F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100

• The routing information matching all the if-match clauses of a permit-mode node is handled by the apply clauses of the node, without needing to match against the next node. The routing information that does not match the node goes to the next node for a match.
• The apply clauses of a deny-mode node are never executed. The routing information matching all the if-match clauses of the node cannot pass the node or go to the next node. The routing information that does not match the node goes to the next node for a match.
• For a routing policy that has more than one node, configure at least one permit-mode node. A route that does not match any node cannot pass the routing policy. If all the nodes are in deny mode, no routing information can pass the routing policy.
To create a routing policy:
Step 1589. Enter system view.
    Command: system-view
    Remarks: N/A
Step 1590. Create a routing policy and a node and enter routing policy view.
    Command: route-policy route-policy-name { deny | permit } node node-number
    Remarks: By default, no routing policy is created.
Configuring if-match clauses
Follow these guidelines when you configure if-match clauses:
• The if-match clauses of a routing policy node have a logical AND relationship. A route must satisfy all if-match clauses before it can be handled by the apply clauses of the node. If an if-match command exceeds the maximum length, multiple identical if-match clauses are generated. These clauses have a logical OR relationship. A route only needs to match one of them.
• You can specify no if-match clause or multiple if-match clauses for a routing policy node. If no if-match clause is specified for a permit-mode node, all routing information can pass the node. If no if-match clause is specified for a deny-mode node, no routing information can pass the node.
• If the ACL referenced by an if-match clause does not exist, the clause is always satisfied. If no rules of the referenced ACL are matched or the matching rule is inactive, the clause is not satisfied.
• An ACL specified in an if-match clause must be a non-VPN ACL.
• The if-match command for matching IPv4 destination, next hop, and source is different from the if-match command for matching IPv6 ones.
• BGP does not support criteria for matching against outbound interfaces of routing information.
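The following Python model is an added example, not taken from the HP guide or device software. It walks a route through permit-mode and deny-mode nodes using the rules above and flags if-match clauses that reference an undefined ACL, which are always satisfied and can silently widen a filter. It assumes that ACLs can be modelled as lists of (network, active) rules, that nodes are tried in ascending node-number order, and that the ACL names and prefixes are constructed samples.

```python
import ipaddress

# Constructed sample ACLs: name -> list of (network, active) rules.
ACLS = {
    "2000": [("10.0.0.0/8", True)],
    "2001": [("192.168.0.0/16", False)],  # a matching rule exists but is inactive
}

def clause_satisfied(acl_name, route, acls):
    """Evaluate one if-match clause that references an ACL."""
    if acl_name not in acls:
        return True  # referenced ACL does not exist: clause is always satisfied
    dest = ipaddress.ip_network(route)
    for net, active in acls[acl_name]:
        if dest.subnet_of(ipaddress.ip_network(net)):
            return active  # a matching but inactive rule does not satisfy the clause
    return False  # no rule of the ACL matched

def evaluate(policy, route, acls):
    """policy: list of (node_number, mode, [acl names]). Returns (result, node)."""
    # Assumption: nodes are tried in ascending node-number order.
    for number, mode, clauses in sorted(policy):
        # if-match clauses are ANDed; a node with no clauses matches every route.
        if all(clause_satisfied(c, route, acls) for c in clauses):
            return mode, number  # permit: apply clauses run; deny: route stops here
    return "deny", None  # matched no node: the route cannot pass the policy

def missing_acl_refs(policy, acls):
    """Audit helper: (node, acl) pairs whose if-match clause names an undefined ACL."""
    return [(n, c) for n, _mode, clauses in sorted(policy)
            for c in clauses if c not in acls]

# Constructed policy: node 10 denies 10.0.0.0/8; node 20 was meant to permit only
# routes in ACL 2002, but ACL 2002 was never created, so node 20 permits every
# route that reaches it.
POLICY = [(10, "deny", ["2000"]), (20, "permit", ["2002"])]

if __name__ == "__main__":
    for r in ("10.1.2.0/24", "172.16.5.0/24"):
        print(r, evaluate(POLICY, r, ACLS))
    print("undefined ACL references:", missing_acl_refs(POLICY, ACLS))
```

Running an audit like `missing_acl_refs` against an exported configuration before deployment catches mistyped or deleted ACL references that would otherwise turn a restrictive node into a match-all node.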
To configure if-match clauses for a routing policy:
Step 1591. Enter system view.
    Command: system-view
    Remarks: N/A
Step 1592. Enter routing policy view.
    Command: route-policy route-policy-name { deny | permit } node node-number
    Remarks: N/A