Creating and Attaching a Policy with IP Classifiers
In this example, a policy with a combination of IP classifiers is created and attached. The configuration conforms to the 128-bit limit.
- Match all TCP SYN packets from 1.1.1.1 to any destination address (DA) with port 2000.
host1(config)#ip classifier-list tcpCLACL tcp host 1.1.1.1 any eq 2000 tcp-flags "SYN"
- Match all IP packets with the don’t fragment flag set to host 2.2.2.2.
host1(config)#ip classifier-list ipCLACL ip any host 2.2.2.2 ip-flags "dont-fragment"
- Match all ICMP echo packets.
host1(config)#ip classifier-list icmpCLACL icmp any any 8 0
- Match all frames with the color red.
host1(config)#ip classifier-list colorCLACL color red ip any any
- Create a policy list.
host1(config)#ip policy-list ipPol
host1(config-policy-list)#classifier-group colorCLACL
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#classifier-group tcpCLACL
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#classifier-group icmpCLACL
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#classifier-group ipCLACL
host1(config-policy-list-classifier-group)#filter
- Apply the policy list to an interface.
host1(config)#interface atm 5/0/0.1
host1(config-if)#ip policy input ipPol
Table 1 lists the active classifiers in the policy named ipPol and the size of each classifier.

Table 1: Classification Fields for Example 1

| Classifiers | Size (Bits) |
|---|---|
| Source address | 32 |
| Destination address | 32 |
| Destination port, ICMP type, ICMP code | 16 |
| Protocol | 8 |
| Color and TCP flags | 8 |
| ToS | 8 |
| IP flags | 8 |

The total value of the classifiers requested in the ipPol policy is 112, which is less than the 128-bit CAM entry size limit.
In this example, a policy with a combination of IP classifiers is created and attached. The configuration exceeds the 128-bit limit.
- Match all TCP packets from 1.1.1.1 port 10 to 2.2.2.2 port 20.
host1(config)#ip classifier-list tcpCLACL tcp host 1.1.1.1 eq 10 host 2.2.2.2 eq 20
- Match all IP packets with a fragmentation offset equal to 1.
host1(config)#ip classifier-list ipFragCLACL ip any any ip-frag-offset eq 1
- Match all frames with the color red.
host1(config)#ip classifier-list colorCLACL color red traffic-class best-effort ip any any
- Match all frames with user packet class (UPC) 1.
host1(config)#ip classifier-list upcCLACL user-packet-class 1 ip any any
- Create a policy list.
host1(config)#ip policy-list ipPol
host1(config-policy-list)#classifier-group colorCLACL
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#classifier-group ipFragCLACL
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#classifier-group igmpCLACL
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#classifier-group lowDelayCLACL
host1(config-policy-list-classifier-group)#traffic-class strict-priority
host1(config-policy-list-classifier-group)#classifier-group tcpCLACL
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#classifier-group *
host1(config-policy-list-classifier-group)#filter
- Apply the policy list to an interface.
host1(config)#interface atm 5/0/0.1
host1(config-if)#ip policy input ipPol
% too many classifier fields in policy
Table 2 lists the active classifiers in the policy named ipPol and the size of each classifier.

Table 2: Classification Fields for Example 2

| Classifiers | Size (Bits) |
|---|---|
| Source address | 32 |
| Destination address | 32 |
| Source port | 16 |
| Destination port | 16 |
| Protocol | 8 |
| User packet class | 8 |
| Color | 8 |
| IP fragmentation | 8 |
| ToS | 8 |

The configuration fails because the total value of the classifiers requested in the ipPol policy is 136, which is greater than the 128-bit CAM entry size limit.
Published: 2012-06-21