Configuring PBR, Defining a policy – H3C Technologies H3C S12500 Series Switches User Manual
Configuring PBR
Defining a policy
Follow these guidelines when you define a policy:
• If an ACL match criterion is defined, do not configure deny action for the specified ACL rules.
• If the specified ACL does not exist, no packet is matched.
• If packets that match a policy node do not need to be forwarded according to PBR, specify deny match mode for the policy node.
• The rule you add to an ACL that has been used by a policy cannot take effect if hardware resources are insufficient or the policy does not support the rule. Such rules are marked as uncompleted in the output from the display acl { acl-number | all | name acl-name } slot slot-number command. To successfully apply the rule, you must delete the rule and reconfigure it when hardware resources are sufficient. For more information about the display acl command, see ACL and QoS Command Reference.
• You can configure two next hops by using the apply ip-address next-hop command twice (first case) or once (second case). After that, executing the apply ip-address next-hop command with a new next hop will replace the earlier configured next hop in the first case, or will replace the second next hop specified in the second case. To remove both next hops, execute the apply ip-address next-hop command again by specifying two next hops.
• If a policy node has no if-match clause configured, all packets can match the policy node. However, an action is taken according to the match mode, and the packets will not go to the next policy node for a match.
• If a permit-mode policy node has no apply clause configured, packets matching an if-match clause of the node can pass the policy node, and no action is taken. The matching packets will not go to the next policy node for a match, and will be forwarded according to the routing table.
• If a policy node has neither if-match nor apply clauses configured, all packets can match the policy node. However, no action is taken. The packets will not go to the next policy node for a match, and will be forwarded according to the routing table.
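Several of the guidelines above describe node states in which traffic silently falls back to routing-table forwarding or never reaches a later node. The following Python audit is an added example, not part of the H3C manual; it flags those states in a constructed policy listing. It assumes the configuration layout shown in SAMPLE, that nodes of a policy are tried in ascending node-number order, and that the caller supplies the set of ACL numbers that exist; the function names and finding labels are hypothetical.

```python
import re

NODE_RE = re.compile(r"^policy-based-route (\S+) (deny|permit) node (\d+)$")

# Constructed sample, using only command forms that appear on this page.
SAMPLE = """\
policy-based-route inspect permit node 10
 if-match acl 3000
 apply ip-precedence 5
policy-based-route inspect permit node 20
 if-match acl 3999
 apply ip-precedence 3
policy-based-route inspect permit node 30
 if-match acl 3001
policy-based-route inspect deny node 40
policy-based-route inspect permit node 50
 if-match acl 3000
 apply ip-precedence 1
"""

def parse_nodes(config):
    """Collect each policy node with its if-match ACL and apply clauses."""
    nodes = []
    for raw in config.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            nodes.append({"policy": m[1], "mode": m[2], "node": int(m[3]),
                          "acl": None, "apply": []})
        elif nodes and line.startswith("if-match acl "):
            nodes[-1]["acl"] = int(line.split()[2])
        elif nodes and line.startswith("apply "):
            nodes[-1]["apply"].append(line)
    return nodes

def audit(config, defined_acls):
    """Return ((policy, node), issue) findings derived from the guidelines."""
    findings, shadowed = [], set()
    # Assumption: nodes of one policy are tried in ascending node-number order.
    for n in sorted(parse_nodes(config), key=lambda n: (n["policy"], n["node"])):
        tag = (n["policy"], n["node"])
        if n["policy"] in shadowed:       # an earlier node already matches all packets
            findings.append((tag, "unreachable"))
            continue
        if n["acl"] is None:              # no if-match: all packets match, matching stops here
            findings.append((tag, "catch-all"))
            shadowed.add(n["policy"])
        elif n["acl"] not in defined_acls:  # nonexistent ACL: no packet is matched
            findings.append((tag, "missing-acl"))
            continue
        if n["mode"] == "permit" and not n["apply"]:  # match, then routing-table forwarding
            findings.append((tag, "permit-no-apply"))
    return findings
```

Calling audit(SAMPLE, {3000, 3001}) reports node 20 (ACL 3999 does not exist), node 30 (permit with no apply clause), node 40 (matches everything) and node 50 (never evaluated).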
To define a policy:
Step                                    Command                                                            Remarks
1. Enter system view.                   system-view                                                        N/A
2. Create a policy or policy node and   policy-based-route policy-name [ deny | permit ] node node-number  N/A
   enter PBR policy node view.
3. Define an ACL match criterion.       if-match acl acl-number                                            Optional.
4. Set a VPN instance.                  apply access-vpn vpn-instance vpn-instance-name                    Optional.
5. Set an IP precedence.                apply ip-precedence value                                          Optional.