Table of Contents
Advertisement
Processing the Classifier Result
The classifier result of the input policy attachment is processed and a set of actions
is identified. When you configure filter, it is the first action taken and immediately
discards the packet. This is followed by any modification, such as mark or logging.
If a rate limit profile is configured, the packet is dropped or colored. If the packet is
not dropped, it is sent to the exception path (if configured). If the packet is not
exceptioned, any configured forward action is saved in the packet for use later (unless
overridden in Step 3). (See Figure 7 on page 124.)
Some information generated by the action processing in Step 2 is forwarded to Step
3, where it may affect the action processing for the auxiliary-input attachment. This
information can include color, exception information, and forwarding information.
The color can affect a rate-limit in the auxiliary-input attachment. Step 3 acts on the
exception and forwarding information, if it is not overridden by similar actions from
the auxiliary-input attachment.
The transmit information (transmit conditional, transmit unconditional, transmit
final) generated with hierarchical policies does not carry forward from input to
auxiliary-input action processing.
Processing the Auxiliary-Input Policy Attachment
If the packet is not filtered or exceptioned in policy Step 2, the classifier result of the
auxiliary policy attachment is processed and a set of actions identified. The packet
can be filtered or exceptioned at this time. These operations, if configured, are
performed regardless of whether a forward action was performed in Step 2. If the
packet is not discarded, either by a filter action or a rate limit, it can be exceptioned
(if configured). If the packet is not filtered, rate-limited, or exceptioned, any configured
forward action is applied and overrides any forward action from Step 2. If no forward
action is configured, any forward action from Step 2 applies.
Policy Actions
The set of actions in the following list specified by the input and auxiliary-input policy
attachments are executed in the order: input, auxiliary-input.
Color packet action Explicitly sets the packet color. Each policy attachment can
set the color and the final value persists. A rate limit profile action can also set
the color, which overrides the value of the color packet action.
Mark action Each attachment can set the TIP TOS, TOS precedence, and DS
fields. The cumulative result of all configured mark actions determines the
resulting value of these fields.
Mirror action Executes in the order: secure input policy follows secondary input
policy, secure output policy follows output policy. Mirror is the only supported
action for secure policies.
Rate-limit profile action Can be specified by any nonsecure input policy
attachment. This enables the application of multiple rate limits either within a
policy stage or across policy stages. These rate limits run serially; if the rate limit
imposed in the primary substage causes the packet to drop, the auxiliary rate
Chapter 6: Merging Policies
Overlapping Classification for IP Input Policy
125
Advertisement
Table of Contents
