Using Access Control Lists (ACLs)
• Specify the default next-hop IP address if there is no explicit next-hop selection for the packet.
• Send the packet to the null interface (null0).
HP's PBR is based on standard and extended ACLs and route maps. The ACLs classify the traffic; route maps that
match on the ACLs set routing attributes for the traffic. HP's implementation of PBR uses high-performance
switching algorithms, including route caches and route tables.
Configuring PBR
To configure PBR:
• Configure ACLs that contain the source IP addresses for the IP traffic to which you want to apply PBR.
• Configure a route map that matches on the ACLs and sets route information.
• Apply the route map globally or to individual interfaces.
NOTE: All the procedures in the following sections are for the CLI.
Configure the ACLs
PBR uses route maps to change the routing attributes in IP traffic. This section shows an example of how to
configure a standard ACL to identify the source sub-net for IP traffic.
To configure a standard ACL to identify a source sub-net, enter a command such as the following:
HP9300(config)# access-list 1 permit 209.157.23.0 0.0.0.255
The command in this example configures a standard ACL that permits traffic from sub-net 209.157.23.0/24. After
you configure a route map that matches based on this ACL, the software uses the route map to set route attributes
for the traffic, thus enforcing PBR.
NOTE: Do not use an access group to apply the ACL to an interface. Instead, use a route map to apply the ACL
globally or to individual interfaces for PBR, as shown in the following sections.
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit any [log]
The <num> parameter is the access list number and can be from 1 – 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied
(dropped) or permitted (forwarded).
NOTE: If you are configuring the ACL for use in a route map, always specify permit. Otherwise, the routing
switch drops the traffic instead of further processing the traffic using the route map.
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE: To specify the host name instead of the IP address, the host name must be configured using the HP
device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the
global CONFIG level of the CLI.
The <wildcard> parameter specifies the mask value to compare against the host address specified by the
<source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format)
consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255
mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
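The following is an added example, not code from the HP manual or the switch firmware: it parses the four standard-ACL syntax forms shown above into a (source, wildcard) pair, applies the wildcard comparison exactly as described (zero bits must match, one bits are ignored), and checks whether an ACL is usable by a PBR route map (permit entries only). Hostnames and the log keyword are not handled, and the first-match-wins with an implicit deny at the end is assumed as the usual ACL behaviour, not something this page states.

```python
import ipaddress

def parse_acl_line(line: str):
    """Parse 'access-list <num> permit|deny ...' into (num, action, source_int, wildcard_int).

    Supports the forms: '<ip> <wildcard>', '<ip>/<mask-bits>', 'host <ip>' and 'any'.
    A trailing 'log' keyword is accepted and ignored (constructed model of the syntax above)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError("not a standard access-list line: %r" % line)
    num = int(parts[1])
    if not 1 <= num <= 99:
        raise ValueError("standard ACL number must be 1-99")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    rest = parts[3:]
    if rest[-1] == "log":
        rest = rest[:-1]
    if rest == ["any"]:                      # every source matches: all wildcard bits set
        return num, action, 0, 0xFFFFFFFF
    if rest[0] == "host":                    # exact host: wildcard 0.0.0.0
        return num, action, int(ipaddress.IPv4Address(rest[1])), 0
    if "/" in rest[0]:                       # prefix form: wildcard is the host mask of the prefix
        net = ipaddress.IPv4Network(rest[0], strict=False)
        return num, action, int(net.network_address), int(net.hostmask)
    src = int(ipaddress.IPv4Address(rest[0]))
    wildcard = int(ipaddress.IPv4Address(rest[1]))
    return num, action, src, wildcard

def wildcard_match(packet_src: str, source_ip: int, wildcard: int) -> bool:
    """Bits that are 0 in the wildcard must equal <source-ip>; bits that are 1 match anything."""
    pkt = int(ipaddress.IPv4Address(packet_src))
    return ((pkt ^ source_ip) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate_acl(entries, packet_src: str) -> str:
    """First matching entry decides; assumed implicit deny when nothing matches."""
    for _num, action, src, wc in entries:
        if wildcard_match(packet_src, src, wc):
            return action
    return "deny"

def suitable_for_route_map(entries) -> bool:
    """Per the NOTE above: an ACL referenced by a PBR route map must contain only permit entries."""
    return all(action == "permit" for _num, action, _src, _wc in entries)

if __name__ == "__main__":
    acl = [parse_acl_line("access-list 1 permit 209.157.23.0 0.0.0.255")]
    print(evaluate_acl(acl, "209.157.23.77"), evaluate_acl(acl, "209.157.24.1"))
```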