Creating and Attaching a Policy with IP Classifiers
In this example, a policy with a combination of IP classifiers is created and attached. The configuration conforms to the 128-bit limit.
- Match all TCP SYN packets from 1.1.1.1 to any DA with port 2000.
    host1(config)#ip classifier-list tcpCLACL tcp host 1.1.1.1 any eq 2000 tcp-flags "SYN"
- Match all IP packets to host 2.2.2.2 that have the don’t fragment flag set.
    host1(config)#ip classifier-list ipCLACL ip any host 2.2.2.2 ip-flags "dont-fragment"
- Match all ICMP echo packets.
    host1(config)#ip classifier-list icmpCLACL icmp any any 8 0
- Match all frames with the color red.
    host1(config)#ip classifier-list colorCLACL color red ip any any
- Create a policy list.
    host1(config)#ip policy-list ipPol
    host1(config-policy-list)#classifier-group colorCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group tcpCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group icmpCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group ipCLACL
    host1(config-policy-list-classifier-group)#filter
- Apply the policy list to an interface.
    host1(config)#interface atm 5/0/0.1
    host1(config-if)#ip policy input ipPol
Table 24 lists the active classifiers in the policy named ipPol and the size of each classifier.
Table 24: Classification Fields for Example 1
| Classifiers | Size (Bits) |
|---|---|
| Source address | 32 |
| Destination address | 32 |
| Destination port, ICMP type, ICMP code | 16 |
| Protocol | 8 |
| Color and TCP flags | 8 |
| TOS | 8 |
| IP flags | 8 |
The total size of the classifiers requested in the ipPol policy is 112 bits, which is less than the 128-bit CAM entry size limit.
In this example, a policy with a combination of IP classifiers is created and attached. The configuration exceeds the 128-bit limit.
- Match all TCP packets from 1.1.1.1 port 10 to 2.2.2.2 port 20.
    host1(config)#ip classifier-list tcpCLACL tcp host 1.1.1.1 eq 10 host 2.2.2.2 eq 20
- Match all IP packets with a fragmentation offset equal to 1.
    host1(config)#ip classifier-list ipFragCLACL ip any any ip-frag-offset eq 1
- Match all frames with the color red.
    host1(config)#ip classifier-list colorCLACL color red traffic-class best-effort ip any any
- Match all frames with UPC 1.
    host1(config)#ip classifier-list upcCLACL user-packet-class 1 ip any any
- Create a policy list.
    host1(config)#ip policy-list ipPol
    host1(config-policy-list)#classifier-group colorCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group ipFragCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group igmpCLACL
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#classifier-group lowDelayCLACL
    host1(config-policy-list-classifier-group)#traffic-class strict-priority
    host1(config-policy-list-classifier-group)#classifier-group tcpCLACL
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#classifier-group *
    host1(config-policy-list-classifier-group)#filter
- Apply the policy list to an interface.
    host1(config)#interface atm 5/0/0.1
    host1(config-if)#ip policy input ipPol
    % too many classifier fields in policy
Table 25 lists the active classifiers in the policy named ipPol and the size of each classifier.
Table 25: Classification Fields for Example 2
| Classifiers | Size (Bits) |
|---|---|
| Source address | 32 |
| Source port | 16 |
| Destination port | 16 |
| Protocol | 8 |
| User packet class | 8 |
| Color | 8 |
| IP fragmentation | 8 |
| ToS | 8 |
The configuration fails because the total size of the classifiers requested in the ipPol policy is 136 bits, which is greater than the 128-bit CAM entry size limit.