Network requirements, Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual
NOTE:
• If a policy has a node with no if-match or apply clause configured, all packets can pass the policy. However, no action is taken and the packets will not go to the next policy node for a match. The statistics of PBR will be changed.
• If a policy node has if-match clauses but no apply clauses configured, packets will match against these if-match clauses. However, no apply clauses are applicable to the permitted packets, and the packets will not go to the next policy node for a match. The statistics of PBR will be changed.
• If a policy node has no if-match clause but apply clauses configured, all packets can pass the policy, and then are forwarded according to the apply clauses if the permit keyword is specified for the node, or are denied if the deny keyword is specified. The packets will not go to the next policy node for a match. The statistics of PBR will be changed.
• If the match mode of a policy node is deny, no apply clause will be executed for the packets satisfying all the if-match clauses, and the packets will not go to the next policy node for a match. They will be forwarded according to the routing table instead. Neither debugging information nor statistics for the deny match mode can be displayed.
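The NOTE cases above as a configuration check, added here as an example and not taken from the H3C manual: it parses policy-based-route nodes written in the command form this manual uses, labels each node with the case that governs it, and marks nodes that follow a node without if-match clauses, which per the NOTE no packet reaches. It assumes nodes are evaluated in ascending node number and that the match mode is written explicitly; the case labels and function names are illustrative.

```python
import re

# Constructed sample in this page's prompt/command form; nodes 10 and 20,
# ACL 3102 and next hop 1.1.3.2 are invented to exercise the NOTE cases.
SAMPLE = """\
[SecPath] policy-based-route aaa permit node 5
[SecPath-pbr-aaa-5] if-match acl 3101
[SecPath-pbr-aaa-5] apply ip-address next-hop 1.1.2.2
[SecPath-pbr-aaa-5] quit
[SecPath] policy-based-route aaa permit node 10
[SecPath-pbr-aaa-10] apply ip-address next-hop 1.1.3.2
[SecPath] policy-based-route aaa deny node 20
[SecPath-pbr-aaa-20] if-match acl 3102
"""
NODE_RE = re.compile(r"policy-based-route (\S+) (permit|deny) node (\d+)$")

def parse(text):
    """Return {policy: {node_id: {"mode", "if-match", "apply"}}}."""
    policies, cur = {}, None
    for raw in text.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop the CLI prompt
        m = NODE_RE.match(cmd)
        if m:
            cur = policies.setdefault(m[1], {}).setdefault(
                int(m[3]), {"mode": m[2], "if-match": [], "apply": []})
        elif cur is not None and cmd.split(" ")[0] in ("if-match", "apply"):
            cur[cmd.split(" ")[0]].append(cmd)
    return policies

def classify(node):
    """Map one node to the NOTE case that governs it."""
    if not node["if-match"]:
        if not node["apply"]:
            return "catch-all-no-action"
        return "catch-all-apply" if node["mode"] == "permit" else "catch-all-deny"
    if node["mode"] == "deny":
        return "deny-routing-table"
    return "match-apply" if node["apply"] else "match-no-action"

def audit(text):
    """Return [(policy, node_id, case, shadowed)] per policy, in node order."""
    out = []
    for name, nodes in parse(text).items():
        shadowed = False  # True once an earlier node has no if-match clause
        for nid in sorted(nodes):  # assumption: ascending node number
            case = classify(nodes[nid])
            out.append((name, nid, case, shadowed))
            shadowed = shadowed or case.startswith("catch-all")
    return out
```

Calling audit(SAMPLE) reports node 10 as a catch-all node and node 20 as shadowed by it; a deny-routing-table result is also worth reviewing because the NOTE states that no statistics or debugging output exist for deny nodes.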
Configuring local PBR based on packet type at the CLI
Network requirements
Configure PBR on SecPath so that all TCP packets are forwarded via GigabitEthernet 0/1 and other packets are forwarded according to the routing table.
SecPath is directly connected to Router A and Router B. Router A and Router B cannot reach each other.
Figure 314 Network diagram
Configuration procedure
1. Configure SecPath:
# Define ACL 3101 to match TCP packets.
[SecPath] acl number 3101
[SecPath-acl-adv-3101] rule permit tcp
[SecPath-acl-adv-3101] quit
# Define Node 5 of policy aaa, so that TCP packets are forwarded via GigabitEthernet 0/1.
[SecPath] policy-based-route aaa permit node 5
[SecPath-pbr-aaa-5] if-match acl 3101
[SecPath-pbr-aaa-5] apply ip-address next-hop 1.1.2.2
[SecPath-pbr-aaa-5] quit
# Apply policy aaa to SecPath.