Policy
Policy configuration provides comprehensive traffic classification and action enforcement through class-maps and policy-maps that define how network traffic should be identified, prioritized, and processed based on various criteria including DSCP markings, protocols, and authentication states. It supports both Quality of Service (QoS) policies for bandwidth management, prioritization, and queuing, as well as control policies for network access control that define actions to take based on authentication events and user authorization status. Policy framework enables fine-grained traffic engineering, security enforcement, and service differentiation by combining flexible matching criteria with configurable actions such as rate limiting, priority queuing, and service template activation.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”configuration (iosxe.devices)
Section titled “configuration (iosxe.devices)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| policy | Class | [policy] | No |
policy (iosxe.devices.configuration)
Section titled “policy (iosxe.devices.configuration)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| class_maps | List | [class_maps] | No | |
| policy_maps | List | [policy_maps] | No |
class_maps (iosxe.devices.configuration.policy)
Section titled “class_maps (iosxe.devices.configuration.policy)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| type | Choice | control, subscriber | No | |
| subscriber | Boolean | true, false | No | |
| prematch | Choice | match-all, match-any, match-none | No | |
| match | Class | [match] | No | |
| description | String | No |
policy_maps (iosxe.devices.configuration.policy)
Section titled “policy_maps (iosxe.devices.configuration.policy)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| type | Choice | access-control, appnav, control, epbr, inspect, packet-service, performance-monitor, queueing, service, service-chain, umbrella | No | |
| subscriber | Boolean | true, false | No | |
| description | String | No | ||
| classes | List | [classes] | No | |
| events | List | [events] | No |
match (iosxe.devices.configuration.policy.class_maps)
Section titled “match (iosxe.devices.configuration.policy.class_maps)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authorization_status_authorized | Boolean | true, false | No | |
| authorization_status_unauthorized | Boolean | true, false | No | |
| result_type_aaa_timeout | Boolean | true, false | No | |
| activated_service_templates | List | String | No | |
| authorizing_method_priority_greater_than | Integer | No | ||
| method_dot1x | Boolean | true, false | No | |
| result_type_method_dot1x_authoritative | Boolean | true, false | No | |
| result_type_method_dot1x_agent_not_found | Boolean | true, false | No | |
| result_type_method_dot1x_method_timeout | Boolean | true, false | No | |
| method_mab | Boolean | true, false | No | |
| result_type_method_mab_authoritative | Boolean | true, false | No | |
| dscp | List | Integer | No | |
| access_group | String | No | ||
| ip_dscp | Any | Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, dscp, ef, precedence] or Integer[min: 0, max: 63] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| ip_precedence | Any | Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] or Integer[min: 0, max: 7] or String[Regex: ^.*[\$\%]\{.*$] | No |
classes (iosxe.devices.configuration.policy.policy_maps)
Section titled “classes (iosxe.devices.configuration.policy.policy_maps)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| actions | List | [actions] | No |
events (iosxe.devices.configuration.policy.policy_maps)
Section titled “events (iosxe.devices.configuration.policy.policy_maps)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| event_type | Choice | aaa-available, absolute-timeout, agent-found, authentication-failure, authentication-success, authorization-failure, authorization-success, identity-update, inactivity-timeout, remote-authentication-failure, remote-authentication-success, remote-update, session-disconnected, session-started, tag-added, tag-removed, template-activated, template-activation-failed, template-deactivated, template-deactivation-failed, timer-expiry, violation | No | |
| match_type | Choice | match-all, match-first | No | |
| classes | List | [classes] | No |
actions (iosxe.devices.configuration.policy.policy_maps.classes)
