R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101
Policy-based routing configuration
Overview
Policy-based routing (PBR) is a routing mechanism based on user-defined policies. Unlike the
traditional destination-based routing mechanism, PBR lets you use a policy to route packets based
on the source address, packet length, and other criteria.
In general, PBR takes precedence over destination-based routing. PBR applies to the packets matching
the specified criteria, and other packets are forwarded through destination-based routing. However, if
PBR has a default outgoing interface (next hop) configured, destination-based routing takes precedence
over PBR.
Defining a policy
A policy contains several nodes. Each node comprises some if-match and apply clauses.
1. if-match clause
An if-match clause specifies which packets are to be forwarded through PBR. There is an AND
relationship between the if-match clauses of a node: a packet must satisfy all the criteria defined by the
if-match clauses of the node before the apply clauses of the node are executed to forward it. Currently,
two types of if-match clauses are available: the if-match packet-length clause and the if-match acl clause.
2. apply clause
An apply clause defines the action performed on the packets matching the criteria of this node. At present,
PBR provides five types of apply clauses: apply IP precedence, apply output interface, apply IP address
nexthop, apply default output interface, and apply IP address default nexthop.
The priorities of the apply clauses are in the following descending order:
• apply ip-precedence: If configured for public network forwarding, this clause will always be
executed.
• apply output-interface and apply ip-address next-hop: The apply output-interface clause takes
precedence over the apply ip-address next-hop clause. This means that only the apply
output-interface clause will be executed when both are configured.
• apply default output-interface and apply ip-address default next-hop: The apply default
output-interface clause takes precedence over the apply ip-address default next-hop clause. This
means that only the apply default output-interface clause is executed when both are configured.
They take effect only when no outgoing interface or next hop is defined for the packets, or when the
defined outgoing interface or next hop is invalid and the destination address does not match any
route in the routing table.
3. Node
There is an OR relationship between nodes of the policy. If a packet matches a node, it satisfies the policy.
A packet not passing any node of a policy cannot pass the policy.
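The following is an added example, not part of the HP guide, that models the decision rules above in Python: AND between the if-match clauses of a node, OR between nodes, a permit or deny match mode per node, the apply clause precedence (output interface over next hop), and the default clauses being used only when destination-based routing has no route. The dictionary layout, the clause names and the sample policy, routing table and addresses are all constructed for illustration and are not the device's CLI syntax.

```python
import ipaddress

def match_clause(clause, pkt):       # one if-match clause; a node ANDs all of its clauses
    kind, arg = clause
    if kind == "packet-length":      # if-match packet-length: inclusive min/max
        return arg[0] <= pkt["length"] <= arg[1]
    if kind == "acl":                # if-match acl: list of permitted source prefixes
        return any(ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(p) for p in arg)
    raise ValueError(f"unknown if-match clause: {kind}")

def lookup_route(pkt, routing_table):  # destination-based routing: longest-prefix match
    dst, best = ipaddress.ip_address(pkt["dst"]), None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None     # None when the destination has no route

def forward(policy, pkt, routing_table, reachable):
    """Return (egress, how); reachable = interfaces/next hops that are currently valid."""
    for node in policy:                # OR between nodes: the first matching node decides
        if not all(match_clause(c, pkt) for c in node["if_match"]):
            continue
        if node["mode"] == "deny":     # a matching deny node means PBR is not applied
            break
        apply = node["apply"]
        if "ip-precedence" in apply:   # always executed when configured
            pkt["precedence"] = apply["ip-precedence"]
        # output-interface is preferred over next-hop when both are configured
        egress = apply.get("output-interface", apply.get("next-hop"))
        if egress in reachable:
            return egress, "pbr"
        # no valid PBR egress: routing table first, default clauses only if no route
        route = lookup_route(pkt, routing_table)
        if route is not None:
            return route, "destination routing"
        default = apply.get("default-output-interface", apply.get("default-next-hop"))
        if default in reachable:
            return default, "pbr default"
        return None, "no route"
    return lookup_route(pkt, routing_table), "destination routing"

# Constructed sample: deny short packets from 10/8, steer the rest of 10/8 via GE0/1
POLICY = [
    {"mode": "deny", "if_match": [("acl", ["10.0.0.0/8"]), ("packet-length", (0, 100))], "apply": {}},
    {"mode": "permit", "if_match": [("acl", ["10.0.0.0/8"])],
     "apply": {"ip-precedence": 5, "output-interface": "GE0/1", "next-hop": "192.0.2.1",
               "default-next-hop": "192.0.2.254"}}]
ROUTES = [("198.51.100.0/24", "192.0.2.2")]   # constructed; deliberately no default route
```

Running `forward(POLICY, pkt, ROUTES, reachable)` with the interface GE0/1 removed from `reachable` shows the fallback order: a destination with a route is forwarded by the routing table, and only a destination with no route uses the default next hop.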
When configuring policy nodes, you must specify the match mode as permit or deny: