Create an Ingress Policy for a Device

An ingress policy (or route map) defines the actions to apply to inbound packets.

Before you begin

Create a policy rule match to associate with the policy. For more information, see Change a Policy Rule Match for a Device.

Create an egress group to associate with the policy. For more information, see Create an Egress Group.

About this task

Take the following steps to define the criteria for a policy. Each set of criteria is a rule. A policy can contain multiple rules.

Procedure

  1. In the Navigation menu, select Device Inventory.
  2. In the Devices page, click anywhere in the required device row except the Actions column to proceed to the device Overview page.
  3. In the Device Config menu, select Policies and Configuration > Policies > Add Policy.
  4. In the Name field, enter a unique name for the policy.
    An ingress policy cannot have the same name as another ingress policy or the reserved keyword all.
  5. In the Policy Type field, select Ingress Policy.
  6. Select the Sequence in which to apply the rule.
  7. In the Matches field, select a policy rule.
    Note

    • For a policy, you can select three rule matches of different types: 1 v4, 1 v6, and 1 l2.
    • If you did not create a policy rule match, select Create Match to create the match now.
    • You cannot use the same policy rule match multiple times in a policy.
    • For SLX devices, you can select only one rule match type (v4, v6, L2, or UDA) per rule.
    • For MLX devices, you cannot select L2 and UDA match in the same rule.
    • (MLX only) Do not apply an L2 rule match and a UDA rule match in the same policy. Doing so causes the related ingress group to fail.
    • (MLX only) If you add a UDA rule match to a policy that is associated with an ingress group, ensure that you first apply the associated UDA profile to that group. For more information, see Create an Ingress Group for an SLX or MLX Device.
  8. (9920 only) In the QoS field, select the required QoS.
    For more information, see Quality of Service.
  9. In the Egress Group field, select the group to associate with the policy.
    If you did not create an Egress Group, select Create Egress Group. For more information, see Create an Egress Group.
  10. (MLX and 9920 only) In the Packet Slicing field, enter a value to represent the maximum packet size after slicing.
    The final packet size will be less than or equal to this value.
  11. (SLX only) In the Truncation Profile field, select a profile that you created for a port or a port channel.
  12. (9920 only) In the Advance Scope section, select one of the following:
    • Decap to remove the outermost tunnel headers from the packet
    • Scope Shift to move the ACL scope for matching from the outer headers to the inner headers of a tunneled packet
    • None to perform neither action
  13. (9920 only) To prevent the rule from being used in the policy, select the Deny check box.
    Tip

    This option prevents the rule from being used, but does not delete the configuration of the rule. The rule is skipped and is not used to drop a packet. You can reinstate the rule later without having to reconfigure it.
  14. Select Add Rule.
    The rule parameters appear in the pane on the right.
  15. Repeat step 7 through step 14 until you have added all the rules you need.
  16. Select Create.
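
Example

The naming and rule-match constraints listed in steps 4 and 7 can be checked against a planned policy before you enter it in the UI. The following Python sketch is an added example, not product code or a product API. The function name, the data layout (each rule as a list of match name and match type pairs), and the reading that the three-match limit applies to each rule are assumptions.

```python
RESERVED_NAMES = {"all"}  # reserved keyword named in step 4

def validate_policy(platform, name, rules, existing_names=()):
    """Return a list of constraint violations; an empty list means none found.

    platform: "SLX", "MLX" or "9920"
    rules: list of rules in sequence order; each rule is a list of
           (match_name, match_type) pairs, match_type in v4/v6/l2/uda
    existing_names: names of ingress policies already on the device
    """
    errors = []
    if name in RESERVED_NAMES:
        errors.append(f"name '{name}' is a reserved keyword")
    if name in existing_names:
        errors.append(f"name '{name}' is used by another ingress policy")

    seen_matches = set()   # match names used so far in this policy
    policy_types = set()   # match types used anywhere in this policy
    for seq, rule in enumerate(rules, start=1):
        types = [match_type for _, match_type in rule]
        policy_types.update(types)
        if len(rule) > 3 or len(types) != len(set(types)):
            errors.append(f"rule {seq}: at most three matches, one per type")
        if platform == "SLX" and len(set(types)) > 1:
            errors.append(f"rule {seq}: SLX allows one match type per rule")
        if platform == "MLX" and {"l2", "uda"} <= set(types):
            errors.append(f"rule {seq}: MLX cannot mix L2 and UDA in a rule")
        for match_name, _ in rule:
            if match_name in seen_matches:
                errors.append(f"rule {seq}: match '{match_name}' reused")
            seen_matches.add(match_name)

    # MLX only: an L2 match and a UDA match in one policy causes the
    # related ingress group to fail, even when they sit in different rules.
    if platform == "MLX" and {"l2", "uda"} <= policy_types:
        errors.append("policy mixes L2 and UDA matches (ingress group fails)")
    return errors

if __name__ == "__main__":
    # Constructed sample plan: the names below are placeholders.
    plan = [[("web-v4", "v4"), ("web-v6", "v6")], [("mac-filter", "l2")],
            [("custom-uda", "uda")]]
    for problem in validate_policy("MLX", "tap-policy-1", plan, {"tap-policy-0"}):
        print(problem)
```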