policy-route

Function

The policy-route command sets the next-hop IP or IPv6 address of the policy-based route for all users in a domain.

The undo policy-route command cancels the policy-based route function of all users in a domain.

By default, the policy-based route function is not configured in a domain.

This command is supported only on the NetEngine 8000 F1A.

Format

policy-route { next-hop-ip-address | next-hop-ipv6-address }

undo policy-route [ next-hop-ip-address | next-hop-ipv6-address ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| next-hop-ip-address | Specifies the next-hop IP address of the policy-based route for all users in a domain. | It is in dotted decimal notation. |
| next-hop-ipv6-address | Specifies the next-hop IPv6 address of the policy-based route for all users in a domain. | The address is a 32-digit hexadecimal number in the X:X:X:X:X:X:X:X format. |

Views

AAA domain view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| aaa-access | write |

Usage Guidelines

Usage Scenario

If you want to change the forwarding paths for online users in a domain for security or load balancing reasons, run the policy-route command in the domain to configure the next hop address of the policy-based route.

Configuration Impact

After policy-based routing (PBR) is configured, the outbound interface used to forward user packets is determined by the next-hop IP address specified in the user domain, not by the destination IP address of the packets.

The policy-route and undo policy-route commands take effect for users who go online after these commands are configured.

When a user goes online from an IPv6 stack, if the IPv6 policy-based routes are direct routes, the policy-based routes do not take effect for the user. If the status of the IPv6 policy-based routes later changes from direct to non-direct or from non-direct to direct, the change does not affect the IPv6 stack of online users.

  1. If user 1 goes online from an IPv6 stack and the IPv6 policy-based routes are direct routes, the policy-based routes configured using this command do not take effect for user 1. If the status of the policy-based routes subsequently changes from direct to non-direct, the configured policy-based routes still do not take effect for user 1.
  2. If user 2 goes online from an IPv6 stack and the IPv6 policy-based routes are non-direct routes, the policy-based routes configured using this command take effect for user 2. If the status of the policy-based routes subsequently changes from non-direct to direct, the configured policy-based routes still take effect for user 2 but will cause IPv6 traffic interruptions.

Precautions

In VS mode, this command is supported only by the admin VS.

If a RADIUS server uses an attribute to deliver policy-based routes, these policy-based routes take precedence.

The next hop IP address of the policy-based route configured for users in a domain must be available. If the configured next hop IP address is not available, the policy-based route is unreachable.

Example

# Set the next-hop IP address of the policy-based route for users in the domain isp1 to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] policy-route 10.1.1.1
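
Because a domain-level policy-route sends every user's traffic in that domain to one next hop, an unexpected value is worth auditing. The following is an added example, not code from this page or from Huawei: it parses configuration text (the indented layout and the sample are constructed assumptions) and checks each domain's next hop against a hypothetical approved list.

```python
import ipaddress

# Constructed sample of saved configuration text; the indented layout is an
# assumption about how the device lists AAA domains, not output from the page.
SAMPLE_CONFIG = """\
aaa
 domain isp1
  policy-route 10.1.1.1
 domain isp2
  policy-route 2001:db8::1
 domain isp3
  policy-route 10.1.1.300
 domain isp4
#
"""

# Hypothetical allowlist of next hops the operator has approved.
APPROVED_NEXT_HOPS = {"10.1.1.1"}


def domain_policy_routes(config_text):
    """Return {domain: next-hop string} for domains that set policy-route."""
    routes, domain = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) == 2 and words[0] == "domain":
            domain = words[1]
        elif len(words) == 2 and words[0] == "policy-route" and domain:
            routes[domain] = words[1]
        elif raw and not raw.startswith(" "):
            domain = None  # an unindented line ends the aaa block
    return routes


def audit(config_text, approved):
    """Classify each domain's next hop as ok, unapproved or invalid."""
    # Compare parsed addresses so different IPv6 spellings still match.
    approved_addrs = {ipaddress.ip_address(a) for a in approved}
    findings = {}
    for domain, hop in domain_policy_routes(config_text).items():
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            findings[domain] = "invalid"
            continue
        findings[domain] = "ok" if addr in approved_addrs else "unapproved"
    return findings


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG, APPROVED_NEXT_HOPS).items():
        print(name, status)
```

This audit covers only the domain-level setting; as the Precautions state, policy-based routes delivered by a RADIUS server take precedence and must be reviewed on the server side.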
Copyright © Huawei Technologies Co., Ltd.