Creating Policy Lists
You can create a policy list with an unlimited number of classifier groups, each containing an unlimited number of rules. These rules can reference up to 512 classifier entries.
You can create policy lists for Frame Relay, IP, IPv6, GRE tunnels, L2TP, MPLS, and VLANs.
Creating a Policy List for IP
The following example creates an IP policy list named routeForABCCorp. For information about creating the CLACLs and rate-limit profile used in this example, see the previous sections.
- Create the policy list routeForABCCorp.
- Create the classification group for the CLACL named ipCLACL10 and assign the precedence to the classification group.
- Add a rule that specifies a group of forwarding solutions based on classifier list ipCLACL10.
- Add a rule that sets a ToS byte value of 125 for packets based on classifier list ipCLACL10.
- Add a rule that uses rate-limit profile ipRLP25.
- Exit Classifier Group Configuration mode for ipCLACL10, then create a new classification group for classifier list ipCLACL20. Add a rule that filters packets based on classifier list ipCLACL20.
- Exit Policy List Configuration mode to save the configuration.
- Display the policy list.
host1(config)#ip policy-list routeForABCCorp
host1(config-policy-list)#
host1(config-policy-list)#classifier-group ipCLACL10 precedence 75
host1(config-policy-list-classifier-group)#
host1(config-policy-list-classifier-group)#forward next-hop 192.0.2.12 order 10
host1(config-policy-list-classifier-group)#forward next-hop 192.0.100.109 order 20
host1(config-policy-list-classifier-group)#forward next-hop 192.120.17.5 order 30
host1(config-policy-list-classifier-group)#forward interface ip 3/1 order 40
host1(config-policy-list-classifier-group)#mark tos 125
host1(config-policy-list-classifier-group)#rate-limit-profile ipRLP25
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group ipCLACL20 precedence 125
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#
host1#show policy-list routeForABCCorp
Policy Table
------ -----
IP Policy routeForABCCorp
Administrative state: enable
Reference count: 0
Classifier control list: ipCLACL10, precedence 75
forward
Virtual-router: default
List:
next-hop 192.0.2.12, order 10, rule 2 (active)
next-hop 192.0.100.109, order 20, rule 3 (reachable)
next-hop 192.120.17.5, order 30, rule 4 (reachable)
interface ip3/1, order 40, rule 5
mark tos 125
rate-limit-profile ipRLP25
Classifier control list: ipCLACL20, precedence 125
filter
 |
NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. |
Creating a Policy List for IPv6
The following example creates an IPv6 policy list named routeForIPv6. For information about creating the CLACL used in this example, see the previous sections.
- Create the policy list routeForIPv6.
- Create the classification group for the CLACL named ipv6tc67 and assign the precedence to the classification group.
- Add a rule to color packets as red, and a second rule that sets the traffic class field of the packets to 7.
- Exit Policy List Configuration mode to save the configuration.
- Display the policy list.
host1(config)#ipv6 policy-list routeForIPv6
host1(config-policy-list)#
host1(config-policy-list)#classifier-group ipv6tc67 precedence 75
host1(config-policy-list-classifier-group)#
host1(config-policy-list-classifier-group)#color red
host1(config-policy-list-classifier-group)#mark tcfield 7
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#
host1#show policy-list routeForIPv6
Policy Table
------ -----
IPv6 Policy routeForIPv6
Administrative state: enable
Reference count: 0
Classifier control list: ipv6tc67, precedence 75
color red
mark tc-precedence 7
|
NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. |
Creating a Policy List for Frame Relay
The following example creates a Frame Relay policy that on egress marks the DE bit to 1, and on ingress colors frames with a DE bit of 1 as red.
- Create the policy list used to mark egress traffic, then create the classifier group for packets conforming to CLACL frMatchDeSet. Add a rule that marks the DE bit as 1.
- Create the policy list used for the ingress traffic. and create the classifier group conforming to CLACL frMatchDeSet. Add a rule that colors the ingress traffic.
- Apply the policy lists.
