Configuring policy-based routing, Overview, Defining a policy – H3C Technologies H3C SecPath F1000-E User Manual
Configuring policy-based routing
Overview
Policy-based routing (PBR) is a routing mechanism based on user-defined policies. Different from the
traditional destination-based routing mechanism, PBR enables you to use a policy to route packets based
on the source address, packet length, and other criteria. You can specify the VPN instance, packet
priority, outgoing interface, next hop, default outgoing interface, default next hop, and other parameters
to guide the forwarding of packets that match specific ACLs or have specific lengths.
In general, PBR takes precedence over destination-based routing: packets that match the policy are
forwarded according to the policy, and all other packets are forwarded by destination-based routing.
The exception is a node whose forwarding action is only a default outgoing interface or default next
hop. For packets matching such a node, destination-based routing is tried first, and the default action
is used only when the routing table has no route to the destination.
Defining a policy
A policy contains several nodes and each node comprises some if-match and apply clauses.
1. if-match clause
An if-match clause specifies which packets are to be forwarded through PBR. There is an AND
relationship between the if-match clauses of a node. If a packet satisfies all the criteria defined by
the if-match clauses of the node, the apply clauses of the node are executed to forward packets.
Currently, two types of if-match clauses are available: if-match packet-length clause and if-match
acl clause.
2. apply clause
An apply clause defines the action performed on the packets matching the criteria of this node. At
present, PBR provides five types of apply clauses: apply IP precedence, apply output interface,
apply IP address nexthop, apply default output interface, and apply IP address default nexthop.
The priorities of the apply clauses are in the following descending order:
- apply ip-precedence. If configured for public network forwarding, this clause is always
executed.
- apply output-interface and apply ip-address next-hop. The apply output-interface clause takes
precedence over the apply ip-address next-hop clause, so only the apply output-interface clause is
executed when both are configured.
- apply default output-interface and apply ip-address default next-hop. The apply default
output-interface clause takes precedence over the apply ip-address default next-hop clause, so
only the apply default output-interface clause is executed when both are configured. These two
clauses take effect only when no outgoing interface or next hop is defined for the packets, or the
defined outgoing interface or next hop is invalid, and the destination address does not match any
route in the routing table.
3. Node
There is an OR relationship between nodes of the policy. That is, if a packet matches a node, it
satisfies the policy. A packet not passing any node of a policy cannot pass the policy.
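The following policy is an added example, not configuration from this manual page, written in the Comware V5 command syntax used by this product family. The policy name, ACL numbers, addresses, and interface names are hypothetical. It shows the AND relationship between if-match clauses inside node 10, the OR relationship between nodes 10 and 20, and the difference between a next hop (node 10) and a default next hop (node 20):

```text
# Constructed ACL: HTTP from the 10.1.1.0/24 LAN. Keep it narrow: a matching
# packet bypasses the routing table, so "rule 0 permit ip" here would redirect
# all traffic entering GigabitEthernet0/2 to 192.168.10.2.
acl number 3001
 rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq 80
quit
# Constructed ACL: all traffic from the 10.1.2.0/24 subnet.
acl number 3002
 rule 0 permit ip source 10.1.2.0 0.0.0.255
quit
# Node 10: a packet must match ACL 3001 AND have a length of 64 to 1500 bytes.
# The next hop overrides destination-based routing. If apply output-interface
# were also configured, it would take precedence and this next hop would be
# ignored.
policy-based-route pbr1 permit node 10
 if-match acl 3001
 if-match packet-length 64 1500
 apply ip-precedence 5
 apply ip-address next-hop 192.168.10.2
quit
# Node 20: only a default next hop, so destination-based routing is tried
# first and 192.168.20.2 is used only when the routing table has no route.
policy-based-route pbr1 permit node 20
 if-match acl 3002
 apply ip-address default next-hop 192.168.20.2
quit
# A packet that fails node 10 is tested against node 20 (OR between nodes);
# one that matches neither node is forwarded by destination-based routing.
interface GigabitEthernet0/2
 ip policy-based-route pbr1
quit
```

The policy only affects packets received on GigabitEthernet0/2; packets originated by the firewall itself are not subject to it unless local PBR is applied separately.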