
Policy

Policy configuration provides traffic classification and action enforcement through class-maps and policy-maps, which define how network traffic is identified, prioritized, and processed based on criteria including DSCP markings, protocols, and authentication states. It supports both Quality of Service (QoS) policies for bandwidth management, prioritization, and queuing, and control policies for network access control, which define the actions to take based on authentication events and user authorization status. The policy framework enables fine-grained traffic engineering, security enforcement, and service differentiation by combining flexible matching criteria with configurable actions such as rate limiting, priority queuing, and service template activation.

Classes

configuration (iosxe.devices)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| policy | Class | [policy] | No | |

policy (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| class_maps | List | [class_maps] | No | |
| policy_maps | List | [policy_maps] | No | |

class_maps (iosxe.devices.configuration.policy)

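| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| type | Choice | control, subscriber | No | |
| subscriber | Boolean | true, false | No | |
| prematch | Choice | match-all, match-any, match-none | No | |
| match | Class | [match] | No | |
| description | String | | No | |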

policy_maps (iosxe.devices.configuration.policy)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| type | Choice | access-control, appnav, control, epbr, inspect, packet-service, performance-monitor, queueing, service, service-chain, umbrella | No | |
| subscriber | Boolean | true, false | No | |
| description | String | | No | |
| classes | List | [classes] | No | |
| events | List | [events] | No | |

match (iosxe.devices.configuration.policy.class_maps)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| authorization_status_authorized | Boolean | true, false | No | |
| authorization_status_unauthorized | Boolean | true, false | No | |
| result_type_aaa_timeout | Boolean | true, false | No | |
| activated_service_templates | List | String | No | |
| authorizing_method_priority_greater_than | Integer | | No | |
| method_dot1x | Boolean | true, false | No | |
| result_type_method_dot1x_authoritative | Boolean | true, false | No | |
| result_type_method_dot1x_agent_not_found | Boolean | true, false | No | |
| result_type_method_dot1x_method_timeout | Boolean | true, false | No | |
| method_mab | Boolean | true, false | No | |
| result_type_method_mab_authoritative | Boolean | true, false | No | |
| dscp | List | Integer | No | |

classes (iosxe.devices.configuration.policy.policy_maps)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| actions | List | [actions] | No | |

events (iosxe.devices.configuration.policy.policy_maps)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| event_type | Choice | aaa-available, absolute-timeout, agent-found, authentication-failure, authentication-success, authorization-failure, authorization-success, identity-update, inactivity-timeout, remote-authentication-failure, remote-authentication-success, remote-update, session-disconnected, session-started, tag-added, tag-removed, template-activated, template-activation-failed, template-deactivated, template-deactivation-failed, timer-expiry, violation | No | |
| match_type | Choice | match-all, match-first | No | |
| classes | List | [classes] | No | |

actions (iosxe.devices.configuration.policy.policy_maps.classes)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| type | Choice | bandwidth, compression, dbl, drop, estimate, fair-queue, forward, netflow-sampler, police, priority, queue-buffers, queue-limit, random-detect, service-policy, set, shape, trust | No | |
| bandwidth_bits | Integer | min: 1, max: 100000000 | No | |
| bandwidth_percent | Integer | min: 1, max: 100 | No | |
| bandwidth_remaining_option | Choice | percent, ratio | No | |
| bandwidth_remaining_percent | Integer | min: 1, max: 100 | No | |
| bandwidth_remaining_ratio | Integer | min: 1, max: 65536 | No | |
| priority_level | Integer | min: 1, max: 2 | No | |
| priority_burst | Integer | min: 32, max: 2000000 | No | |
| queue_limit | Integer | min: 1, max: 64000000 | No | |
| queue_limit_type | Any | bytes, ms, packets, us | No | |
| shape_average_bit_rate | Integer | min: 1000, max: 100000000000 | No | |
| shape_average_bits_per_interval_sustained | Integer | min: 32, max: 800000000 | No | |
| shape_average_bits_per_interval_excess | Integer | min: 0, max: 154400000 | No | |
| shape_average_percent | Integer | min: 0, max: 100 | No | |
| shape_average_burst_size_sustained | Integer | min: 10, max: 2000 | No | |
| shape_average_ms | Boolean | true, false | No | |

classes (iosxe.devices.configuration.policy.policy_maps.events)

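| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| number | Integer | min: 1, max: 254 | Yes | |
| class | String | | Yes | |
| execution_type | Choice | do-all, do-until-failure, do-until-success | No | |
| actions | List | [actions] | No | |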

actions (iosxe.devices.configuration.policy.policy_maps.events.classes)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| number | Integer | min: 1, max: 254 | Yes | |
| pause_reauthentication | Boolean | true, false | No | |
| authorize | Boolean | true, false | No | |
| terminate_config | Any | Choice[dot1x, mab, webauth] or String[Regex: ^.*[\$\%]\{.*$] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| activate_service_template_config_service_template | String | | No | |
| activate_service_template_config_aaa_list | String | | No | |
| activate_service_template_config_precedence | Integer | min: 1, max: 254 | No | |
| activate_service_template_config_replace_all | Boolean | true, false | No | |
| activate_interface_template | String | | No | |
| activate_policy_type_control_subscriber | String | | No | |
| deactivate_interface_template | String | | No | |
| deactivate_service_template | String | | No | |
| deactivate_policy_type_control_subscriber | String | | No | |
| authenticate_using_method | Choice | dot1x, mab, webauth | No | |
| authenticate_using_retries | Integer | min: 1, max: 5 | No | |
| authenticate_using_retry_time | Integer | min: 0, max: 65535 | No | |
| authenticate_using_priority | Integer | min: 1, max: 254 | No | |
| authenticate_using_aaa_authc_list | String | | No | |
| authenticate_using_aaa_authz_list | String | | No | |
| authenticate_using_both | Boolean | true, false | No | |
| authenticate_using_parameter_map | String | | No | |
| replace | Boolean | true, false | No | |
| restrict | Boolean | true, false | No | |
| clear_session | Boolean | true, false | No | |
| clear_authenticated_data_hosts_on_port | Boolean | true, false | No | |
| protect | Boolean | true, false | No | |
| err_disable | Boolean | true, false | No | |
| resume_reauthentication | Boolean | true, false | No | |
| authentication_restart | Integer | min: 1, max: 65535 | No | |
| set_domain | Choice | data, switch, voice | No | |
| unauthorize | Boolean | true, false | No | |
| notify | Boolean | true, false | No | |
| set_timer_name | String | | No | |
| set_timer_value | Integer | min: 0, max: 65535 | No | |
| map_attribute_to_service_table | String | | No | |

Examples

Example 1: The example below shows a basic QoS class-map and policy-map configuration, including basic attributes such as matching DSCP values and assigning a bandwidth percentage.

```yaml
iosxe:
  devices:
    - name: Device1
      configuration:
        policy:
          class_maps:
            - name: VOICE-CLASS
              prematch: match-all
              description: Voice traffic classification
              match:
                dscp: [46]
            - name: VIDEO-CLASS
              prematch: match-all
              description: Video traffic classification
              match:
                dscp: [34, 36, 38]
            - name: CONTROL-CLASS
              type: control
              subscriber: true
              match:
                authorization_status_authorized: true
                method_dot1x: true
                result_type_method_dot1x_authoritative: true
          policy_maps:
            - name: WAN-QOS-POLICY
              description: WAN QoS policy with voice and video prioritization
              classes:
                - name: VOICE-CLASS
                  actions:
                    - type: priority
                      priority_level: 1
                      priority_burst: 8000
                - name: VIDEO-CLASS
                  actions:
                    - type: bandwidth
                      bandwidth_percent: 30
                    - type: queue-limit
                      queue_limit: 64
                      queue_limit_type: packets
            - name: ACCESS-CONTROL-POLICY
              type: control
              subscriber: true
              description: Network access control policy
              events:
                - name: authentication-success
                  event_type: authentication-success
                  match_type: match-first
                  classes:
                    - number: 1
                      class: CONTROL-CLASS
                      execution_type: do-all
                      actions:
                        - number: 1
                          authorize: true
                        - number: 2
                          activate_service_template_config_service_template: USER-TEMPLATE
```
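
A pre-deployment check for this data model, added here as an example and not part of the original documentation: it verifies that every class referenced by a policy-map exists in `class_maps` and that numeric fields respect the ranges in the tables above. The function names, the built-in class names (`class-default`, `always`) and the rule that class and action numbers must be unique within their list are assumptions.

```python
# Added example, not from the original page: lint for the policy data model.
RANGES = {  # (min, max) copied from the constraint columns above
    "number": (1, 254), "priority_level": (1, 2), "bandwidth_percent": (1, 100),
    "authenticate_using_retries": (1, 5), "authenticate_using_priority": (1, 254),
}
# Assumption (not on this page): IOS-XE built-in classes need no class_maps entry.
BUILTIN_CLASSES = {"class-default", "always"}

def _check_entries(entries, where, findings, numbered=False):
    """Range-check each entry; a numbered list must not repeat a number (assumption)."""
    seen = set()
    for entry in entries:
        for key, (lo, hi) in RANGES.items():
            value = entry.get(key)
            if isinstance(value, int) and not lo <= value <= hi:
                findings.append(f"{where}: {key}={value} outside {lo}..{hi}")
        num = entry.get("number")
        if numbered and num in seen:
            findings.append(f"{where}: duplicate number {num}")
        seen.add(num)

def lint_policy(policy):  # policy: one device's configuration.policy mapping
    findings = []
    defined = {cm["name"] for cm in policy.get("class_maps", [])} | BUILTIN_CLASSES
    for pm in policy.get("policy_maps", []):
        for cls in pm.get("classes", []):  # QoS: classes[].name names the class-map
            where = f"{pm['name']}/{cls['name']}"
            if cls["name"] not in defined:
                findings.append(f"{where}: undefined class-map {cls['name']}")
            _check_entries(cls.get("actions", []), where, findings)
        for ev in pm.get("events", []):  # control: events[].classes[].class
            where = f"{pm['name']}/{ev['name']}"
            _check_entries(ev.get("classes", []), where, findings, numbered=True)
            for cls in ev.get("classes", []):
                if cls["class"] not in defined:
                    findings.append(f"{where}: undefined class-map {cls['class']}")
                _check_entries(cls.get("actions", []), where, findings, numbered=True)
    return findings

# Constructed sample with three deliberate mistakes.
SAMPLE = {
    "class_maps": [{"name": "VOICE-CLASS", "match": {"dscp": [46]}}],
    "policy_maps": [
        {"name": "WAN-QOS-POLICY", "classes": [
            {"name": "VOICE-CLASS", "actions": [{"type": "priority", "priority_level": 3}]}]},
        {"name": "ACCESS-CONTROL-POLICY", "type": "control", "events": [
            {"name": "authentication-success", "classes": [{"number": 1, "class": "CONTROL-CLASS",
             "actions": [{"number": 1, "authorize": True}, {"number": 1, "notify": True}]}]}]},
    ]}
```

Pass the `policy` mapping of each device (after loading the YAML with the parser of your choice) to `lint_policy`; an empty list means no findings.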