Manualshelf

F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
551552553554555556557558559560
534
34BConfiguring policy-based routing
189B
Overview
Different from destination-based routing, policy-based routing (PBR) uses user-defined policies to route
packets based on the source address, packet length, and other criteria. A policy can specify the output
interface, next hop, default output interface, default next hop, and other parameters for packets that
match specific criteria such as ACLs or have specific lengths.
A device uses PBR to forward matching packets and uses the routing table to forward other packets. If
PBR is not configured, a device uses the routing table to forward packets.
PBR falls into local PBR and interface PBR.
Local PBR guides the forwarding of locally generated packets, such as the ICMP packets generated
by using the ping command.
Interface PBR guides the forwarding of packets received on an interface only.
728BPolicy
A policy comprises match criteria and actions to be taken on the matching packets. A policy can
comprise one or multiple nodes. The following describes information about nodes:
Each node is identified by a node number. A smaller node number has a higher priority.
A node comprises if-match and apply clauses. An if-match clause specifies a match criterion, and
an apply clause specifies an action.
A node has a match mode of permit or deny.
A policy matches nodes in priority order against packets. If a packet satisfies the match criteria on a node,
it is processed by the action on the node. Otherwise, it goes to the next node for a match. If the packet
does not match the criteria on any node, it is forwarded according to the routing table.
1544Bif-match clause
PBR supports the following types of if-match clauses:
if-match acl—Sets an ACL match criteria.
if-match packet-length—Sets a packet length match criterion.
You can specify multiple if-match clauses for a node, but only one if-match clause can be specified for
each type at most. To match a node, a packet must satisfy all the if-match clauses of the node.
1545Bapply clause
PBR supports the following types of apply clauses, as shown in 2709HTable 60. You can specify multiple apply
clauses for a node, but some of them might not be executed.