deployed.


Example – Classify a Specific Subnet

As an example we will create an ACL to manage ALL data from the subnet 192.168.10.0/24 and pass it through a Best Effort Bandwidth Partition of 50Mbps Upstream and Downstream using the default Priority while sharing the available bandwidth between hosts equally.

Creating an Access Control List

From the GUI perspective creating an ACL is achieved by selecting the “ACLs” entry in the Navigation tree and from the right mouse click menu choose the “New ACL” option:


Once the new ACL name has been created the ACL can be expanded in the Navigation tree and a “New ACL Entry” containing the subnet details can be configured:


As can be seen there are several options available:
  1. Source Subnet – defines the source IP addresses that will match the entry, the subnet mask is define as a bit count using the /xx format as shown – above we see a Class C subnet with individual hosts being defined by using a /32 count.
  2. Source Ports – a list of port number comma separated, a blank entry indicates that ALL source port numbers will match.
  3. Destination Subnet – defined using the same syntax as the Source Subnet and when left blank indicates that ANY destination is acceptable.
  4. Destination Ports – acts in the same way as Source Ports but in connection to the Destinaion Subnet and when left blank means ALL or ANY port number is acceptable.
  5. DSCP – is an STM enhancement to standard ACL’s allowing the user to match on a specific Diff Serve Code Point value.
Although the above definition appears to only define a single direction for the Access Control List Entry this is actually NOT the case as the STM simplifies the definition, by default it will create the reverse direction automatically for the user meaning that this ACL Entry will not only look into a packet header for a Source IP Address belonging to the required subnet but it will also do a symmetrical search for packet going to an IP address in the subnet as a Destination address.

Creating an Egress Flow Class

Egress Flow Classes are the prerequisite elements required to link a classification filter known as Ingress Flow Classes in the STM to the filters bandwidth partition on the Egress interface. The intial definition is achieved by selecting the Egress Flow Classes entry in the Navigation tree followed by the “New Egress Flow Class” menu option:


It s worth mentioning at this point that choosing the right naming convention will help when reviewing a configuration, in this example I am using the same name or variations of since each collection in the Navigation tree has it’s own name space allowing the same name to be used in each collection.

Creating an Egress Policy Map

An Egress Policy Map is a container for the Bandwidth Partitions or Policies that are in use on each interface defined to be peer interfaces within the STM. Once defined an Egress Policy Map can be populated with individual policies containing the bandwidth definitions, priorities and associated guarantees linked to the defined Egress Flow Classes.

As with everything in the GUI we start by selecting the Egress Policy Maps entry in the Navigation tree and choose the “New Egress Polcy Map” menu option, this will then display a configuration window. For this example we will create a policy map called “ExampleEPM”:


Now that the Egress Policy Map has been defined we can move to adding policies, while this example will add a policy to the newly created Egress Policy Map the same method is used to add to an existing Egress Policy Map.

Creating New Egress Policy Entries or Bandwidth Partitions

We start by expanding the Egress Policy Maps entry in the Navigation tree followed by expanding the desired Policy Map entry until the Policies entry is seen, once visible we once again select the high level Policies entry then choose the “New Egress Policy” menu option resulting in: 


While there are many options the ones of interest for this Basic Tech Tip are as follows:
  1. Assured – this check box changes a policy from Best Effort when not checked to Guaranteed when checked. This also defines how any of the Rate parameters are handled. When check the Rate values become guaranteed MINIMUMS meaning that the rate will always be available to flows using the partition or policy and if extra is available the rule can use it. While if not checked, the defined rates become the absolute MAXIMUM bandwidth that the classification rule can use.
  2. Downstream Rate – this defines the rate available to traffic from the Internet to the User, qualified by the Assured parameter.
  3. Egress Flow Class – is the name of the previously defined Egress Flow Class that this Policy is being created to allocate and manage bandwidth for, it will be seen later that this parameter links to and is called out by an Ingress Flow Class.
  4. Host Equalization – when checked this causes the available bandwidth for the Policy to be shared equally to all host currently using the Policy which means hosts with few flows have the same bandwidth available to them as the hosts with many more flows. When unchecked bandwidth n the Policy will be allocated based on the number of active flows using the Policy which means a host with say 20 flows will be allocated 20 times the bandwidth of a host with a single flow.
  5. Rate – this is allows the user to specify a single bandwidth value and in the absence of the Upstream and Downstream Rate values it will be used in for both directions.
  6. Rate Multiplier – defines the priority for bandwidth allocation, the default is 1 with a range of 0.1 to 10. In simple terms the higher the value the more bandwidth will be allocated to the partition when congestion occurs.
  7. Upstream Rate – this defines the rate available to traffic from the User to the Internet, qualified by the Assured parameter.

Creating an Ingress Flow Class or Classification Rule

Ingress Flow Classes are basically a list of “Match” requirements which for the most part are AND'ED together and if the result is true causes a flow matching the test to be allocated bandwidth from the Bandwidth Partition defined by the Egress Flow Class that the rule contains.

To configure a new Ingress Flow Class we once again select an entry in the Navigation tree in this case it is the Ingress Flow Classes entry and from here we choose the “New Ingress Flow Class” menu item which ultimately causes the configuration window to be displayed:


As far as this “Basic Classification” example goes we will concentrate on a limited number of the optional parameters displayed in the New Ingress Flow Class windows as follows:
  1. ACL – this is the address filter to be applied, each ACL can have one or many entries and while in this example we are using the 192.168.10.0/24 subnet the field can be left blank which is a special case that causes the STM to use the built in default ACL for IP ANY ANY which means ANY IPv4 or IPv6 address will match.
  2. Application – while not used in this example can be defined to match on a specific application known to the system, as an example a user may want to handle SIP traffic in a special way, in this case since we may not know the host IP address running SIP we would use the built in ACL and leave the ACL field blank while adding the “sip” application to the Application field. Note when entering the name of an application into the field the system will offer a filtered list based on the characters entered.
  3. Egress Flow Class – defines the Egress Flow Class name that MUST exist within an Egress Policy contained in the Egress Policy Map attached to the Physical Interface or sub-interface if defined and used. This is how the STM knows where find allocate bandwidth from with associated guarantees and priority.
See other Tech Tips for understanding other parameters in this window.

Creating an Ingress Policy Map

An Ingress Policy Map is a container for the Classification Filters or Rules that all traffic is evaluated against that are in use on each interface defined to be peer interfaces within the STM. Once defined an Ingress Policy Map can be populated with individual policies containing the Rule definition together with other optional parameters.

As with everything in the GUI we start by selecting an entry in the Navigation tree, in this case it is the Ingress Policy Maps entry in the Navigation tree and choose the “New Ingress Policy Map” menu option, this will then display a configuration window. For this example we will create a policy map called “ExampleIPM”:



Now that the Ingress Policy Map has been defined we can move to adding policies, while this example will add a policy to the newly created Ingress Policy Map the same method is used to add to an existing Ingress Policy Map.

Creating New Ingress Policy Entries or Classification Filters/Rules

We start by expanding the Ingress Policy Maps entry in the Navigation tree followed by expanding the desired Policy Map entry until the Policies entry is seen, once visible we now the high level Policies entry and choose the “New Ingress Policy” menu option resulting in:


Of the parameters listed we are interested in the following:
  1. Ingress Flow Class – the name of the Classification Rule created previously.
  2. Sequence – this is a numeric value used to order the Policy Map into the correct sequence for classification, in other words the order the rules are evaluated in. Care needs to be exercised here since the STM will use the first match it finds from within the rule set. Sequence numbers are evaluated starting with the lowest numerically and ending with the highest. This means that if you have a generic ALL data rule for a specific subnet which this example is then if you create a separate rule for the same subnet to carry VOIP traffic then that rule would need a lower sequence number than the ALL data rule
All other parameters will be covered in a separate Tech Tip on Ingress Flow Class and Ingress Policy Map definitions and configurations.

In Conclusion

The above steps will guarantee that any new rule becomes active with the final step of adding the rule to the active policy maps, if new Policy Maps have been defined then it will be necessary to reconfigure the interface to which the policy maps apply.

Have more questions? Please submit a ticket to support@saisei.com