Related Documentation

  • Example: Hierarchical Policy Quick Configuration
 

Example: Configuring Hierarchical Policies

The configuration in Figure 1 requires four parent group resources for each of the atm5/0.1, atm5/0.2, and atm5/0.3 attachments. The rate-limit instance R1 is referenced by C1, and packets flow from C1 to EPG1 to EPG2.

Figure 1: Configuration Process


This procedure uses the following designations:

  • EPG1 and EPG2 are external parent groups.
  • IP1 and IP2 are internal parent groups.
  • ER1, ER2, R1, and R2 are rate-limit profiles.
  • POL is the name of the IP policy.
  • C1 and C2 are classified flows.
  • A, B, and C are policy parameters.

  1. Configure two external parent groups, EPG1 and EPG2. First create policy parameter C, then create the two parent groups.
    host1(config)#policy-parameter C hierarchical
    host1(config-policy-parameter)#exit
    host1(config)#parent-group EPG2
    host1(config-parent-group)#rate-limit-profile ER2
    host1(config-parent-group)#exit
    host1(config)#parent-group EPG1
    host1(config-parent-group)#next-parent EPG2 parameter C
    host1(config-parent-group)#rate-limit-profile ER1
    host1(config-parent-group)#exit

    EPG1 contains a rate-limit profile ER1 and points to EPG2 as the next parent group in series. The EPG2 reference is associated with policy parameter C. When you later use the policy-parameter command in Interface Configuration mode, actual values are substituted for the names. EPG2 contains a reference to rate-limit-profile ER2.

  2. Configure IP policy list POL.
    host1(config)#ip policy-list POL
    host1(config-policy-list)#classifier-group C1 external parent-group EPG1 parameter A
    host1(config-policy-list-classifier-group)#rate-limit-profile R1
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group C2 parent-group IPG1
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#parent-group IPG1 external parent-group EPG1 parameter B
    host1(config-policy-list-parent-group)#rate-limit-profile R2
    host1(config-policy-list-parent-group)#exit

    Classified flow C1 references EPG1 as the next parent group to call in the hierarchy. EPG1 is an external parent group, and this reference is associated with policy parameter A. The C2 classified flow points to internal parent group IPG1, which contains rate-limit-profile R2 and points to EPG1 as the next parent group to call in the hierarchy. That EPG1 reference is associated with policy parameter B. When you later use the policy-parameter command in Interface Configuration mode, the policy parameters are given numeric values.

  3. Attach POL to atm5/0.1 as an input policy.
    host1(config)#interface atm 5/0.1
    host1(config-interface)#ip policy-parameter hierarchical A 1
    host1(config-interface)#ip policy-parameter hierarchical B 1
    host1(config-interface)#ip policy-parameter hierarchical C 1
    host1(config-interface)#ip policy input POL statistics enabled
    host1(config-interface)#exit

    Policy list POL contains three parameter names that must be substituted with actual values. This attachment contains two internal rate-limit instances, one for R1 and one for R2. It also contains one parent-group instance for IPG1, one for the (EPG1, parameter A) tuple, one for the (EPG1, parameter B) tuple, and one for the (EPG2, parameter C) tuple. The value 1 is substituted for parameters A, B, and C when you use the policy-parameter command. Because of this policy attachment and the policy-parameter commands, the following aggregation nodes are created: (slot 5, ingress, EPG1, 1) and (slot 5, ingress, EPG2, 1). The system creates a rate-limit instance for each aggregation node: ER1-instance-1 and ER2-instance-1, respectively. ER1-instance-1 is referenced by parent-group instances (EPG1, parameter A) and (EPG1, parameter B). ER2-instance-1 is referenced by parent-group instance (EPG2, parameter C).

  4. Attach POL to atm5/0.2 as an input policy.
    host1(config)#interface atm 5/0.2
    host1(config-interface)#ip policy-parameter hierarchical A 1
    host1(config-interface)#ip policy-parameter hierarchical B 2
    host1(config-interface)#ip policy-parameter hierarchical C 2
    host1(config-interface)#ip policy input POL statistics enabled
    host1(config-interface)#exit

    Policy list POL contains three parameter names that must be substituted with actual values. This attachment consumes two internal rate-limit instances: one for R1 and one for R2. As in Step 3, it also consumes one parent-group instance for IPG1, one for the (EPG1, parameter A) tuple, one for the (EPG1, parameter B) tuple, and one for the (EPG2, parameter C) tuple. When you use the policy-parameter command, parameter A is substituted with value 1 and parameters B and C are substituted with value 2. Because of this policy attachment and the policy-parameter commands, the following aggregation nodes are identified: (slot 5, ingress, EPG1, 1), (slot 5, ingress, EPG1, 2), and (slot 5, ingress, EPG2, 2). The (slot 5, ingress, EPG1, 1) node was already created in Step 3 and was named ER1-instance-1. The other two aggregation nodes are now created and named ER1-instance-2 and ER2-instance-2, respectively. ER1-instance-1 is referenced by parent-group instance (EPG1, parameter A), ER1-instance-2 is referenced by parent-group instance (EPG1, parameter B), and ER2-instance-2 is referenced by parent-group instance (EPG2, parameter C).

  5. Attach POL to atm5/0.3 as an input policy.
    host1(config)#interface atm 5/0.3
    host1(config-interface)#ip policy-parameter hierarchical A 2
    host1(config-interface)#ip policy-parameter hierarchical B 1
    host1(config-interface)#ip policy-parameter hierarchical C 2
    host1(config-interface)#ip policy input POL statistics enabled
    host1(config-interface)#exit

    Policy list POL contains three parameter names that must be substituted with actual values. This attachment consumes two internal rate-limit instances: one for R1 and one for R2. It also consumes one parent-group instance for IPG1, one for the (EPG1, parameter A) tuple, one for the (EPG1, parameter B) tuple, and one for the (EPG2, parameter C) tuple. When you use the policy-parameter command, parameters A and C are substituted with value 2 and parameter B is substituted with value 1. Because of this policy attachment and the policy-parameter commands, the following aggregation nodes are identified: (slot 5, ingress, EPG1, 2), (slot 5, ingress, EPG1, 1), and (slot 5, ingress, EPG2, 2). All three aggregation nodes were created in earlier steps and were named ER1-instance-2, ER1-instance-1, and ER2-instance-2, respectively. ER1-instance-2 is referenced by parent-group instance (EPG1, parameter A), ER1-instance-1 is referenced by parent-group instance (EPG1, parameter B), and ER2-instance-2 is referenced by parent-group instance (EPG2, parameter C).
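
The aggregation-node bookkeeping in Steps 3 through 5, as an added Python model (not JunosE code and not part of the Juniper documentation). The data structures and function names are hypothetical, and numbering instances per rate-limit profile in creation order is an assumption that matches the instance names given above.

```python
# Added illustration: models how external parent-group references resolve to
# shared aggregation nodes. All names here are hypothetical, not a JunosE API.

# Step 1: external parent group -> (rate-limit profile, next-parent reference)
EXTERNAL_PARENT_GROUPS = {
    "EPG1": ("ER1", ("EPG2", "C")),
    "EPG2": ("ER2", None),
}
# Step 2: external references made inside POL (by C1 and by IPG1).
POL_EXTERNAL_REFS = [("EPG1", "A"), ("EPG1", "B")]
# Steps 3-5: parameter values supplied at each attachment.
ATTACHMENTS = [
    ("atm5/0.1", {"A": 1, "B": 1, "C": 1}),
    ("atm5/0.2", {"A": 1, "B": 2, "C": 2}),
    ("atm5/0.3", {"A": 2, "B": 1, "C": 2}),
]

def expand_refs(policy_refs):
    """Follow next-parent links so the (EPG2, C) reference is included."""
    refs, queue = [], list(policy_refs)
    while queue:
        ref = queue.pop(0)
        if ref in refs:
            continue
        refs.append(ref)
        next_parent = EXTERNAL_PARENT_GROUPS[ref[0]][1]
        if next_parent:
            queue.append(next_parent)
    return refs

class AggregationTable:
    def __init__(self):
        self.nodes = {}     # (slot, direction, group, value) -> instance name
        self.counters = {}  # profile -> instances created (assumed naming)

    def attach(self, slot, direction, params):
        """Return {(group, parameter): rate-limit instance} for one attachment."""
        bindings = {}
        for group, param in expand_refs(POL_EXTERNAL_REFS):
            key = (slot, direction, group, params[param])
            if key not in self.nodes:  # create the node only on first use
                profile = EXTERNAL_PARENT_GROUPS[group][0]
                self.counters[profile] = self.counters.get(profile, 0) + 1
                self.nodes[key] = f"{profile}-instance-{self.counters[profile]}"
            bindings[(group, param)] = self.nodes[key]
        return bindings

def run_example():
    table = AggregationTable()
    return table, {ifc: table.attach(5, "ingress", p) for ifc, p in ATTACHMENTS}
```

Calling `run_example()` returns the node table and the per-interface bindings; only the atm5/0.1 and atm5/0.2 attachments create new aggregation nodes, and atm5/0.3 reuses existing ones.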

 

 

Published: 2012-06-21

 