Configuring Policy-based Route

Policy Based Route (PBR) is designed to select a router and forward data based on the source IP address, destination IP address and service type of a packet.

Creating a Policy-based Route and PBR Rule

To create a policy-based route and PBR rule, take the following steps:

  1. On the Navigation pane, click Configuration > Network > Routing to visit the Routing page.
  2. From the Virtual Router drop-down list, select a Virtual Router for the new route.
  3. On the Policy-based Route tab, click New.
  4. Select Policy-based Route from the drop-down list.
  5. On the Basic tab in the Policy-based Route Configuration dialog, configure basic options for the route.
    Option Description
    PBR name Specifies a name for the policy-based route.
    Bind to Binds the policy-based route to a zone or interface. Select a zone or interface from the drop-down list.
    Schedule Specifies a schedule for the policy-based route.
    Description Type information about the PBR rule.
  6. On the Source tab, configure source address options for the PBR rule. The source address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option Description
    Type IP address: To specify a source address type of "IP address", click this option button and type the IP address and netmask into the IP address and Netmask box respectively.
    Host name: To specify a source address type of "host name", click this option button and type the host name into the Host name box.
    IP range: To specify a source address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
    Address entry: To specify a source address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add Click Add to add the source address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete Select the entry you want to delete from the list, and click Delete.
  7. On the Role/User/User group tab, configure source user options for the PBR rule. The source user for the PBR rule can be an arbitrary combination between role, user and user group.
    Option Description
    User type Role: To specify a source user type of "Role", click this option button and select a role from the Role drop-down list.
    User: To specify a source user type of "User", click this option button and select an AAA server and username from the AAA server and Username drop-down list respectively.
    User group: To specify a source user type of "User group", click this option button and select an AAA server and user group name from the AAA server and User group name drop-down list respectively.
    Add Click Add to add the source user entry to the system. All the entries that have been added will be displayed in the list below.
    Delete Select the entry you want to delete from the list, and click Delete.
  8. On the Destination tab, configure destination address options for the PBR rule. The destination address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option Description
    Type IP address: To specify a destination address type of "IP address", click this option button and type the IP address and netmask into the IP address and Netmask box respectively.
    Host name: To specify a destination address type of "host name", click this option button and type the host name into the Host name box.
    IP range: To specify a destination address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
    Address entry: To specify a destination address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add Click Add to add the destination address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete Select the entry you want to delete from the list, and click Delete.
  9. On the Service tab, configure service type for the PBR rule. The service type for the PBR rule can be an arbitrary combination between pre-defined service, user-defined service and service group. To add a service, select a service or service group in the Available list, and click to add to the Selected list. To delete a service or service group, select the service or service group in the Selected list, and click .
  10. On the Application tab, configure application type for the PBR rule. The application type for the PBR rule can be an arbitrary combination between pre-defined applications, user-defined applications and application groups. To add an application, select an application or application group in the Available list, and click to add to the Selected list. To delete an application or application group, select the application or application group in the Selected list, and click .
  11. On the Next hop tab, configure the next hop of the policy-based route. The next hop can be an arbitrary combination among IP address, interface, virtual routers in the current VSYS and virtual routers in other VSYS.
    Option Description
    Next hop IP address: Check the radio button to specify an IP address as the next hop. Type the IP address into the IP address text box and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Interface: Check the radio button to specify an interface as the next hop. Select an interface from the Interface drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Virtual Router in current VSYS: Check the radio button to specify a virtual router in the current VSYS as the next hop. Select a virtual router from the Virtual Router drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Virtual Router in other VSYS: Check the radio button to specify a virtual router outside the current VSYS as the next hop. Select a virtual router from the Virtual Router drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Add Click to add the specified next hop.
    Delete Select next-hop entries from the next hop table and click this button to delete.
  12. Click OK to save your settings.

Adding a PBR Rule

To add a rule for an existing policy-based route, take the following steps:

  1. On the Navigation pane, click Configuration > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, click New.
  3. Select PBR Rule from the drop-down list.
  4. On the Basic tab in the Rule Configuration dialog, configure basic options for the route.
    Option Description
    PBR name Select an existing policy-based route from the drop-down list.
    Schedule Specifies a schedule for the PBR rule.
    Description Type information about the PBR rule.
    Option Description
    PBR name Specifies a name for the policy-based route.
    Set next hop Specifies a next hop for the PBR rule. Select the Set next hop check box, and then specify the type of the next hop in the box below, including:
    • IP address: Type the IP address into the box, and the type of next hop will be an IP address.
    • Interface: Select an interface from the drop-down list, and the type of next hop will be an interface.
    Description Type information about the PBR rule.
    Bind to Binds the policy-based rule to an interface or zone. Select an interface or zone from the drop-down list.
  5. On the Source tab, configure source address options for the PBR rule. The source address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option Description
    Type IP address: To specify a source address type of "IP address", click this option button and type the IP address and netmask into the IP and Netmask box respectively.
    Host name: To specify a source address type of "host name", click this option button and type the host name into the Host name box.
    IP range: To specify a source address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
    Address entry: To specify a source address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add Click Add to add the source address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete Select the entry you want to delete from the list, and click Delete.
  6. On the Role/User/User group tab, configure source user options for the PBR rule. The source user for the PBR rule can be an arbitrary combination between role, user and user group.
    Option Description
    User type Role: To specify a source user type of "Role", click this option button and select a role from the Role drop-down list.
    User: To specify a source user type of "User", click this option button and select an AAA server and username from the AAA server and Username drop-down list respectively.
    User group: To specify a source user type of "User group", click this option button and select an AAA server and user group name from the AAA server and User group name drop-down list respectively.
    Add Click Add to add the source user entry to the system. All the entries that have been added will be displayed in the list below.
    Delete Select the entry you want to delete from the list, and click Delete.
  7. On the Destination tab, configure destination address options for the PBR rule. The destination address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option Description
    Type IP address: To specify a destination address type of "IP address", click this option button and type the IP address and netmask into the IP address and Netmask box respectively.
    Host name: To specify a destination address type of "host name", click this option button and type the host name in the Host name box.
    IP range: To specify a destination address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
    Address entry: To specify a destination address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add Click Add to add the destination address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete Select the entry you want to delete from the list, and click Delete.
  8. On the Service tab, configure service type for the PBR rule. The service type for the PBR rule can be an arbitrary combination between pre-defined service, user-defined service and service group. To add a service, select a service or service group from the Available list, and click to add to the Selected list. To delete a selected service or service group, select the service or service group from the Selected list, and click .
  9. On the Next hop tab, configure the next hop of the policy-based route. The next hop can be an arbitrary combination among IP address, interface, virtual routers in the current VSYS and virtual routers in other VSYS.
    Option Description
    Next hop IP address: Check the radio button to specify an IP address as the next hop. Type the IP address into the IP address text box and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Interface: Check the radio button to specify an interface as the next hop. Select an interface from the Interface drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Virtual Router in current VSYS: Check the radio button to specify a virtual router in the current VSYS as the next hop. Select a virtual router from the Virtual Router drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Virtual Router in other VSYS: Check the radio button to specify a virtual router outside the current VSYS as the next hop. Select a virtual router from the Virtual Router drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic is allocated to the different next hops according to the weight value.
    Add Click to add the specified next hop.
    Delete Select next-hop entries from the next hop table and click this button to delete.
  10. Click OK to save your changes.

Editing/Deleting/Moving a PBR Rule

To edit/delete/move a policy-based route, take the following steps:

  1. On the Navigation pane, click Configuration > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, select the rule you want to edit/delete/move from the list below, and click Edit, Delete PBR rule or Move to edit/delete/move the rule.
    Option Description
    Top Click this option button to move the PBR rule to the top.
    Bottom Click this option button to move the PBR rule to the bottom.
    Before ID Click this option button and type the ID into the box behind to move the PBR rule to the position before the ID.
    After ID Click this option button and type the ID into the box behind to move the PBR rule to the position after the ID.

Note: Each PBR rule is labeled with a unique ID. When traffic flows into a Hillstone device, the device queries the PBR rules in turn and processes the traffic according to the first matched rule. However, the PBR rule ID is not related to the matching sequence during the query. You can move a PBR rule up or down to adjust the matching sequence accordingly.
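
The first-match behavior in the note above can be checked offline before rules are reordered on the device. The following is an added example, not Hillstone code: it models rules by source and destination network only (service, user and schedule are left out), and the rule IDs, networks and next-hop labels are constructed. It reports later rules that an earlier, broader rule fully covers, which therefore never receive traffic.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: int      # unique ID; says nothing about matching order
    src: str          # source network (CIDR)
    dst: str          # destination network (CIDR)
    next_hop: str     # hypothetical next-hop label
    enabled: bool = True

net = ipaddress.ip_network

def match(rules, src_ip, dst_ip):
    """First enabled rule in list order that matches the packet, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.enabled and s in net(r.src) and d in net(r.dst):
            return r
    return None

def shadowed(rules):
    """(later_id, earlier_id) pairs where an earlier enabled rule covers a later one."""
    active = [r for r in rules if r.enabled]
    pairs = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if (net(later.src).subnet_of(net(earlier.src))
                    and net(later.dst).subnet_of(net(earlier.dst))):
                pairs.append((later.rule_id, earlier.rule_id))
                break
    return pairs

def move_before(rules, rule_id, before_id):
    """Model of the Move > Before ID action: returns the reordered list."""
    moved = next(r for r in rules if r.rule_id == rule_id)
    rest = [r for r in rules if r.rule_id != rule_id]
    idx = next(i for i, r in enumerate(rest) if r.rule_id == before_id)
    return rest[:idx] + [moved] + rest[idx:]

# Constructed sample, listed in matching order. Rule 2 is meant to steer one
# subnet to an inspection link, but rule 5 sits above it and matches first.
RULES = [
    Rule(5, "10.0.0.0/8", "0.0.0.0/0", "isp-a"),
    Rule(2, "10.1.20.0/24", "0.0.0.0/0", "inspection-link"),
    Rule(9, "192.168.0.0/16", "203.0.113.0/24", "isp-b"),
]
```

With the sample list, shadowed(RULES) reports that rule 2 is covered by rule 5; after move_before(RULES, 2, 5) the same packet matches rule 2 and no rule is shadowed.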

Enabling/Disabling a PBR Rule

By default the configured PBR rules will take effect immediately. You can disable a rule to end its control over traffic.

To enable or disable a PBR rule, take the following steps:

  1. On the Navigation pane, click Configuration > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, select the rule you want to enable/disable from the list below, and click Enable/Disable to enable/disable the rule.

Deleting a Policy-based Route

To delete a policy-based route, take the following steps:

  1. On the Navigation pane, click Configuration > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, click Delete PBR.
  3. In the Policy-based Route Deleting dialog, select a name from the PBR name drop-down list, and click OK to delete it. All the related PBR rules will be deleted as well.

Applying a Policy-based Route

You can apply a policy-based route by binding it to an interface or zone. To apply a policy-based route, take the following steps:

  1. On the Navigation pane, click Configuration > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, click Bind to.
  3. In the Policy-based Route Binding dialog, select a route from the PBR name drop-down list, and select an interface or zone from the Bind to drop-down list.
  4. Click OK to save your changes.

Searching Policy-based Routes

To search the policy-based routes, take the following steps:

  1. On the Navigation pane, click Configuration > Network > Routing > Policy Based Routing to visit the policy-based route tab page.
  2. Specify the search conditions and click Search. The matched routes will be shown in the route table. To clear the specified search conditions, click Clear.

When searching the policy-based routes by an IP address, the system follows these principles:

DNS Redirect

The system supports the DNS redirect function, which redirects DNS requests to a specified DNS server. For more information about specifying IP addresses of the DNS server, see Configuring a DNS Server. Currently, the DNS redirect function is mainly used to redirect video traffic for load balancing. Working together with the policy-based route, the system can redirect Web video traffic to different links, improving the user experience.

To enable the DNS redirect function, take the following steps:

  1. On the navigation pane, click Configuration > Network > Routing > Policy Based Routing.
  2. Click the Enable DNS Redirect button to enable this function.