Applying Policy Lists to Interfaces and Profiles
You can assign a policy list to supported interfaces and profiles. Policy lists are supported on Frame Relay, IP, IPv6, GRE tunnel, MPLS layer 2, and VLAN interfaces. You can also specify IP, IPv6, and L2TP policies in profiles to assign a policy list to an interface. In either case, you can enable or disable the recording of statistics for bytes and packets affected by the assigned policy.
NOTE: You can apply policies to MPLS topology-driven label-switched paths (LSPs) by using the mpls ldp lsp-policy command. See Policy Management and MPLS Topology-Driven LSPs.
Examples
To assign the policy list named routeForXYZCorp with statistics enabled to the ingress IP interface over an ATM subinterface:
host1(config)#interface atm 12/0.1
host1(config-subif)#ip policy input routeForXYZCorp statistics enabled
To create an L2TP profile that applies the policy list routeForABCCorp to the egress of an interface:
host1(config)#profile bostonProfile
host1(config-profile)#l2tp policy output routeForABCCorp
frame-relay policy
gre-tunnel policy
ip policy
ipv6 policy
mpls policy
l2tp policy
vlan policy
- Use to assign a Frame Relay, IP, IPv6, GRE tunnel, MPLS, or VLAN policy list to an interface. Also use to specify an IP, IPv6, or L2TP policy list to a profile, which then assigns the policy to the interfaces to which the profile is attached.
- Use the input or output keyword to assign the policy list to the ingress or egress of the interface.
- For IP and IPv6 policy lists, use the secondary-input keyword to assign the policy list, after route lookup, to data destined to local or remote destinations.
  The router supports secondary input policies whose principal applications are:
  - To defeat denial-of-service attacks directed at a router's local IP or IPv6 stack
  - To protect a router from being overwhelmed by legitimate local traffic
  - To apply policies on packets associated with the route class
- You can enable or disable the recording of routing statistics for bytes and packets affected by the policy.
- If you enable statistics, you can enable or disable baselining of the statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved.
- You must also enable baselining on the interface with the appropriate baseline command.
NOTE: The gre-tunnel policy command does not support the baseline keyword.
- Example 1
host1(config-if)#vlan policy input VlanPolicy33 statistics disabled
- Example 2
host1(config-if)#ipv6 policy secondary-input my-policy
- Use the no version to remove the association between a policy list and an interface or a profile.
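An offline audit of saved configuration text against the attachment rules above, as an added example that is not part of the original documentation. The sample configuration, the interface name fastEthernet 3/0.5, and the two local review rules (statistics should be explicitly enabled; an IP or IPv6 attachment point should also carry a secondary-input policy) are assumptions of this example, not router requirements.

```python
import re

PROMPT = r"(?:[\w.-]+\([\w-]+\)#)?\s*"  # optional CLI prompt such as host1(config-if)#
CONTEXT_RE = re.compile(PROMPT + r"(interface .+|profile \S+)$")
POLICY_RE = re.compile(PROMPT + r"(frame-relay|gre-tunnel|ip|ipv6|mpls|l2tp|vlan) policy "
                       r"(input|output|secondary-input) (\S+)(.*)$")

# Constructed sample: commands from this page plus one made-up interface name.
SAMPLE = """\
host1(config)#interface atm 12/0.1
host1(config-subif)#ip policy input routeForXYZCorp statistics enabled
host1(config)#profile bostonProfile
host1(config-profile)#l2tp policy output routeForABCCorp
host1(config)#interface fastEthernet 3/0.5
host1(config-if)#vlan policy input VlanPolicy33 statistics disabled
host1(config-if)#ipv6 policy secondary-input my-policy
"""

def parse_attachments(text):
    """Return one dict per policy attachment, tagged with its interface/profile."""
    context, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := CONTEXT_RE.match(line)):
            context = m.group(1)
        elif (m := POLICY_RE.match(line)):  # "no ..." removal lines do not match
            kind, direction, name, rest = m.groups()
            stats = re.search(r"\bstatistics (enabled|disabled)\b", rest)
            found.append({"context": context, "type": kind, "direction": direction,
                          "policy": name, "statistics": stats.group(1) if stats else None,
                          "baseline": "baseline" in rest.split()})
    return found

def audit(text):
    """Return (context, message) findings; the last two rules are local assumptions."""
    atts, findings, ip_dirs = parse_attachments(text), [], {}
    for a in atts:
        if a["direction"] == "secondary-input" and a["type"] not in ("ip", "ipv6"):
            findings.append((a["context"], "secondary-input applies only to ip/ipv6 policy"))
        if a["type"] == "gre-tunnel" and a["baseline"]:
            findings.append((a["context"], "gre-tunnel policy does not support baseline"))
        if a["statistics"] != "enabled":
            findings.append((a["context"], f"{a['policy']}: statistics not explicitly enabled"))
        if a["type"] in ("ip", "ipv6"):
            ip_dirs.setdefault(a["context"], set()).add(a["direction"])
    for ctx, dirs in ip_dirs.items():
        if "secondary-input" not in dirs:
            findings.append((ctx, "no secondary-input policy for locally destined traffic"))
    return findings

if __name__ == "__main__":
    for ctx, msg in audit(SAMPLE):
        print(f"{ctx}: {msg}")
```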