Policy-based routing configuration, Overview, Defining a policy – H3C Technologies H3C SecPath F1000-E User Manual
Policy-Based Routing Configuration
Overview
Policy-based routing (PBR) is a routing mechanism based on user-defined policies. Unlike the
traditional destination-based routing mechanism, PBR enables you to use policies based on the source
address, packet length, or other criteria to route packets flexibly.
In general, PBR takes precedence over destination-based routing. PBR is applied to the packets
matching the specified criteria, and other packets are forwarded through destination-based routing.
However, if PBR has a default outgoing interface (next hop) configured, destination-based routing takes
precedence over PBR.
Defining a Policy
A policy contains several nodes and each node comprises some if-match and apply clauses.
1. if-match clause
An if-match clause specifies which packets are to be forwarded through PBR. There is an AND
relationship between the if-match clauses of a node. If a packet satisfies all the criteria defined by the
if-match clauses of the node, the apply clauses of the node are executed to forward packets.
Currently, two types of if-match clauses are available: if-match packet-length clause and
if-match acl clause.
2. apply clause
An apply clause defines the action performed on the packets matching the criteria of this node. At
present, PBR provides five types of apply clauses: apply ip-precedence, apply output-interface,
apply ip-address next-hop, apply default output-interface, and apply ip-address
default next-hop.
The priorities of the apply clauses are in the following descending order:
• apply ip-precedence: If configured for public network forwarding, this clause will always be
executed.
• apply output-interface and apply ip-address next-hop: The apply output-interface
clause takes precedence over the apply ip-address next-hop clause. This means that only the
apply output-interface clause will be executed when both are configured.
• apply default output-interface and apply ip-address default next-hop: The apply
default output-interface clause takes precedence over the apply ip-address default
next-hop clause. This means that only the apply default output-interface clause is
executed when both are configured. They take effect only when no outgoing interface or next
hop is defined for packets, or the defined outgoing interface or next hop is invalid and the
destination address does not match any route in the routing table.
3. Node
There is an OR relationship between nodes of the policy. That is, if a packet matches a node, it satisfies
the policy. A packet not passing any node of a policy cannot pass the policy.
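The following Python model is an added example, not code from the manual or the device. It traces which forwarding decision a packet gets under the clause rules above, which helps when auditing whether traffic can leave through a PBR-selected egress instead of the routed path. Assumptions: nodes are tried in list order, a source network stands in for an if-match acl, the permit/deny match mode is not modeled, the default clauses are read as applying only when the routing table has no match (as the Overview states), and the names Node, forward, usable and SAMPLE_POLICY are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Node:
    # if-match clauses; None means "not configured". Configured ones are ANDed.
    src_net: Optional[str] = None              # stand-in for an if-match acl on source address
    length: Optional[Tuple[int, int]] = None   # if-match packet-length (min, max)
    # apply clauses
    out_if: Optional[str] = None               # apply output-interface
    next_hop: Optional[str] = None             # apply ip-address next-hop
    default_out_if: Optional[str] = None       # apply default output-interface
    default_next_hop: Optional[str] = None     # apply ip-address default next-hop

    def matches(self, src: str, length: int) -> bool:
        if self.src_net and ip_address(src) not in ip_network(self.src_net):
            return False
        if self.length and not self.length[0] <= length <= self.length[1]:
            return False
        return True

def forward(policy, src, length, route_exists, usable=lambda target: True):
    """Return (mechanism, target) for one packet."""
    # Nodes are ORed: the first node (list order, an assumption) that matches decides.
    node = next((n for n in policy if n.matches(src, length)), None)
    if node is None:
        return ("destination-based", None)
    # Only output-interface is executed when both it and next-hop are configured.
    primary = node.out_if or node.next_hop
    if primary and usable(primary):
        return ("pbr", primary)
    # Default clauses apply only if the routing table has no match either.
    if route_exists:
        return ("destination-based", None)
    default = node.default_out_if or node.default_next_hop
    return ("pbr-default", default) if default else ("no-route", None)

# Constructed sample policy (documentation addresses, hypothetical interface name).
SAMPLE_POLICY = [
    Node(src_net="10.1.0.0/16", out_if="GE0/1", next_hop="192.0.2.1"),
    Node(length=(64, 100), default_next_hop="198.51.100.1"),
]

if __name__ == "__main__":
    for args in [("10.1.2.3", 500, True), ("172.16.0.1", 80, True), ("172.16.0.1", 80, False)]:
        print(args, "->", forward(SAMPLE_POLICY, *args))
```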
When configuring policy nodes, you need to specify the match mode as permit or deny: