ip access-list policy (S-, K-Series)

Use this command to enter access list configuration mode for policy ACLs.

Syntax

ip access-list policy {access-list-number | name}
no ip access-list {access-list-number | name}

Parameters

access-list-number | name Specifies a policy access list number or name. When entering a number value, policy access list valid values are from 100 to 199.

Defaults

None.

Mode

Configuration command, Global configuration.

Usage

The ip access-list policy command enters the rule configuration command mode for the specified policy access-list. Policy access-lists specify both a source and destination address. Policy access-lists have the same configuration options as IPv4 extended access-lists, with the exception of a required parameter that sets the DSCP value. Access-list and rule resources are taken from the same pool available for standard and extended ACLs. Multiple policy ACLs may be created, but only a single policy ACL can be applied to a given VRF.

There are two ways to identify an ACL: a number or a name. The use of a number is for IPv4 ACLs only. Policy IPv4 ACL numbers range from 100 to 199. Names must start with an alpha character. A name may be quoted, as the quotes are stripped, but spaces are not supported in the quoted string. A name cannot be one of the show access-lists keywords brief or applied, or any prefix thereof such as "br" or "app". Names can be up to 64 characters in length.
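The identifier rules above are easy to get wrong when ACL names are generated by an automation tool, so the following check is useful before pushing configuration. This is an added example written for this page, not code from the S-/K-Series firmware or its documentation; it assumes that the keyword-prefix comparison is case-insensitive and that both single and double quotes are stripped, neither of which the page states.

```python
import re

# Keywords reserved by "show access-lists"; a name may not equal one or be a prefix of one.
SHOW_ACL_KEYWORDS = ("brief", "applied")
POLICY_ACL_NUMBERS = range(100, 200)   # policy ACL numbers 100..199 inclusive
MAX_NAME_LEN = 64


def validate_policy_acl_id(token: str):
    """Validate one identifier token for 'ip access-list policy'.

    Returns (True, normalized_identifier) or (False, reason).
    """
    # Purely numeric tokens are treated as access-list numbers.
    if re.fullmatch(r"[0-9]+", token):
        number = int(token)
        if number in POLICY_ACL_NUMBERS:
            return True, str(number)
        return False, f"policy ACL numbers must be 100-199, got {number}"

    name = token
    # The CLI strips surrounding quotes (assumption: both quote styles are accepted).
    if len(name) >= 2 and name[0] == name[-1] and name[0] in ('"', "'"):
        name = name[1:-1]
    if not name:
        return False, "name is empty"
    if " " in name:
        return False, "spaces are not supported, even inside a quoted name"
    if not name[0].isalpha():
        return False, "name must start with an alpha character"
    if len(name) > MAX_NAME_LEN:
        return False, f"name is longer than {MAX_NAME_LEN} characters"
    # Reject the keywords and every non-empty prefix of them (assumption: case-insensitive).
    lowered = name.lower()
    for keyword in SHOW_ACL_KEYWORDS:
        if keyword.startswith(lowered):
            return False, f"'{name}' is the show access-lists keyword '{keyword}' or a prefix of it"
    return True, name


if __name__ == "__main__":
    # Constructed sample tokens; the garbled-looking ones are the prefixes the page warns about.
    for sample in ("policy1", "150", "99", '"policy1"', '"my policy"', "br", "app", "bridge", "1abc"):
        print(f"{sample!r:14} -> {validate_policy_acl_id(sample)}")
```

Note that a single-letter name such as "a" or "b" is rejected by the prefix rule, because it is a prefix of "applied" or "brief"; this follows directly from the "any prefix thereof" wording rather than being an extra restriction of the check.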

Policy access lists do not deny (drop) packets. When using a policy ACL, a permit rule match sets the packet DSCP field to the value specified in the rule and resumes the normal forwarding process. A deny rule match stops processing the packet against the policy ACL and resumes the normal forwarding process. All non-policy access-lists (L2, standard, and extended) may still be applied, and can cause a packet modified by a policy access list to subsequently be dropped.

If egress policy is configured to set TOS, the DSCP value set by a policy ACL is overridden.
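The forwarding semantics in the two paragraphs above are the part of this command that most often surprises operators: a policy ACL only marks DSCP and never drops, a deny rule merely ends policy-ACL evaluation, an egress TOS policy wins over the ACL-set DSCP, and a separate extended ACL can still drop the marked packet. The following model illustrates that pipeline. It is an added example written for this page, not S-/K-Series code; it assumes that a packet matching no policy rule is left unchanged, and it encodes no implicit final deny for the extended ACL (the sample rule set ends with an explicit rule instead), since the page states neither default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0
    dropped: bool = False


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source prefix, e.g. "10.0.0.0/8"
    dst: str                    # destination prefix, e.g. "192.168.1.0/24"
    dscp: Optional[int] = None  # required on policy-ACL permit rules

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def validate_policy_acl(rules: List[Rule]) -> None:
    """Every permit rule in a policy ACL must carry the DSCP value it will set."""
    for i, rule in enumerate(rules):
        if rule.action == "permit" and rule.dscp is None:
            raise ValueError(f"policy ACL rule {i}: permit requires a DSCP value")


def apply_policy_acl(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """First matching rule ends evaluation: permit sets DSCP, deny changes nothing.
    A policy ACL never drops. Returns the index of the matched rule, or None."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            if rule.action == "permit":
                pkt.dscp = rule.dscp
            return i
    return None  # assumption: no match leaves the packet as it was


def apply_extended_acl(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Ordinary extended ACL: first match decides, and a deny match drops the packet."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            pkt.dropped = (rule.action == "deny")
            return i
    return None  # no implicit deny modelled; append an explicit final rule if wanted


def forward(pkt: Packet, policy_rules: List[Rule],
            extended_rules: Optional[List[Rule]] = None,
            egress_tos: Optional[int] = None) -> Packet:
    """Policy ACL marking, then an egress TOS override, then any non-policy ACL."""
    validate_policy_acl(policy_rules)
    apply_policy_acl(policy_rules, pkt)
    if egress_tos is not None:       # egress policy set TOS overrides the ACL-set DSCP
        pkt.dscp = egress_tos
    if extended_rules is not None:   # non-policy ACLs may still drop the marked packet
        apply_extended_acl(extended_rules, pkt)
    return pkt


# Constructed sample rule sets (hypothetical addresses and DSCP values).
POLICY_ACL = [
    Rule("deny", "10.9.0.0/16", "0.0.0.0/0"),                 # stop evaluation, no marking
    Rule("permit", "10.0.0.0/8", "192.168.1.0/24", dscp=46),  # mark as EF
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0", dscp=0),         # everything else: best effort
]
EXTENDED_ACL = [
    Rule("deny", "10.0.0.0/8", "192.168.1.10/32"),
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]


if __name__ == "__main__":
    print(forward(Packet("10.1.1.5", "192.168.1.10"), POLICY_ACL))                # dscp 46, not dropped
    print(forward(Packet("10.9.2.2", "192.168.1.10"), POLICY_ACL))                # deny match: dscp 0
    print(forward(Packet("10.1.1.5", "192.168.1.10"), POLICY_ACL, EXTENDED_ACL))  # marked, then dropped
    print(forward(Packet("10.1.1.5", "192.168.1.10"), POLICY_ACL, egress_tos=8))  # egress override
```

The third case is the one to keep in mind when troubleshooting: a packet can show the expected DSCP mark in a capture taken before the extended ACL and still never leave the switch.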

Actions defined by a policy access list are applied by using the ip policy-access-list command (ip access-group).

Created policy ACLs do not persist after a system reset.

The “no” form of this command removes the specified access list.

Example

This example creates policy access list policy1, if it does not already exist, and enters access list policy1 configuration mode:

System(rw-config)->ip access-list policy policy1
System(su-cfg-policy-acl-policy1)->