Creating Classifier Groups and Policy Rules
Classifier groups contain the policy rules that make up a policy list. A policy rule is an association between a policy action and an optional CLACL. The CLACL defines the packet flow on which the policy action is taken.
A policy list might contain multiple classifier groups—you can specify the precedence in which classifier groups are evaluated. Classifier groups are evaluated starting with the lowest precedence value. Classifier groups with equal precedence are evaluated in the order of creation.
NOTE: For IP policies, the forward command supports the order keyword, which enables you to order multiple forward rules within a single classifier group. (See Creating Multiple Forwarding Solutions with IP Policy Lists.)
From Policy Configuration mode, you can assign a precedence value to a CLACL by using the precedence keyword when you create a classifier group. The default precedence value is 100. For example:
host1(config-policy-list)#classifier-group ipCLACL25 precedence 21
host1(config-policy-list-classifier-group)#
The classifier-group command puts you in Classifier Group Configuration mode. In this mode you configure the policy rules that make up the policy list. For example:
host1(config-policy-list-classifier-group)#forward next-hop 172.18.20.54
To stop and start a policy rule without losing statistics, you can suspend the rule. Suspending a rule maintains the policy rule with its current statistics, but the rule no longer affects packets in the forwarding path.
From Classifier Group Configuration mode, you can suspend a rule by using the suspend version of that policy rule command. The no suspend version reactivates a suspended rule. For example:
host1(config-policy-list-classifier-group)#suspend forward next-hop 172.18.20.54
host1(config-policy-list-classifier-group)#no suspend forward next-hop 172.18.20.54
You can add, remove, or suspend policy rules while the policy is attached to one or more interfaces. The modified policy takes effect once you exit Policy Configuration mode.
Policy Rule Support
Table 9 shows the policy rule commands that you can use for each type of policy list. Yes and No indicate whether the command is supported. NA indicates that the command does not apply to that type of interface.
Rules That Provide Routing Solutions
The next interface, next hop, filter, and forward rules provide routing solutions for traffic matching a classifier. A classifier can have only one action that provides a routing solution.
If you configure two routing solution rules, such as filter and forward, in the same classifier group, the router displays a warning message, and the rule configured last replaces the previous rule.
Creating Multiple Forwarding Solutions with IP Policy Lists
By default, the router uses a single route table lookup to determine the forwarding solution for packets. For IP policy lists only, the forward command enables you to configure one or more unique forwarding solutions (interfaces or next-hop addresses) that override the route table lookup. By creating a group of forwarding solutions, you can ensure that there is a reachable solution for the packets.
You can use the order keyword to specify the order of the group of forwarding solutions within a single forward rule. If no order value is specified, then the default order of 100 is assigned to a solution. The router evaluates the forwarding solutions in the group, starting at the solution with the lowest order value, and then uses the first reachable solution. To be considered a reachable solution, a solution must be a reachable interface or a next-hop address that has a route in the routing table. If no solutions are reachable, the traffic is dropped.
The following guidelines apply when you create a group of forwarding solutions in an IP policy list:
- You can specify a maximum of 20 forwarding solutions for a classifier.
- The interface and next-hop elements of a forwarding solution must exist within a single virtual router:
- Next-interface elements are associated with the virtual router where that interface exists.
- You can include an optional parameter to specify the virtual router when you define next-hop elements.
- If only next-hop elements exist and you do not use the virtual router option, then the policy assumes the virtual router context of the command-line interface (CLI).
- If you specify both an interface element and a next-hop address element, then they both must be reachable to be used. Also, the interface must be the correct interface for the next-hop address.
- If you specify a next-hop address, then you can optionally specify that the default route be ignored.
- If you delete the target (interface or next-hop address) referenced in a rule, that solution is replaced by the null interface but retains the same order number in the policy list. The null interface is always considered unreachable.
- When a forwarding solution with a lower order value than the currently active solution becomes reachable, the router switches to the lower-ordered solution.
- If two rules that have the same order value are reachable, then the rule that was created first is used.
NOTE: The forward interface and forward next-hop commands are replacing the next-interface and next-hop commands, which do not support multiple forwarding solutions in a single forward rule.
In the following sample classifier group of a policy list, the forwarding solution of ATM interface 0/0.1 has the lowest order value in the group, and would therefore be selected as the solution for the policy list. However, if this interface is not reachable, the router then attempts to use the solution with the next higher order, which would be ATM interface 12/0.1. If none of the solutions in the group is reachable, the traffic is dropped.
host1(config-policy-list)#classifier-group westfordClacl precedence 200
host1(config-policy-list-classifier-group)#forward interface atm 0/0.1 order 10
host1(config-policy-list-classifier-group)#forward interface atm 12/0.1 order 50
host1(config-policy-list-classifier-group)#forward interface atm 3/0.25 order 300
Classifier Group Command
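The selection rules above (lowest order wins, equal order falls back to creation order, a deleted target becomes the always-unreachable null interface, and traffic is dropped when nothing is reachable) as an added Python model; this is illustrative code written for this page, not router software, and the class and function names, the reachability set passed to select(), and the mirrored westfordClacl group are all constructed for the example:

```python
from dataclasses import dataclass, field
from itertools import count

NULL_INTERFACE = "null"   # a deleted target becomes this; always unreachable
DEFAULT_ORDER = 100       # assigned when no order keyword is given
_seq = count()            # creation sequence, used to break order ties

@dataclass
class ForwardSolution:
    target: str           # interface name or next-hop address
    order: int = DEFAULT_ORDER
    created: int = field(default_factory=lambda: next(_seq))

@dataclass
class ClassifierGroup:
    clacl: str
    precedence: int = 100
    solutions: list = field(default_factory=list)

    def forward(self, target, order=DEFAULT_ORDER):
        # models 'forward interface ... order N' / 'forward next-hop ... order N'
        if len(self.solutions) >= 20:
            raise ValueError("at most 20 forwarding solutions per classifier")
        self.solutions.append(ForwardSolution(target, order))

    def delete_target(self, target):
        # Deleting the referenced interface or next hop leaves a null-interface
        # placeholder that keeps its order number in the group.
        for s in self.solutions:
            if s.target == target:
                s.target = NULL_INTERFACE

    def select(self, reachable):
        """Target the router forwards to, or None when the traffic is dropped."""
        live = [s for s in self.solutions
                if s.target != NULL_INTERFACE and s.target in reachable]
        if not live:
            return None
        # lowest order wins; on equal order the rule created first wins
        return min(live, key=lambda s: (s.order, s.created)).target

def westford_group():
    # Constructed to mirror the page's westfordClacl sample group.
    g = ClassifierGroup("westfordClacl", precedence=200)
    g.forward("atm 0/0.1", order=10)
    g.forward("atm 12/0.1", order=50)
    g.forward("atm 3/0.25", order=300)
    return g
```

Calling westford_group().select(...) with different reachability sets shows the fail-over sequence and the drop case that the text describes.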
Use the command described in this section to create classifier groups. See Rate Limiting Individual or Aggregate Packet Flows for examples of using this command to rate limit traffic flows.
classifier-group
- Creates a classifier group for a policy list and assigns precedence to the specific CLACL that is referenced in the group; enters Classifier Group Configuration mode, in which you create policy rule configurations related to the specified CLACL.
- Use the precedence keyword to specify the order in which a classifier group is evaluated compared to other classifier groups. Classifier groups are evaluated from lowest to highest precedence value (for example, a classifier group with a precedence of 1 is used before a classifier group with a precedence of 2). Classifier groups with equal precedence are evaluated in the order of creation, with the group created first having precedence. A default value of 100 is used if no precedence is specified.
- Example
host1(config-policy-list)#classifier-group westfordClacl precedence 150
Use the no version to remove the classifier group and its rules from a policy list.
Policy Rule Commands
Use the commands described in this section to specify policy rules for classifier groups.
color
host1(config-policy-list-classifier-group)#color green
Use the suspend version to suspend the color rule within the classifier group. Use the no version to remove the color rule from the classifier group.
filter
- Use to define a rule that drops all packets matching the current CLACL.
- You can enter the filter command while the policy list is referenced by interfaces.
- Example
host1(config-policy-list-classifier-group)#filter
Use the suspend version to suspend a filter rule within the classifier group. Use the no version to remove the filter rule from the classifier group.
forward
forward interface
forward next-hop
- Use to define a rule that creates the forwarding solution for packets matching the current CLACL.
- The forward command can be used while the policy list is referenced by interfaces.
host1(config-policy-list-classifier-group)#forward
- Use the suspend version to suspend the forward rule within the classifier group.
- For IP policy lists only:
- You can use the forward interface command to specify multiple interfaces and the forward next-hop command to specify next-hop addresses as possible forwarding solutions. If you define multiple forwarding solutions for a single CLACL, use the order keyword to specify the order in which the router chooses the solutions. The router uses the first reachable solution in the list, starting with the solution with the lowest order value. The default order value is 100.
NOTE: The forward interface and forward next-hop commands are replacing the next-interface and next-hop commands.
The switch route processor (SRP) module Fast Ethernet port cannot be the destination of the forward next-hop and forward interface commands.
- If you specify a next-hop address as the forwarding solution, you can specify that the default route is not used as a routing solution for the next-hop address when selecting a reachable forward rule entry.
host1(config-policy-list-classifier-group)#forward interface atm 0/0.1 order 10
host1(config-policy-list-classifier-group)#forward interface atm 3/1.2 order 20
Use the no version to remove the forward rule from the classifier group.
log
host1(config-policy-list-classifier-group)#log
Use the suspend version to suspend the log rule within the classifier group. Use the no version to remove the log rule from the classifier group.
mark
- Use to set the ToS field in the IP header or the traffic-class field in the IPv6 header to a specified value for packets conforming to the current CLACL.
- For IPv4, you must specify one of the following:
- A ToS byte value in the range 0-255 and a mask value in the range 1-255
- tos-precedence keyword and a value in the range 0-7
- tos keyword and a value in the range 0-255
- dsfield keyword and a value in the range 0-63
- For IPv6, you must specify one of the following:
- A traffic-class byte in the range 0-255 and a mask in the range 1-255
- tc-precedence keyword and a value in the range 0-7
- tcfield keyword and a value in the range 0-255
- dsfield keyword and a value in the range 0-63
- Only one mask value is allowed per policy. Multiple mark rules are allowed with various mark values, but the mask for each of these rules must be the same.
- Example
host1(config-policy-list-classifier-group)#mark tos-precedence 3
Use the suspend version to suspend the mark rule within the classifier group. Use the no version to remove the mark rule from the classifier group.
mark-de
- Use to assign a value of 0 or 1 to the Frame Relay DE bit for packets conforming to the current CLACL.
- Example
host1(config-policy-list-classifier-group)#mark-de 1
Use the suspend version to suspend the mark DE rule within the classifier group. Use the no version to remove the mark DE rule from the classifier group.
mark-exp
- Use to assign a value in the range 0-7 to the MPLS EXP field for packets conforming to the current CLACL.
- Example
host1(config-policy-list-classifier-group)#mark-exp 5
Use the suspend version to suspend the mark EXP rule within the classifier group. Use the no version to remove the mark EXP rule from the classifier group.
mark-user-priority
- Use to assign a value in the range 0-7 to the 802.1p VLAN priority field for packets conforming to the current CLACL.
- Example
host1(config-policy-list-classifier-group)#mark-user-priority 5
Use the suspend version to suspend the mark-user-priority rule within the classifier group. Use the no version to remove the mark-user-priority rule from the classifier group.
next-hop
- Use to define the IP address of the next hop to which the packets are forwarded for packets conforming to the current CLACL.
NOTE: The forward next-hop command is replacing the next-hop command. The next-hop command may be removed in a future release. See the forward command for details.
The SRP module Fast Ethernet port cannot be the destination of the next-hop command.
- For IP interfaces, this command is supported only on input policies.
- Example
host1(config-policy-list-classifier-group)#next-hop 10.10.10.1
Use the suspend version to suspend the next-hop rule within the classifier group. Use the no version to remove the next-hop rule from the classifier group.
next-interface
- Use to define an output interface to which the packets conforming to the current CLACL are forwarded.
NOTE: The forward interface command is replacing the next-interface command. The next-interface command may be removed in a future release. See the forward command for details.
The SRP module Fast Ethernet port cannot be the destination of the next-interface command.
- For IP interfaces, this command is supported only on input policies.
- IP interfaces referenced with this command can be tracked if they move. Policies attached to an interface also move if the interface moves. However, statistics are not maintained across the move.
- Example
host1(config-policy-list-classifier-group)#next-interface atm 0/0.1
Use the suspend version to suspend the next-interface rule within the classifier group. Use the no version to remove the next-interface rule from the classifier group.
rate-limit-profile
- Use to specify a rate-limit rule for packets conforming to the current CLACL. See Rate Limiting Individual or Aggregate Packet Flows for examples of using this command to rate limit traffic flows.
- Example
host1(config-policy-list-classifier-group)#rate-limit-profile tcpFriendly8MB
Use the suspend version to suspend the rate-limit-profile rule within the classifier group. Use the no version to remove the rate-limit-profile from the classifier group.
traffic-class
- Use to specify a traffic-class rule for packets conforming to the current CLACL.
- When this rule is applied to a packet, the packet will be associated with this traffic class within the router.
- Example
host1(config-policy-list-classifier-group)#traffic-class goldClass
Use the suspend version to temporarily suspend the traffic class within the classifier group. Use the no version to remove the traffic class from the classifier group.
user-packet-class
- Use to add a user packet class rule that sets the user-packet-class attribute of packets that match the current CLACL.
- The user packet class is associated with every packet that is forwarded through the router. It is a value in the range 0-15 that the router initializes to zero when it receives the packet on an ingress interface. The value travels with the packet throughout the router until the packet is transmitted out an egress interface. You can modify the value by using this command and then classify packets based on the value.
- Example
host1(config-policy-list-classifier-group)#user-packet-class 3
Use the suspend version to temporarily suspend the rule within the classifier group. Use the no version to remove the user-packet-class rule from the classifier group.