Policy

A policy includes match criteria and actions to be taken on the matching packets. A policy can have one or multiple nodes as follows:

Each node is identified by a node number. A smaller node number has a higher priority.
A node contains if-match and apply clauses. An if-match clause specifies a match criterion, and an apply clause specifies an action.
A node has a match mode of permit or deny.

A policy compares packets with nodes in priority order. If a packet matches the criteria on a node, it is processed by the action on the node. Otherwise, it goes to the next node for a match. If the packet does not match the criteria on any node, it is forwarded according to the routing table.

if-match clause

PBR supports the following types of if-match clauses:

if-match acl—Sets an ACL match criterion.
if-match service-chain—Sets a service chain match criterion. For more information about service chain, see Service Chain Configuration Guide.

On a node, you can specify multiple types of if-match clauses, but only one if-match clause for each type.

To match a node, a packet must match all types of the if-match clauses for the node but only one if-match clause for each type.

apply clause

PBR supports the types of apply clauses shown in Table 23. You can specify multiple apply clauses for a node, but some of them might not be executed. The following apply clauses determine the packet forwarding paths in a descending order:

apply next-hop
apply output-interface
apply default-next-hop

Table 23: Priorities and meanings of apply clauses

Clause	Meaning	Priority
apply precedence	Sets an IP precedence.	This clause is always executed.
apply next-hop and apply output-interface	Sets next hops and sets output interfaces.	Only the apply next-hop clause is executed when both are configured.
apply service-chain	Sets the service chain information.	For this clause to take effect, make sure you have specified a reachable next hop in the apply next-hop clause.
apply default-next-hop	Sets the default next hop.	This clause takes effect only when no next hop is set or the next hop is invalid, and the packet does not match any route in the routing table.

Relationship between the match mode and clauses on the node

Does a packet match all the if-match clauses on the node?	Match mode
	Permit	Deny
Yes.	If the node is configured with apply clauses, PBR executes the apply clauses on the node. If the PBR-based forwarding succeeds, PBR does not compare the packet with the next node. If the PBR-based forwarding fails, PBR does not compare the packet with the next node. If the node is configured with no apply clauses, the packet is forwarded according to the routing table.	The packet is forwarded according to the routing table.
No.	PBR compares the packet with the next node.	PBR compares the packet with the next node.

A node that has no if-match clauses matches any packet.

prev	up	next
Overview	home	PBR and Track