service-exclude (PBR rule view)

When referencing services or service groups in a PBR rule, you can run the service-exclude command to exclude a service or service group. Traffic with the excluded service will not match the rule.

Application Scenarios

When configuring a PBR rule, you can reference a server/server group as a matching condition in the rule. For example, two service groups Service_group1 (that references DNS and FTP services) Service_group2 (that references BGP, DNS, FTP, and H225 services) are available. Traffic of Service_group2 needs to be forwarded to next-hop address 10.1.1.1, and traffic of Service_group1 needs to be forwarded based on the current routing table, without being processed by PBR. You can use configuration method 1 in the following table to assign different actions to different service groups. This method increases rules as well as rule maintenance workloads. Alternatively, you can use configuration method 2 to run the service-exclude command to configure the rule. This method has the same effect as method 1 and does not need additional rules.

<sysname> system-view
[sysname] policy-based-route
[sysname-policy-pbr] rule name test
[sysname-policy-pbr-rule-test] source-address range 10.1.1.40 10.1.1.50
[sysname-policy-pbr-rule-test] action no-pbr
[sysname-policy-pbr-rule-test] quit
[sysname-policy-pbr] rule name test1
[sysname-policy-pbr-rule-test1] source-address 10.1.1.0 24
[sysname-policy-pbr-rule-test1] action pbr next-hop 10.1.1.1

<sysname> system-view
[sysname] policy-based-route
[sysname-policy-pbr] rule name test
[sysname-policy-pbr-rule-test] service Service_group2
[sysname-policy-pbr-rule-test] service-exclude Service_group1
[sysname-policy-pbr-rule-test] action pbr next-hop 10.1.1.1