Section titled “actions (iosxe.devices.configuration.policy.policy_maps.classes)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | bandwidth, compression, dbl, drop, estimate, fair-queue, forward, netflow-sampler, police, priority, queue-buffers, queue-limit, random-detect, service-policy, set, shape, trust | No | |
| bandwidth_bits | Integer | min: 1, max: 100000000 | No | |
| bandwidth_percent | Integer | min: 1, max: 100 | No | |
| bandwidth_remaining_option | Choice | percent, ratio | No | |
| bandwidth_remaining_percent | Integer | min: 1, max: 100 | No | |
| bandwidth_remaining_ratio | Integer | min: 1, max: 65536 | No | |
| priority_level | Integer | min: 1, max: 2 | No | |
| priority_burst | Integer | min: 32, max: 2000000 | No | |
| queue_limit | Integer | min: 1, max: 64000000 | No | |
| queue_limit_type | Any | bytes, ms, packets, us | No | |
| shape_average_bit_rate | Integer | min: 1000, max: 100000000000 | No | |
| shape_average_bits_per_interval_sustained | Integer | min: 32, max: 800000000 | No | |
| shape_average_bits_per_interval_excess | Integer | min: 0, max: 154400000 | No | |
| shape_average_percent | Integer | min: 0, max: 100 | No | |
| shape_average_burst_size_sustained | Integer | min: 10, max: 2000 | No | |
| shape_average_ms | Boolean | true, false | No | |
| police_target_bitrate_conform_transmit | Boolean | true, false | No | |
| police_target_bitrate_exceed_transmit | Boolean | true, false | No | |
| police_target_bitrate | Integer | min: 1, max: 100000000000 | No | |
| police_target_bitrate_conform_burst_byte | Integer | min: 1, max: 512000000 | No | |
| police_target_bitrate_excess_burst_byte | Integer | min: 1, max: 512000000 | No |
classes (iosxe.devices.configuration.policy.policy_maps.events)
Section titled “classes (iosxe.devices.configuration.policy.policy_maps.events)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| number | Integer | min: 1, max: 254 | Yes | |
| class | String | Yes | ||
| execution_type | Choice | do-all, do-until-failure, do-until-success | No | |
| actions | List | [actions] | No |
actions (iosxe.devices.configuration.policy.policy_maps.events.classes)
Section titled “actions (iosxe.devices.configuration.policy.policy_maps.events.classes)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| number | Integer | min: 1, max: 254 | Yes | |
| pause_reauthentication | Boolean | true, false | No | |
| authorize | Boolean | true, false | No | |
| terminate_config | Any | Choice[dot1x, mab, webauth] or String[Regex: ^.*[\$\%]\{.*$] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| activate_service_template_config_service_template | String | No | ||
| activate_service_template_config_aaa_list | String | No | ||
| activate_service_template_config_precedence | Integer | min: 1, max: 254 | No | |
| activate_service_template_config_replace_all | Boolean | true, false | No | |
| activate_interface_template | String | No | ||
| activate_policy_type_control_subscriber | String | No | ||
| deactivate_interface_template | String | No | ||
| deactivate_service_template | String | No | ||
| deactivate_policy_type_control_subscriber | String | No | ||
| authenticate_using_method | Choice | dot1x, mab, webauth | No | |
| authenticate_using_retries | Integer | min: 1, max: 5 | No | |
| authenticate_using_retry_time | Integer | min: 0, max: 65535 | No | |
| authenticate_using_priority | Integer | min: 1, max: 254 | No | |
| authenticate_using_aaa_authc_list | String | No | ||
| authenticate_using_aaa_authz_list | String | No | ||
| authenticate_using_both | Boolean | true, false | No | |
| authenticate_using_parameter_map | String | No | ||
| replace | Boolean | true, false | No | |
| restrict | Boolean | true, false | No | |
| clear_session | Boolean | true, false | No | |
| clear_authenticated_data_hosts_on_port | Boolean | true, false | No | |
| protect | Boolean | true, false | No | |
| err_disable | Boolean | true, false | No | |
| resume_reauthentication | Boolean | true, false | No | |
| authentication_restart | Integer | min: 1, max: 65535 | No | |
| set_domain | Choice | data, switch, voice | No | |
| unauthorize | Boolean | true, false | No | |
| notify | Boolean | true, false | No | |
| set_timer_name | String | No | ||
| set_timer_value | Integer | min: 0, max: 65535 | No | |
| map_attribute_to_service_table | String | No |
By defining class-maps and policy-maps, policy configuration enables granular traffic classification, prioritization, and enforcement for QoS and access control.
Policy Parameters
Section titled “Policy Parameters”Key Components:
Class-Map Name (
class_maps.name): The identifier for the class-map.Class-Map Type (
class_maps.type): Specifies the class-map type (QoS, control, inspect).Class-Map Match Criteria (
class_maps.match): Defines match conditions (DSCP, protocol, access-group, authorization status, method).Policy-Map Name (
policy_maps.name): The identifier for the policy-map.Policy-Map Type (
policy_maps.type): Specifies the policy-map type (QoS, control, inspect).Policy-Map Classes (
policy_maps.classes): Associates classes with the policy-map.Policy-Map Actions (
policy_maps.classes.actions): Specifies actions (bandwidth, priority, queue-limit, authorize, activate service template, redirect).Events (
policy_maps.events): Defines events for control policies.Description (
description): Descriptive text for class-maps and policy-maps.
Key Parameters Briefly Explained:
class_maps.name: Class-map identifier.class_maps.type: Class-map type.class_maps.match: Match conditions.policy_maps.name: Policy-map identifier.policy_maps.type: Policy-map type.policy_maps.classes: Classes in the policy-map.policy_maps.classes.actions: Actions for matched traffic.policy_maps.events: Control policy events.description: Description for class-map or policy-map.
You can use these Policy parameters to define granular traffic classification and enforcement rules. Customize class-map match conditions and policy-map actions to fit your network’s QoS requirements, access control policies, and traffic engineering needs. Adjusting these parameters lets you tailor how traffic is identified, prioritized, and processed across your network infrastructure.
Sample Configuration
Section titled “Sample Configuration”The following configuration describes how to set up QoS and control policies on a Cisco IOS-XE device, including class-maps for DSCP values and authentication status, and policy-maps for QoS actions and access control.
class-map match-all VOICE-CLASS description Voice traffic classification match dscp 46!class-map match-all VIDEO-CLASS description Video traffic classification match dscp 34 36 38!class-map type control subscriber CONTROL-CLASS match authorization-status authorized match method dot1x match result-type method dot1x authoritative!policy-map WAN-QOS-POLICY description WAN QoS policy with voice and video prioritization class VOICE-CLASS priority level 1 priority-burst 8000 class VIDEO-CLASS bandwidth percent 30 queue-limit 64 packets!policy-map type control subscriber ACCESS-CONTROL-POLICY description Network access control policy event authentication-success match-first class CONTROL-CLASS do-all 1 authorize 2 activate service-template USER-TEMPLATEExample YAML Code
Section titled “Example YAML Code”The following YAML code defines QoS and control policies on an IOS-XE device, specifying class-maps with match criteria and policy-maps with actions and events.
iosxe: devices: - name: Device1 configuration: policy: class_maps: - name: VOICE-CLASS prematch: match-all description: Voice traffic classification match: dscp: [46] - name: VIDEO-CLASS prematch: match-all description: Video traffic classification match: dscp: [34, 36, 38] - name: CONTROL-CLASS type: control subscriber: true match: authorization_status_authorized: true method_dot1x: true result_type_method_dot1x_authoritative: true policy_maps: - name: WAN-QOS-POLICY description: WAN QoS policy with voice and video prioritization classes: - name: VOICE-CLASS actions: - type: priority priority_level: 1 priority_burst: 8000 - name: VIDEO-CLASS actions: - type: bandwidth bandwidth_percent: 30 - type: queue-limit queue_limit: 64 queue_limit_type: packets - name: ACCESS-CONTROL-POLICY type: control subscriber: true description: Network access control policy events: - name: authentication-success event_type: authentication-success match_type: match-first classes: - number: 1 class: CONTROL-CLASS execution_type: do-all actions: - number: 1 authorize: true - number: 2 activate_service_template_config_service_template: USER-TEMPLATE