ip access-list route

ip access-list route <name>
  <source> <destination> <service> forward|route {ipsec-map <name>}|{next-hop-list <name>}|{tunnel <tunnel-id>}|{tunnel-group <name>} [position <number>]
  ipv6 <source> <destination> <service> forward|route {next-hop-list <name>} [position <number>]
  no …

Description

This command configures an ACL for PBR.

PBR is an optional feature that allows packets to be routed based on ACLs configured by the administrator. By default, when a managed device receives a packet for routing, it looks up the destination IP in the routing table and forwards the packet to the nexthop router. If PBR is configured, the nexthop device can be chosen based on a defined ACL.

In a typical deployment with multiple uplinks, the default route uses only one of the uplinks to forward packets. If that nexthop becomes unreachable, packets cannot reach their destination. If your deployment uses nexthop-list-based PBR, any of the uplink nexthops can be used to forward traffic. This requires that all PBR nexthops have valid ARP entries (route cache) in the system.

IPv6 PBR does not support WAN uplink functionality.

Parameter    Description

route <name>
  Define a route access list, where <name> is the access list name.

<source>
  The traffic source, which can be one of the following:

  • alias <name>: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
  • any: match any traffic
  • description: brief description of this route ACL (up to 128 characters in quotes)
  • host: specify a single host IP address
  • localip: specify the local IP address to match traffic
  • network: specify the IP address and netmask
  • no: negate a command
  • user: represents the IP address of the user

  Note: Only the any, host, and network options are supported for IPv6 addresses.

  Note: You cannot configure IPv6 multicast, link-local, unspecified, loopback, and subnet anycast addresses as IPv6 source addresses.

<destination>
  The traffic destination, which can be one of the following:

  • alias <name>: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
  • any: match any traffic
  • description: brief description of this route ACL (up to 128 characters in quotes)
  • host: specify a single host IP address
  • localip: specify the local IP address to match traffic
  • network: specify the IP address and netmask
  • user: represents the IP address of the user

  Note: Only the any, host, and network configuration options are supported for IPv6 addresses.

  Note: You cannot configure IPv6 multicast, link-local, unspecified, loopback, and subnet anycast addresses as IPv6 destination addresses.

<service>
  Network service to which the ACL is applied. The service can be one of the following:

  • any: match any traffic
  • app <name>: application name (for a complete list of supported applications, issue the command show dpi application all)
  • appcategory <name>: application category name (for a complete list of supported applications, issue the command show dpi application all)
  • icmp: Internet Control Message Protocol
  • tcp <0-65535>: TCP destination port number (0-65535)
  • tcpsource <0-65535>: TCP source port number (0-65535)
  • udp <0-65535>: UDP destination port number (0-65535)
  • udpsource <0-65535>: UDP source port number (0-65535)
  • <0-255>: IP protocol number (0-255)
  • <netservice>: name of a network service (use the show netservice command to see configured services)

  Note: Only the any configuration option is supported for IPv6 addresses.

forward|route {…}
  Action if the rule is applied, which can be one of the following:

  • forward: Explicitly define an ACL with a forward action to skip PBR for traffic that would otherwise match another PBR rule.
  • route ipsec-map <name>: Packets are redirected over a VPN tunnel identified by the IPsec map name. For more information on IPsec maps, see crypto-local ipsec-map.
  • route next-hop-list <name>: Packets can be routed to a nexthop router on a nexthop list identified by the nexthop list name. For more information on nexthop lists, see ip nexthop-list.
  • route tunnel <tunnel-id>: Packets can be redirected over an L3 GRE tunnel.
  • route tunnel-group <name>: Packets can be redirected over an L3 GRE tunnel group. For more information on tunnel groups, see tunnel-group.
  • [position <number>]: (Optional) Specifies the position of the forward or route rule (1 is the first; the default is the last).

  Note: Only the route next-hop-list configuration option is supported for IPv6 addresses.

Example

The following command configures a routing access list using an IPsec map.

(host) [mynode] (config) #ip access-list route pbr1

(host) [mynode] (config-submode) #any any udp 100 route ipsec-map VPN1

The following command configures IPv6 rules in a routing access list using a next-hop list:

(host) [mynode] (config) #ip access-list route pbr2

(host) [mynode] (config-submode) #ipv6 any any any route next-hop-list new

A PBR ACL can have both IPv4 and IPv6 rules.
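The following is an added example, not from the original reference, showing how rule ordering and the forward action interact in one route ACL. The ACL name pbr-uplinks, the nexthop lists WAN-NH and WAN-NH6, the IPsec map DNS-VPN and the 10.0.0.0/8 internal network are all assumed to exist for illustration; lines beginning with ! are annotations, not CLI input.

```text
(host) [mynode] (config) #ip access-list route pbr-uplinks
(host) [mynode] (config-submode) #description "Spread Internet traffic across uplinks; keep internal traffic on the routing table"
! Rule 1: destinations inside the assumed internal network 10.0.0.0/8 get an explicit
! forward action, so they skip PBR even though they would match the catch-all rule below.
(host) [mynode] (config-submode) #any network 10.0.0.0 255.0.0.0 any forward
! Rule 2: all remaining traffic is steered to the nexthop list WAN-NH (assumed to be
! defined with ip nexthop-list); the list is only useful if every nexthop has a valid ARP entry.
(host) [mynode] (config-submode) #any any any route next-hop-list WAN-NH
! A rule added later with position 1 is evaluated before both rules above: DNS queries
! (UDP destination port 53) are pinned to the IPsec map DNS-VPN (assumed) regardless of destination.
(host) [mynode] (config-submode) #any any udp 53 route ipsec-map DNS-VPN position 1
! IPv6 rules live in the same ACL but may only use any/host/network and route next-hop-list;
! WAN-NH6 is an assumed ipv6 nexthop-list.
(host) [mynode] (config-submode) #ipv6 any any any route next-hop-list WAN-NH6
```

The resulting IPv4 evaluation order is: UDP/53 to DNS-VPN, internal destinations forwarded by the routing table, everything else to WAN-NH; without the position keyword the DNS rule would sit last and never match, because rule 2 already catches all traffic.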

Related Commands

Command              Description

interface vlan       This command associates a routing ACL with a specific VLAN.

ip nexthop-list      This command defines a next-hop list for IPv4 addresses in policy-based routing.

ipv6 nexthop-list    This command defines a next-hop list for IPv6 addresses in policy-based routing.

Command History

Release            Modification

ArubaOS 8.8.0.0    A new sub-parameter is added to capture a brief description of the route ACL.

ArubaOS 8.6.0.0    The following configuration options were included under the ipv6 parameter:

                   • any
                   • host
                   • network
                   • route next-hop-list

ArubaOS 8.0.0.0    Command introduced.

Command Information

Platforms        License                      Command Mode

All platforms    Requires the PEFNG license.  Config mode on Mobility Conductor.