How policy matching works

A policy can be applied to an interface to affect or control traffic arriving on that interface ('in'). Policy matching differs from the "implicit deny" behavior of an ACL.

A single policy entry matches on one or more characteristics of a particular traffic type and has a configured action that is applied to that traffic as it continues through the switch.

Matching begins with the entry that has the lowest sequence number. That entry's match characteristics are compared against the incoming or outgoing frame. If there is a match, the action is taken.

If there is no match, the match characteristics of the entry with the next sequence number are compared to the relevant frame/packet details. If there is a match, the specified action is taken.

This process continues until a match is found. If no entry matches, the packet is permitted to flow through the switch unaltered.
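
The evaluation order described above, modeled in Python as an added example (not vendor code or switch syntax). The entry fields, action names, addresses and packets are constructed for illustration; the same rule set is run once with the policy fall-through and once with an ACL-style implicit deny to show where the two diverge.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Entry:
    seq: int              # sequence number; lowest is evaluated first
    src: str              # source prefix to match (constructed field)
    dport: Optional[int]  # destination port; None matches any port
    action: str           # action taken on a match (constructed label)

def _matches(entry, pkt):
    in_prefix = ip_address(pkt["src"]) in ip_network(entry.src)
    return in_prefix and entry.dport in (None, pkt["dport"])

def evaluate(entries, pkt, no_match):
    """Return (sequence number, action) of the first matching entry.

    Entries are walked in ascending sequence order, regardless of the
    order they were configured in. If none match, return (None, no_match).
    """
    for entry in sorted(entries, key=lambda e: e.seq):
        if _matches(entry, pkt):
            return entry.seq, entry.action
    return None, no_match

def policy_lookup(entries, pkt):
    # Policy: unmatched traffic flows through the switch unaltered.
    return evaluate(entries, pkt, "permit-unaltered")

def acl_lookup(entries, pkt):
    # ACL: unmatched traffic hits the implicit deny.
    return evaluate(entries, pkt, "deny")

# Constructed rule set, deliberately listed out of sequence order.
RULES = [
    Entry(20, "10.0.0.0/8", None, "mark-low-priority"),
    Entry(10, "10.1.0.0/16", 22, "drop"),
]
# Constructed packets.
SSH_FROM_10_1 = {"src": "10.1.4.7", "dport": 22}
WEB_FROM_10_1 = {"src": "10.1.4.7", "dport": 443}
UNLISTED = {"src": "192.0.2.9", "dport": 22}

if __name__ == "__main__":
    for pkt in (SSH_FROM_10_1, WEB_FROM_10_1, UNLISTED):
        print(pkt, "policy:", policy_lookup(RULES, pkt),
              "acl:", acl_lookup(RULES, pkt))
```

The third packet is the case to audit for: a policy intended as a filter needs an explicit final entry for traffic it should not pass, because nothing is dropped by default.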