Creating a routing policy, Defining if-match clauses – H3C Technologies H3C SecPath F1000-E User Manual
node, or go to the next node. If route information cannot match all the if-match clauses of the node,
it will go to the next node for a match.
• When a routing policy has more than one node, at least one node should be configured with the permit keyword. If the routing policy is used to filter routing information, routing information that does not match any node cannot pass the routing policy. If all nodes of the routing policy are set with the deny keyword, no routing information can pass it.
Creating a routing policy
Step                                          Command
1. Enter system view.                         system-view
2. Create a routing policy, specify a node    route-policy route-policy-name { deny | permit } node node-number
   for it and enter routing policy view.
Defining if-match clauses
Follow these guidelines when you define if-match clauses:
• The if-match clauses of a routing policy node are in a logical AND relationship. Routing information must satisfy all of the node's if-match clauses before the node's apply clauses are executed on it. If an if-match command exceeds the maximum length, multiple identical if-match clauses are generated. These clauses are in a logical OR relationship. Routing information only needs to match one of them.
• You can specify any number of if-match clauses for a routing policy node. If no if-match clause is specified, and the routing policy node is in permit mode, all routing information can pass the node. If it is in deny mode, no routing information can pass it.
• If the ACL referenced by an if-match clause does not exist, the clause is always satisfied; if no rules of the referenced ACL are matched or the matching rule is inactive, the clause is not satisfied.
• An ACL specified in an if-match clause should be a non-VPN ACL.
• The if-match commands for matching IPv4 destination, next hop and source address are different from those for matching IPv6 ones.
• BGP does not support criteria for matching against outgoing interfaces of routing information.
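The guidelines above imply that an if-match clause pointing at an undefined ACL matches every route. The following Python model is an added example, not H3C code, and it shows that effect and how to audit for it. It assumes nodes are tested in ascending node-number order, models an ACL as a list of (prefix, active) rules without rule actions, and ignores apply clauses; all ACL numbers, prefixes and the policy are constructed.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the manual).
ACLS = {
    2000: [("10.0.0.0/8", True)],       # (prefix, rule is active)
    2001: [("192.168.0.0/16", False)],  # matching rule exists but is inactive
}
POLICY = [  # (node-number, mode, ACL numbers referenced by if-match clauses)
    (10, "deny",   [2000]),
    (20, "permit", [2001]),
    (30, "permit", [2999]),             # ACL 2999 is not defined anywhere
]

def clause_satisfied(acl_number, route, acls):
    """One if-match clause; a missing ACL is always satisfied (per the manual)."""
    if acl_number not in acls:
        return True
    net = ipaddress.ip_network(route)
    # Satisfied only if an active rule matches the route.
    return any(active and net.subnet_of(ipaddress.ip_network(prefix))
               for prefix, active in acls[acl_number])

def evaluate(policy, route, acls):
    """Return (passes, deciding node-number) for one route."""
    for number, mode, clauses in sorted(policy):  # assumed: ascending node order
        # Clauses of a node are ANDed; all() over an empty list is True,
        # which models a node without if-match clauses matching everything.
        if all(clause_satisfied(a, route, acls) for a in clauses):
            return mode == "permit", number
    return False, None  # matched no node: cannot pass the policy

def dangling_acl_refs(policy, acls):
    """Audit helper: (node-number, ACL) pairs that reference undefined ACLs."""
    return [(number, a) for number, _, clauses in sorted(policy)
            for a in clauses if a not in acls]

if __name__ == "__main__":
    for route in ("10.1.0.0/16", "192.168.1.0/24", "172.16.0.0/12"):
        print(route, evaluate(POLICY, route, ACLS))
    print("undefined ACL references:", dangling_acl_refs(POLICY, ACLS))
```

Running the audit helper against an exported configuration before applying a policy catches nodes that would otherwise match all routing information.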
To define if-match clauses:
Step                             Command                                                             Remarks
1. Enter system view.            system-view                                                         N/A
2. Enter routing policy view.    route-policy route-policy-name { deny | permit } node node-number   N/A