DIGITAL GIGAswitch/Router User Reference Manual
Configuring IP Policies
Associating the Profile with an IP Policy
Once you have defined a profile with the acl command, you associate the profile with an IP policy by entering one or more ip-policy statements. An ip-policy statement specifies the next-hop gateway (or gateways) where packets matching a profile are forwarded. To cause packets matching a defined profile to be forwarded to a next-hop gateway, enter the following command in Configure mode:

Forward packets matching a profile to a next-hop gateway.
    ip-policy <name> permit acl <profile> next-hop-list <ip-addr-list>

For example, the following command creates an IP policy called “p1” and specifies that packets matching profile “prof1” are forwarded to next-hop gateway 10.10.10.10:

    gs/r(config)# ip-policy p1 permit acl prof1 next-hop-list 10.10.10.10

You can also set up a policy to prevent packets from being forwarded by an IP policy. To prevent packets matching a defined profile from being forwarded by an IP policy to a next-hop gateway, enter the following command in Configure mode:

Prevent packets matching a profile from being forwarded by an IP policy.
    ip-policy <name> deny acl <profile>

Packets matching the specified profile are forwarded using dynamic routes instead.

For example, the following command creates an IP policy called “p2” that prevents packets matching prof1 from being forwarded using an IP policy:

    gs/r(config)# ip-policy p2 deny acl prof1

Creating Multi-statement IP Policies

An IP policy can contain more than one ip-policy statement. For example, an IP policy can contain one statement that sends all packets matching a profile to one next-hop gateway, and another statement that sends packets matching a different profile to a different next-hop gateway. If an IP policy has multiple ip-policy statements, you can assign each statement a sequence number that controls the order in which they are evaluated. Statements are evaluated from lowest sequence number to highest.

To specify the order in which IP policy statements are evaluated by an IP policy, enter the following command in Configure mode:

Specify a sequence number for IP policy statements.
    ip-policy <name> permit|deny acl <profile> sequence <num>
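
Because statements are evaluated from lowest sequence number to highest, a configuration review should confirm that every statement in a multi-statement policy is explicitly ordered and that no statement is hidden behind an earlier one. The following Python lint is an added example, not part of the manual or the GIGAswitch/Router software. It assumes that the first statement whose profile matches decides the packet's handling and that sequence may follow next-hop-list in one statement; the policy p3, profile prof2 and address 10.20.20.20 in the sample are constructed.

```python
import re
from collections import defaultdict

# Grammar from this page; combining next-hop-list with sequence is an assumption.
STMT = re.compile(
    r"^ip-policy\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+acl\s+(?P<profile>\S+)"
    r"(?:\s+next-hop-list\s+(?P<hops>.+?))?(?:\s+sequence\s+(?P<seq>\d+))?\s*$")

def parse(config):
    """Group ip-policy statements by policy name; other lines are ignored."""
    policies = defaultdict(list)
    for line in config.splitlines():
        m = STMT.match(line.strip())
        if m:
            stmt = m.groupdict()
            stmt["seq"] = int(stmt["seq"]) if stmt["seq"] else None
            policies[stmt["name"]].append(stmt)
    return policies

def lint(config):
    """Return (policy, message) findings about statement ordering."""
    findings = []
    for name, stmts in parse(config).items():
        ordered = sorted((s for s in stmts if s["seq"] is not None), key=lambda s: s["seq"])
        if len(stmts) > 1 and len(ordered) < len(stmts):
            findings.append((name, "multi-statement policy has statements without a sequence number"))
        first_seen, used = {}, set()
        for s in ordered:  # lowest sequence number is evaluated first
            if s["seq"] in used:
                findings.append((name, f"sequence {s['seq']} is used more than once"))
            used.add(s["seq"])
            # Assumption: the first statement whose profile matches decides.
            if s["profile"] in first_seen:
                findings.append((name, f"sequence {s['seq']} repeats profile {s['profile']}, "
                                       f"already handled at sequence {first_seen[s['profile']]}"))
            else:
                first_seen[s["profile"]] = s["seq"]
    return findings

# Constructed sample configuration; p3, prof2 and 10.20.20.20 are made up.
SAMPLE = """\
ip-policy p1 permit acl prof1 next-hop-list 10.10.10.10
ip-policy p3 deny acl prof1 sequence 10
ip-policy p3 permit acl prof1 next-hop-list 10.10.10.10 sequence 20
ip-policy p3 permit acl prof2 next-hop-list 10.20.20.20
"""

if __name__ == "__main__":
    print("\n".join(f"{p}: {m}" for p, m in lint(SAMPLE)))
```

In the sample, the deny statement at sequence 10 is evaluated before the permit at sequence 20 for the same profile, so under the stated assumption prof1 traffic falls back to dynamic routes and never reaches 10.10.10.10.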