In some cases when configuring PBR, the requirement is that traffic from segment A (for example 10.1.1.0 0.0.0.255) follows the PBR policy and is redirected to another next hop, while only the traffic from segment A to specific servers, such as 192.168.1.68 and 192.168.35.15, is forwarded by normal routing. With the configuration shown below, all the traffic is forwarded by PBR and the exemption for the servers does not work.
acl 3000
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 192.168.1.68 0
rule 10 deny ip source 10.1.1.0 0.0.0.255 destination 192.168.35.15 0
rule 100 permit ip source 10.1.1.0 0.0.0.255
#
traffic classifier ForInternet operator or precedence 10
if-match acl 3000
#
traffic behavior ForInternet
redirect ip-nexthop 192.168.20.253
#
traffic policy ForInternet match-order config
classifier ForInternet behavior ForInternet
#
traffic-policy ForInternet global inbound
It is necessary to create another classifier and behavior that permit the traffic to the servers so that it is forwarded by routing:
#
acl 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.68 0
rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.35.15 0
acl 3001
rule 100 permit ip source 10.1.1.0 0.0.0.255
#
traffic classifier DenyServer operator or precedence 5 //the DenyServer classifier must have the higher priority
if-match acl 3000
traffic classifier ForInternet operator or precedence 10
if-match acl 3001
#
traffic behavior DenyServer
permit
#
traffic behavior ForInternet
redirect ip-nexthop 192.168.20.253
#
traffic policy ForInternet match-order config //here the match-order must be "config"; in this way the traffic to the servers is forwarded following the routing table
classifier DenyServer behavior DenyServer
classifier ForInternet behavior ForInternet
#
traffic-policy ForInternet global inbound
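To make the evaluation order of the corrected policy concrete, the following Python model is an added example and is not Huawei VRP code or output. It assumes (as a simplification, labelled in the code) that a classifier matches a packet when its ACL contains a permit rule covering the packet, that the policy with match-order config tries the bound classifiers in the order they were configured, and that the first match decides the behavior. Only permit rules are modelled, since the page shows that deny rules in the classifier ACL do not provide the exemption. The ACL numbers, classifier names, next hop and addresses are taken from the corrected configuration above; the sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    0.0.0.255 covers a /24, 0 (0.0.0.0) requires an exact host match."""
    a = int(IPv4Address(addr))
    r = int(IPv4Address(rule_addr))
    w = int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a ^ r) & care == 0


@dataclass
class AclRule:
    # Assumption: only permit rules are modelled (see lead-in).
    rule_id: int
    source: str
    source_wildcard: str
    destination: Optional[str] = None      # None means "any destination"
    destination_wildcard: str = "0.0.0.0"  # "0" on the CLI is an exact host

    def matches(self, src: str, dst: str) -> bool:
        if not wildcard_match(src, self.source, self.source_wildcard):
            return False
        if self.destination is None:
            return True
        return wildcard_match(dst, self.destination, self.destination_wildcard)


@dataclass
class Acl:
    number: int
    rules: List[AclRule]

    def permits(self, src: str, dst: str) -> bool:
        # Rules are evaluated in ascending rule-id order; first hit wins.
        return any(rule.matches(src, dst) for rule in sorted(self.rules, key=lambda r: r.rule_id))


@dataclass
class Binding:
    classifier: str
    acl: Acl
    behavior: str                 # "permit" (ordinary forwarding) or "redirect"
    nexthop: Optional[str] = None


def build_fixed_policy() -> List[Binding]:
    """The corrected 'traffic policy ForInternet match-order config' from the page:
    DenyServer (acl 3000) is bound before ForInternet (acl 3001)."""
    acl_3000 = Acl(3000, [
        AclRule(5, "10.1.1.0", "0.0.0.255", "192.168.1.68", "0.0.0.0"),
        AclRule(10, "10.1.1.0", "0.0.0.255", "192.168.35.15", "0.0.0.0"),
    ])
    acl_3001 = Acl(3001, [
        AclRule(100, "10.1.1.0", "0.0.0.255"),
    ])
    return [
        Binding("DenyServer", acl_3000, "permit"),
        Binding("ForInternet", acl_3001, "redirect", "192.168.20.253"),
    ]


def classify(src: str, dst: str, policy: Optional[List[Binding]] = None) -> str:
    """Return the forwarding decision for a flow: 'route' for ordinary routing-table
    forwarding, or 'redirect <nexthop>' for PBR. Assumption: match-order config
    tries classifiers in configuration order and the first match is final."""
    for binding in policy or build_fixed_policy():
        if binding.acl.permits(src, dst):
            if binding.behavior == "redirect":
                return f"redirect {binding.nexthop}"
            return "route"
    return "route"  # no classifier matched: forwarded by the routing table


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is documentation address space.
    for src, dst in [("10.1.1.5", "192.168.1.68"), ("10.1.1.5", "192.168.35.15"),
                     ("10.1.1.5", "203.0.113.7"), ("10.2.2.2", "203.0.113.7")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
```

Swapping the two bindings in `build_fixed_policy()` reproduces the failure mode the page warns about at the precedence comment: every 10.1.1.0/24 flow would hit ForInternet first and be redirected, including the server traffic.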