- Display interface information to view the applied policies.
- Display the classifier list.
- Display the policy lists.
host1(config)#frame-relay policy-list frOutputPolicy
host1(config-policy-list)#classifier-group frMatchDeSet
host1(config-policy-list-classifier-group)#mark-de 1
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#frame-relay policy-list frInputPolicy
host1(config-policy-list)#classifier-group frGroupA
host1(config-policy-list-classifier-group)#color red
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#interface serial 5/0:1/1.1
host1(config-subif)#frame-relay policy output frOutputPolicy statistics enabled
host1(config-subif)#ip address 10.0.0.1 255.255.255.0
host1(config-subif)#exit
host1(config)#interface serial 5/1:1/1.1
host1(config-subif)#frame-relay policy input frInputPolicy statistics enabled
host1(config-subif)#exit
host1#show frame-relay subinterface
Frame relay sub-interface SERIAL5/0:1/1.1, status is up
Number of sub-interface down transitions is 0
Time since last status change 03:04:59
No baseline has been set
In bytes: 660 Out bytes: 660
In frames: 5 Out frames: 5
In errors: 0 Out errors: 0
In discards: 0 Out discards: 0
In unknown protos: 0
Frame relay policy output frOutputPolicy
classifier-group frGroupA entry 1
5 packets, 640 bytes
mark-de 1
Frame relay sub-interface SERIAL5/1:1/1.1, status is up
Number of sub-interface down transitions is 0
Time since last status change 03:05:09
No baseline has been set
In bytes: 660 Out bytes: 660
In frames: 5 Out frames: 5
In errors: 0 Out errors: 0
In discards: 0 Out discards: 0
In unknown protos: 0
Frame relay policy input frInputPolicy
classifier-group frMatchDeSet entry 1
5 packets, 660 bytes
color red
host1#show classifier-list detailed
Classifier Control List Table
---------- ------- ---- -----
Frame relay Classifier Control List frMatchDeSet
Reference count: 1
Entry count: 1
Classifier-List frMatchDeSet Entry 1
DE Bit: 1
host1#show policy-list
Policy Table
------ -----
Frame relay Policy frOutputPolicy
Administrative state: enable
Reference count: 0
Classifier control list: frMatchDeSet, precedence 100
mark-de 1
Frame relay Policy frInputPolicy
Administrative state: enable
Reference count: 0
Classifier control list: frGroupA, precedence 100
color red
|
NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. |
Creating a Policy List for GRE Tunnels
The following example creates a GRE tunnel policy list named routeGre50. For information about creating the CLACL used in this example, see the previous sections.
- Create the policy list routeGre50.
- Create the classification group for the CLACL named gre8 and assign a precedence of 150 to it.
- Add two rules for traffic based on the CLACL named gre8: one rule to color packets as red, and a second rule that specifies the ToS DS field value to be assigned to the packets.
- Exit Policy List Configuration mode to save the configuration.
- Display the policy list.
host1(config)#gre-tunnel policy-list routeGre50
host1(config-policy-list)#classifier-group gre8 precedence 150
host1(config-policy-list-classifier-group)#
host1(config-policy-list-classifier-group)#color red
host1(config-policy-list-classifier-group)#mark dsfield 20
host1(config-policy-list-classifier-group)#
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#
host1#show policy-list routeGre50
Policy Table
------ -----
GRE Tunnel Policy routeGre50
Administrative state: enable
Reference count: 0
Classifier control list: gre8, precedence 150
color red
mark dsfield 20
|
NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. |
Creating a Policy List for L2TP
The following example creates an L2TP policy list.
- Create the policy list routeForl2tp.
- Create the classification group to match all packets.
- Add a rule to color packets as red, and a second rule that uses the rate-limit profile l2tpRLP10.
- Exit Policy List Configuration mode to save the configuration.
