Using Access Control Lists (ACLs)

Specify the default next-hop IP address if there is no explicit next-hop selection for the packet.

Send the packet to the null interface (null0).

HP’s PBR routing is based on standard and extended ACLs and route-maps. The ACLs classify the traffic. Route maps that match on the ACLs set routing attributes for the traffic. HP's implementation of PBR uses high performance switching algorithms including route caches and route tables.

Configuring PBR

To configure PBR:

Configure ACLs that contain the source IP addresses for the IP traffic to which you want to apply PBR.

Configure a route map that matches on the ACLs and sets route information.

Apply the route map globally or to individual interfaces.

NOTE: All the procedures in the following sections are for the CLI.

Configure the ACLs

PBR uses route maps to change the routing attributes in IP traffic. This section shows an example of how to configure a standard ACL to identify the source sub-net for IP traffic.

To configure a standard ACL to identify a source sub-net, enter a command such as the following:

HP9300(config)# access-list 1 permit 209.157.23.0 0.0.0.255

The command in this example configures a standard ACL that permits traffic from sub-net 209.157.23.0/24. After you configure a route map that matches based on this ACL, the software uses the route map to set route attributes for the traffic, thus enforcing PBR.

NOTE: Do not use an access group to apply the ACL to an interface. Instead, use a route map to apply the ACL globally or to individual interfaces for PBR, as shown in the following sections.

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]

or

Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]

Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]

Syntax: [no] access-list <num> deny | permit any [log]

The <num> parameter is the access list number and can be from 1 – 99.

The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).

NOTE: If you are configuring the ACL for use in a route map, always specify permit. Otherwise, the routing switch drops the traffic instead of further processing the traffic using the route map.

The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.

NOTE: To specify the host name instead of the IP address, the host name must be configured using the HP device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.

The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
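The following added example (not part of the HP documentation or the switch software) models how the four standard-ACL forms above are parsed and how a source address is matched against <source-ip> <wildcard>, so that an ACL intended for a route map can be checked offline before it is applied. It assumes first-match-wins evaluation and does not model the switch's behaviour for traffic that matches no entry; host names are not resolved.

```python
import ipaddress

def _ip(text):
    """Dotted-decimal IPv4 string to int."""
    return int(ipaddress.IPv4Address(text))

def parse_acl_line(line):
    """Parse one standard-ACL line in the four syntax forms listed above.
    Returns (list_number, action, source, wildcard) with source and wildcard
    as ints. Assumption: sources are dotted-decimal, not host names."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL line: {line!r}")
    num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if not 1 <= num <= 99:
        raise ValueError("standard ACL numbers are 1-99")
    if rest and rest[-1] == "log":
        rest = rest[:-1]
    if rest == ["any"]:                       # any source
        source, wildcard = 0, 0xFFFFFFFF
    elif rest[0] == "host":                   # host <source-ip>
        source, wildcard = _ip(rest[1]), 0
    elif "/" in rest[0]:                      # <source-ip>/<mask-bits>
        net = ipaddress.IPv4Network(rest[0], strict=False)
        source, wildcard = int(net.network_address), int(net.hostmask)
    else:                                     # <source-ip> <wildcard>
        source, wildcard = _ip(rest[0]), _ip(rest[1])
    return num, action, source, wildcard

def matches(addr, source, wildcard):
    """Zero bits in the wildcard must match; one bits are don't-care."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (source & care)

def evaluate_acl(lines, addr):
    """First matching entry wins. Returns 'permit', 'deny', or None when no
    entry matches (end-of-list behaviour of the switch is not modelled).
    For a route-map ACL, 'deny' means the traffic is dropped instead of
    being policy-routed, which is why route-map ACLs should only permit."""
    for line in lines:
        _, action, source, wildcard = parse_acl_line(line)
        if matches(addr, source, wildcard):
            return action
    return None

# Constructed sample: the page's ACL entry plus the three other forms.
ACL_1 = [
    "access-list 1 permit 209.157.23.0 0.0.0.255",
    "access-list 1 permit 209.157.24.0/24",
    "access-list 1 permit host 10.1.1.1",
    "access-list 1 deny any log",
]
```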
