match access-group name [acl]
Matches packets against a named or numbered access list to classify traffic for QoS policy application.
match access-group name [acl]
When to Use This Command
- Classify HTTP traffic from a specific subnet for bandwidth prioritization
- Match VoIP traffic (e.g., RTP) based on ACL to apply low-latency queuing
- Identify and mark traffic from a specific host for traffic policing
- Classify management traffic (e.g., SSH) to ensure it is not dropped during congestion
Command Examples
Match HTTP traffic from subnet 192.168.1.0/24
match access-group name HTTP-ACL
Router(config-cmap)# match access-group name HTTP-ACL
Router(config-cmap)#
The command is entered without any output confirmation. The ACL named HTTP-ACL must be pre-configured to permit HTTP traffic from 192.168.1.0/24. The class-map will then match packets that are permitted by that ACL.
Match VoIP traffic using a numbered ACL
match access-group 101
Router(config-cmap)# match access-group 101
Router(config-cmap)#
This matches packets that are permitted by access-list 101. Typically, ACL 101 would permit UDP traffic on ports 16384-32767 (RTP range) from VoIP phones. No output is shown upon successful configuration.
Understanding the Output
The 'match access-group name [acl]' command does not produce any output when entered correctly; it simply configures the class-map. To verify the match, use 'show class-map [class-map-name]' which will display the match criteria, including the referenced ACL. The ACL itself must be verified with 'show access-lists [acl-name]' to ensure it contains the desired permit statements. A common pitfall is forgetting that the ACL must permit the traffic; deny statements will not match. Also, the ACL must be configured before referencing it in the class-map, otherwise the command will be rejected.
CCNA Exam Tips
- Remember that 'match access-group' matches only packets permitted by the ACL; denied packets are not matched.
- On the CCNA exam, you may be asked to identify the correct syntax: 'match access-group name [acl-name]' for named ACLs, or 'match access-group [number]' for numbered ACLs.
- The ACL used in the match statement must be a standard or extended ACL; named ACLs are typically extended.
- Be aware that you must be in class-map configuration mode (entered from global config with 'class-map [name]') before using this command.
Common Mistakes
- Using 'match access-group' without the 'name' keyword for a named ACL, causing a syntax error.
- Referencing an ACL that does not exist yet, resulting in a configuration rejection.
- Forgetting that the ACL must permit the desired traffic; if the ACL denies, the class-map will never match.
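A check for the three mistakes above, run over saved configuration text. This is an added example, not part of the original page. The 'audit' function, the sample configuration and the class-map names WEB, VOICE, BLOCKED and MGMT are constructed for illustration, and the parser assumes plain 'show running-config' style text.

```python
import re

# Constructed sample (not from the page): WEB is correct, VOICE uses undefined
# ACL 101, BLOCKED uses a deny-only ACL, MGMT omits the 'name' keyword.
SAMPLE_CONFIG = """\
ip access-list extended HTTP-ACL
 permit tcp 192.168.1.0 0.0.0.255 any eq www
ip access-list extended DENY-ONLY
 deny ip any any
class-map match-all WEB
 match access-group name HTTP-ACL
class-map match-all VOICE
 match access-group 101
class-map match-all BLOCKED
 match access-group name DENY-ONLY
class-map match-all MGMT
 match access-group SSH-ACL
"""

def audit(config):
    """Return sorted (class_map, acl, problem) tuples for one config text."""
    acls = {}        # ACL name or number -> True once a permit entry is seen
    refs = []        # (class_map, acl, used_name_keyword)
    section = None   # ("acl" | "cmap", identifier) of the enclosing block
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            section = None  # an unindented line ends the previous block
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            section = ("acl", m.group(1))
            acls.setdefault(m.group(1), False)
        elif m := re.match(r"access-list (\d+) (permit|deny)\b", line):
            acls[m.group(1)] = acls.get(m.group(1), False) or m.group(2) == "permit"
        elif m := re.match(r"class-map (?:match-(?:all|any) )?(\S+)", line):
            section = ("cmap", m.group(1))
        elif section and section[0] == "acl" and re.match(r"(\d+ )?permit\b", line):
            acls[section[1]] = True
        elif section and section[0] == "cmap" and (
                m := re.match(r"match access-group (name )?(\S+)", line)):
            refs.append((section[1], m.group(2), bool(m.group(1))))
    findings = []
    for cmap, acl, named in refs:
        if not named and not acl.isdigit():
            findings.append((cmap, acl, "named ACL needs the 'name' keyword"))
        elif acl not in acls:
            findings.append((cmap, acl, "ACL is not defined"))
        elif not acls[acl]:
            findings.append((cmap, acl, "ACL has no permit entry, never matches"))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports BLOCKED, MGMT and VOICE; adding a permit entry for access-list 101 to the text clears the VOICE finding.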
Related Commands
policy-map [name]
Creates or modifies a QoS policy-map that defines a set of class-maps and associated actions (e.g., bandwidth, priority, drop) to apply to traffic on Cisco IOS routers.
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show class-map
Displays the configuration and match criteria of all class maps or a specific class map, used to verify QoS classification rules.