HP VPN Firewall Appliances Network Management Configuration Guide

Configuring policy-based routing
Overview
Unlike destination-based routing, policy-based routing (PBR) uses user-defined policies to route
packets based on the source address, packet length, and other criteria. A policy can specify the output
interface, next hop, default output interface, default next hop, and other parameters for packets that
match specific criteria, such as an ACL or a specific packet length.
A device uses PBR to forward matching packets and uses the routing table to forward other packets. If
PBR is not configured, a device uses the routing table to forward packets.
PBR includes local PBR and interface PBR.
Local PBR guides the forwarding of locally generated packets, such as the ICMP packets generated
by using the ping command.
Interface PBR guides the forwarding of packets received on an interface only.
Policy
A policy comprises match criteria and the actions to be taken on matching packets. A policy can
comprise one or multiple nodes. Nodes have the following properties:
Each node is identified by a node number. A smaller node number has a higher priority.
A node comprises if-match and apply clauses. An if-match clause specifies a match criterion, and
an apply clause specifies an action.
A node has a match mode of permit or deny.
A policy matches nodes in priority order against packets. If a packet matches the criteria on a node, it
is processed by the action on the node. Otherwise, it goes to the next node for a match. If the packet does
not match the criteria on any node, it is forwarded according to the routing table.
if-match clause
PBR supports the following types of if-match clauses:
if-match acl—Sets an ACL match criterion.
if-match packet-length—Sets a packet length match criterion.
You can specify multiple if-match clauses for a node, but at most one if-match clause of each type.
To match a node, a packet must match all the if-match clauses of the node.
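The following Python model is an added illustration of the node evaluation described above, not code or configuration from HP. It shows how a broad, higher-priority node can shadow a more specific one. The ACL is reduced to a single source prefix, the apply clause to a next hop, the addresses are constructed samples, and the handling of a matched deny node (the packet falls back to the routing table) is an assumption that this section does not state.

```python
# Added illustration: a model of PBR node evaluation, not HP code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ROUTING_TABLE = "routing-table"  # fallback: destination-based forwarding


@dataclass
class Node:
    number: int                      # smaller number = higher priority
    mode: str                        # "permit" or "deny"
    acl_src: Optional[str] = None    # if-match acl, reduced to one source prefix (assumption)
    length: Optional[Tuple[int, int]] = None  # if-match packet-length as (min, max)
    next_hop: Optional[str] = None   # apply clause, reduced to a next hop (assumption)

    def matches(self, src: str, size: int) -> bool:
        # A packet must satisfy every if-match clause configured on the node.
        if self.acl_src and ip_address(src) not in ip_network(self.acl_src):
            return False
        if self.length and not (self.length[0] <= size <= self.length[1]):
            return False
        return True


def forward(policy, src, size):
    """Return (decision, matched node number) for one packet."""
    for node in sorted(policy, key=lambda n: n.number):
        if node.matches(src, size):
            if node.mode == "permit" and node.next_hop:
                return node.next_hop, node.number
            # Assumption: a matched deny node skips PBR for this packet.
            return ROUTING_TABLE, node.number
    return ROUTING_TABLE, None       # no node matched


# Constructed policy: node 20 is meant to steer 10.1.0.0/16 to its own next hop,
# but node 10 is broader and is evaluated first.
POLICY = [
    Node(20, "permit", acl_src="10.1.0.0/16", next_hop="192.0.2.2"),
    Node(10, "permit", acl_src="10.0.0.0/8", length=(64, 1500), next_hop="192.0.2.1"),
    Node(30, "deny", acl_src="172.16.0.0/12"),
]
```

When reviewing a policy, check each node against every lower-numbered node: a packet from 10.1.2.3 reaches node 20 only when it fails node 10's packet-length criterion.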
apply clause
PBR supports the following types of apply clauses, as shown in Table 56. You can specify multiple apply
clauses for a node, but some of them might not be executed.