Policy Lists Overview

You create a policy rule by specifying a policy action within a classifier group that references a CLACL. These rules become part of a policy list that you can attach to an interface as either an input policy, secondary-input policy, or output policy. The router applies the rules in the attached policy list to the packets traversing that interface.

You can apply policy lists to packets:

• Arriving at an interface (input policy); on IP and IPv6 interfaces the packets arrive before route lookup
• Arriving at the interface, but after route lookup (secondary input policy); secondary input policies are supported only on IP and IPv6 interfaces
• Leaving an interface (output policy)

Figure 1 shows how a sample IP policy list is constructed.

Figure 1: Constructing an IP Policy List

You can create a policy list with an unlimited number of classifier groups, each containing an unlimited number of rules. These rules can reference up to 512 classifier entries.

If you enter a policy-list command and then enter exit, the router creates a policy list with no rules. If the router does not find any rules in a policy, it inserts a default filter rule. Attaching this policy list to an interface filters all packets on that interface.

Note: If you do not specify one of the frame-relay, gre-tunnel, ip, ipv6, l2tp, mpls, or vlan keywords, the router creates an IP policy list. This version of the command has been deprecated and may be removed in a future release.

You can create policy lists for ATM, Frame Relay, IP, IPv6, GRE tunnels, L2TP, MPLS, and VLANs.

Note: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode.