Configuration Examples‎ > ‎HP / HPE‎ > ‎Comware v7‎ > ‎

Comware Policy Based Routing PBR within a VRF

There are a few minor changes you have to make to your configuration to allow PBR within a VPN instance (or VRF, same thing, different kit)

I will use the same concept & IP Addressing as my previous PBR posts.

The router in the picture above (.254) has a default gateway of However, I want traffic sourced from the to.

1. Only use the switches default gateway for any traffic to
2. Use (the firewall) for any traffic to the internet.
3. To be done within a VRF / VPN Instance called Customer01

Configuration Steps

Create your VPN Instance / VRF

ip vpn-instance Customer01
 route-distinguisher 65005:1
 description Customer01

Create a PBR Node called CUSTOMER01-PBR, and match it on ACL 3001 - note the 'deny' statement.

policy-based-route CUSTOMER01-PBR deny node 10
 if-match acl 3001

Create a PBR Node called CUSTOMER01-PBR, and match it on ACL 3002 - note the 'permit' statement, the new next hop, and the reference to the VPN instance!

policy-based-route CUSTOMER01-PBR permit node 11
 if-match acl 3002
 apply next-hop vpn-instance Customer01

Now create the ACL's - this first ACL matches on any internal traffic to or

acl number 3001 name CUSTOMER01-PBR-INTERNAL-TRAFFIC
 rule permit ip source destination vpn-instance Customer01
 rule permit ip source destination vpn-instance Customer01

Now the following ACL is a catch all for anything else.. ie the internet  this includes - so make sure you don't need that network, or add it to ACL 3001

acl number 3002 name CUSTOMER01-PBR-EXTERNAL-TRAFFIC
 rule permit ip destination vpn-instance Customer01

And here's where the magic happens, apply the PBR to the VLAN interface.

interface vlan 10
 ip binding vpn-instance Customer01 
 ip policy-based-route CUSTOMER01-PBR
 ip address
 description Customer01

Note: This is only supported in Comware 7, routing within a PBR is not supported in Comware 5