Configuring an IPv4 object policy rule
You can specify an existing object group in an IPv4 object policy rule for matching target IPv4 packets. If no object group is specified for a rule, the rule applies to all IPv4 packets.
The following object groups can be used in a rule for packet matching:
Source IPv4 address object group—Used for matching the source IPv4 addresses of packets.
Destination IPv4 address object group—Used for matching the destination IPv4 addresses of packets.
Service object group—Used for matching the service types carried in packets.
VRF instance—Used for matching the MPLS L3VPN instances of packets.
Application/application group—Used for matching PBAR-classified application IDs of packets. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see "Configuring ARP."
For more information about object groups, see "Configuring object groups."
To configure an IPv4 object policy rule:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter IPv4 object policy view. | object-policy ip object-policy-name | N/A |
3. Configure an IPv4 object policy rule. | rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ track [ negative ] track-entry-number ] [ time-range time-range-name ] ] * | By default, no IPv4 object policy rules are configured. If you specify a nonexistent object group, the rule does not match packets. |
4. (Optional.) Configure a description for the rule. | rule rule-id comment text | By default, an object policy rule does not have a description. |