- Display the policy list.
host1(config)#l2tp policy-list routeForl2tp
host1(config-policy-list)#
host1(config-policy-list)#classifier-group *
host1(config-policy-list-classifier-group)#
host1(config-policy-list-classifier-group)#color red
host1(config-policy-list-classifier-group)#rate-limit-profile l2tpRLP10
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#
host1#show policy-list routeForl2tp
Policy Table
------ -----
L2TP Policy routeForl2tp
Administrative state: enable
Reference count: 0
Classifier control list: *, precedence 100
color red
rate-limit-profile l2tpRLP20
|
NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. |
Creating a Policy List for MPLS
The following example creates an MPLS policy list.
- Create the policy list routeForMpls.
- Create the classification group.
- Add one rule that sets the EXP bits for all packets to 2, and a second rule that uses the rate-limit profile mplsRLP5.
- Exit Policy List Configuration mode to save the configuration.
- Display the policy list.
host1(config)#mpls policy-list routeForMpls
host1(config-policy-list)#
host1(config-policy-list)#classifier-group * precedence 200
host1(config-policy-list-classifier-group)#
host1(config-policy-list-classifier-group)#mark-exp 2
host1(config-policy-list-classifier-group)#rate-limit-profile mplsRLP5
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#
host1#show policy-list routeForMpls
Policy Table
------ -----
MPLS Policy routeForMpls
Administrative state: enable
Reference count: 0
Classifier control list: *, precedence 200
mark-exp 2 mask 7
rate-limit-profile mplsRLP5
|
NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. |
Creating a Policy List for VLANs
The following example creates a VLAN policy list named routeForVlan. The classifier group lowLatencyLowDrop uses the default precedence of 100.
- Create the policy list routeForVlan.
- Create the classification group.
- Create a rule that adds the lowLatencyLowDrop traffic class for all packets that fall into the lowLatencyLowDrop classification.
- Add a rule that sets the drop precedence for all packets that fall into the lowLatencyLowDrop classification to green.
- Add a rule that sets the user-priority bits for all packets that fall into the lowLatencyLowDrop classification to 7.
- Exit to Policy List Configuration mode, then add traffic class rules for packets that conform to different CLACLs.
- Exit Policy List Configuration mode to save the configuration.
- Display the policy list.
host1(config)#vlan policy-list routeForVlan
host1(config-policy-list)#
host1(config-policy-list)#classifier-group lowLatencyLowDrop
host1(config-policy-list-classifier-group)#
host1(config-policy-list-classifier-group)#traffic-class lowLatencyLowDrop
host1(config-policy-list-classifier-group)#color green
host1(config-policy-list-classifier-group)#mark-user-priority 7
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group lowLatency
host1(config-policy-list-classifier-group)#traffic-class lowLatency
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group excellentEffort
host1(config-policy-list-classifier-group)#traffic-class excellentEffort
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group bestEffort
host1(config-policy-list-classifier-group)#traffic-class bestEffort
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#
host1#show policy-list routeForVlan
Policy Table
------ -----
VLAN Policy routeForVlan
Administrative state: enable
Reference count: 0
Classifier control list: lowLatencyLowDrop, precedence 100
traffic-class lowLatencyLowDrop
color green
mark-user-priority 7
Classifier control list: lowLatency, precedence 100
traffic-class lowLatency
Classifier control list: excellentEffort, precedence 100
traffic-class excellentEffort
Classifier control list: bestEffort, precedence 100
traffic-class bestEffort
|
NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. |
frame-relay policy-list
gre-tunnel policy-list
ip policy-list
ipv6 policy-list
l2tp policy-list
mpls policy-list
vlan policy-list
- Use to create or modify a policy list and to enter Policy List Configuration mode.
- If you enter a policy-list command and then enter exit, the router creates a policy list with no rules. If the router does not find any rules in a policy, it inserts a default filter rule. Attaching this policy list to an interface filters all packets on that interface.
NOTE: If you do not specify one of the frame-relay, gre-tunnel, ip, ipv6, l2tp, mpls, or vlan keywords, the router creates an IP policy list.
- Example
host1(config)#ip policy-list routeForXYZCorp
host1(config-policy-list)#