route-policy: routing policy matching rules explained in detail
route-policy is used frequently in real engineering work. Below, the detailed matching rules of route-policy in combination with ACLs are explained:
1. Basic (standard) access list:
#
acl number 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
When an ACL of this kind is used in a route-policy it performs a prefix match: the route entry is ANDed with the rule entry, and the match succeeds when the result falls inside the range covered by the wildcard mask.
For the configuration above:
192.168.1.0/24, 192.168.1.0/25, 192.168.1.0/30 and so on all match, but 192.168.1.0/16 and the like do not.
2. Advanced (extended) access list:
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
Here the source field is matched against the route's network address and the destination field against the route's mask. Any entry that matches an ACL permit rule executes the apply clause of node 10 (route-policy t1, permit node 10 + permit node 20; its configuration is in appendix 1) and does not go on to the rules below it.
Entries that do not match an ACL permit rule go on to the corresponding rule of the next node, node 20.
The result for the configuration above is that 192.168.1.0/24 matches node 10 and has its Local-Pref attribute changed to 1300, while 192.168.2.0/24 matches node 20 and is left unchanged.
Both entries are advertised.
[AR2810-B]dis bgp routing
 Flags: # - valid   ^ - active   I - internal
        D - damped  H - history  S - aggregate suppressed
 Dest/Mask          Next-Hop        Med      Local-pref  Origin  Path
 --------------------------------------------------------------------------
 #^I 192.168.1.0       10.0.0.2        0        1300        IGP
 #^I 192.168.2.0       10.0.0.2        0        100         IGP
 Routes total: 2
[AR2810-B]
4. permit node + deny ACL route-policy
#
route-policy t2 permit node 10
 if-match acl 3001
 apply local-preference 2300
route-policy t2 permit node 20
For a permit node of a route-policy, any entry that explicitly matches a deny rule of the ACL does not execute the apply clause of node 10,
and goes on to the next node, node 20, for matching.
The result for the configuration above is:
192.168.1.0/24 is matched by node 10 and DENIED there,
but continues to be matched against the following node 20.
With these rules both the 192.168.1.0/24 and the 192.168.2.0/24 entries are advertised.
[AR2810-B]dis bgp routing
 Flags: # - valid   ^ - active   I - internal
        D - damped  H - history  S - aggregate suppressed
 Dest/Mask          Next-Hop        Med      Local-pref  Origin  Path
 --------------------------------------------------------------------------
 #^I 192.168.1.0       10.0.0.2        0        100         IGP
 #^I 192.168.2.0       10.0.0.2        0        100         IGP
 Routes total: 2
[AR2810-B]
5. deny node + permit ACL route-policy
#
route-policy t3 deny node 10
 if-match acl 3000
 apply local-preference 1300
route-policy t3 permit node 20
For a deny node of a route-policy, every entry that matches a permit rule of the ACL is DENIED.
Entries that do not match continue to the next node.
The result for the configuration above is:
192.168.1.0/24 is matched by node 10 and DENIED,
while 192.168.2.0/24 matches node 20.
With these rules only 192.168.2.0/24 is advertised.
[AR2810-B]dis bgp routing
 Flags: # - valid   ^ - active   I - internal
        D - damped  H - history  S - aggregate suppressed
 Dest/Mask          Next-Hop        Med      Local-pref  Origin  Path
 --------------------------------------------------------------------------
 #^I 192.168.2.0       10.0.0.2        0        100         IGP
 Routes total: 1
[AR2810-B]
6. deny node + deny ACL route-policy
#
route-policy t4 deny node 10
 if-match acl 3001
 apply local-preference 2300
route-policy t4 permit node 20
For a deny node of a route-policy, every entry that explicitly matches a deny rule of the ACL is "denied" by node 10 and continues to be matched against the subsequent nodes.
This produces the effect of a double DENY turning into a permit.
The result for the configuration above is:
192.168.1.0/24 and 192.168.2.0/24 both match node 20,
i.e. both are advertised.
[AR2810-B]dis bgp routing
 Flags: # - valid   ^ - active   I - internal
        D - damped  H - history  S - aggregate suppressed
 Dest/Mask          Next-Hop        Med      Local-pref  Origin  Path
 --------------------------------------------------------------------------
 #^I 192.168.1.0       10.0.0.2        0        100         IGP
 #^I 192.168.2.0       10.0.0.2        0        100         IGP
 Routes total: 2
[AR2810-B]
The discussion above is summarised as follows:
1. A DENY node in a route-policy combined with an apply clause has no effect: the apply clause of a deny node is never executed.
2. Any entry that is DENIED by the ACL can continue matching the following nodes.
3. Any entry that is matched by a DENY node of the route-policy is denied and does not continue matching.
4. A route-policy applied as a routing policy has an implicit final rule of DENY ALL, whereas when used for policy-based routing the implicit rule is PERMIT ALL.
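The matching rules from sections 1 to 6 and the four conclusions above, as a small simulator added to this document (it is not part of the original article and not vendor code). It models first-match ACL lookup, the basic-ACL and advanced-ACL semantics described in sections 1 and 2, the permit/deny node rules, and the implicit deny-all versus permit-all at the end of the policy, then runs the two BGP networks through t1 to t4 and reproduces the four "dis bgp routing" tables. The ACL and route-policy definitions are copied from the AR2810-A configuration in appendix 1; the "whole route block inside the wildcard range" reading of the basic ACL and the usage="routing"/"pbr" switch are assumptions that model the text, and all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical simulator of the route-policy / ACL matching rules described on the page.


@dataclass
class AclRule:
    action: str                          # "permit" or "deny"
    source: str                          # basic ACL: route range; advanced ACL: route network
    source_wild: str                     # wildcard mask (bits that are 0 must match)
    dest: Optional[str] = None           # advanced ACL only: compared with the route *mask*
    dest_wild: Optional[str] = None


@dataclass
class Node:
    mode: str                            # "permit" or "deny"
    if_match_acl: Optional[int] = None   # ACL number referenced by if-match, if any
    apply_local_pref: Optional[int] = None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild_eq(value: int, base: int, wild: int) -> bool:
    """True when value equals base on every bit that is 0 in the wildcard mask."""
    return (value & ~wild) & 0xFFFFFFFF == (base & ~wild) & 0xFFFFFFFF


def rule_matches(rule: AclRule, net: ipaddress.IPv4Network) -> bool:
    base, wild = _ip(rule.source), _ip(rule.source_wild)
    if rule.dest is None:
        # Basic ACL (2000-2999), as section 1 describes it: the whole route block must lie
        # inside the range covered by source/wildcard, so 192.168.1.0/24, /25 and /30 match
        # "192.168.1.0 0.0.0.255" but a /16 starting at 192.168.1.0 does not (assumption).
        lo, hi = (base & ~wild) & 0xFFFFFFFF, base | wild
        return lo <= int(net.network_address) and int(net.broadcast_address) <= hi
    # Advanced ACL (3000-3999): 'source' is compared with the route network and
    # 'destination' with the route mask, so "source 192.168.1.0 0 destination
    # 255.255.255.0 0" matches exactly 192.168.1.0/24.
    return (_wild_eq(int(net.network_address), base, wild)
            and _wild_eq(int(net.netmask), _ip(rule.dest), _ip(rule.dest_wild)))


def acl_lookup(rules, net: ipaddress.IPv4Network) -> Optional[str]:
    """First-match ACL evaluation: 'permit', 'deny', or None when no rule hits."""
    for rule in rules:
        if rule_matches(rule, net):
            return rule.action
    return None


def evaluate(nodes, acls, net, local_pref=100, usage="routing"):
    """Run one route through a route-policy and return (permitted, local_pref).

    usage="routing" models route filtering (implicit deny-all after the last node);
    usage="pbr" models policy-based routing (implicit permit-all).
    """
    for node in nodes:
        if node.if_match_acl is not None:
            # Only an ACL *permit* rule satisfies the if-match. A deny rule, or no rule
            # at all, just fails the clause and the route moves on to the next node.
            if acl_lookup(acls[node.if_match_acl], net) != "permit":
                continue
        if node.mode == "deny":
            return False, local_pref          # apply clauses under a deny node never run
        if node.apply_local_pref is not None:
            local_pref = node.apply_local_pref
        return True, local_pref
    return usage == "pbr", local_pref


# ACLs and route-policies t1..t4 copied from the AR2810-A configuration in appendix 1.
ACLS = {
    2000: [AclRule("permit", "192.168.1.0", "0.0.0.255")],
    3000: [AclRule("permit", "192.168.1.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")],
    3001: [AclRule("deny",   "192.168.1.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")],
}
POLICIES = {
    "t1": [Node("permit", 3000, 1300), Node("permit")],   # permit node, permit ACL
    "t2": [Node("permit", 3001, 2300), Node("permit")],   # permit node, deny ACL
    "t3": [Node("deny",   3000, 1300), Node("permit")],   # deny node, permit ACL
    "t4": [Node("deny",   3001, 2300), Node("permit")],   # deny node, deny ACL
}
NETWORKS = ["192.168.1.0/24", "192.168.2.0/24"]           # the two 'network' statements


def acl_verdict(acl_number: int, prefix: str) -> Optional[str]:
    return acl_lookup(ACLS[acl_number], ipaddress.ip_network(prefix, strict=False))


def evaluate_prefix(policy_name: str, prefix: str, usage="routing"):
    return evaluate(POLICIES[policy_name], ACLS, ipaddress.ip_network(prefix), usage=usage)


def export_table(policy_name: str) -> dict:
    """What 'peer ... route-policy <name> export' advertises: {prefix: local-pref}."""
    table = {}
    for prefix in NETWORKS:
        permitted, lp = evaluate_prefix(policy_name, prefix)
        if permitted:
            table[prefix] = lp
    return table


if __name__ == "__main__":
    for name in POLICIES:
        print(name, export_table(name))
```

Running it prints, for t1 through t4, the same prefixes and Local-Pref values as the four BGP tables above. The t4 case is the one worth checking in a real filter: a deny node that references a deny ACL lets every route through, so a route filter written that way blocks nothing.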
Appendix 1:
1. Test setup information
A (S3/0) --------- (S3/0) B
1) The devices used in this test were H3C AR2810 routers; the version and configuration information is as follows:
AR2810-A:
[AR2810-A]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2008/11/28 06:04:07
System returned to ROM By Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version: 4.0
Logic Version: 1.0
BootROM Version: 9.23
[SLOT 0] AUX (Hardware) 4.0, (Driver) 1.0, (CPLD) 1.0
[SLOT 0] 1FE (Hardware) 4.0, (Driver) 1.0, (CPLD) 1.0
[SLOT 0] WAN (Hardware) 4.0, (Driver) 1.0, (CPLD) 1.0
[SLOT 3] 1SA (Hardware) 1.0, (Driver) 1.0, (CPLD) 2.0
[AR2810-A]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWARE V300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
[AR2810-A]dis cu
[AR2810-A]dis current-configuration
#
 sysname AR2810-A
#
acl number 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
acl number 3001
 rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0
#
interface Serial3/0
 link-protocol ppp
 ip address 10.0.0.2 255.255.255.252
#
bgp 100
 network 192.168.1.0
 network 192.168.2.0
 undo synchronization
 group tolocal internal
 peer tolocal route-policy t4 export
 peer 10.0.0.1 group tolocal
#
route-policy t1 permit node 10
 if-match acl 3000
 apply local-preference 1300
route-policy t1 permit node 20
route-policy t2 permit node 10
 if-match acl 3001
 apply local-preference 2300
route-policy t2 permit node 20
route-policy t3 deny node 10
 if-match acl 3000
 apply local-preference 1300
route-policy t3 permit node 20
route-policy t4 deny node 10
 if-match acl 3001
 apply local-preference 2300
route-policy t4 permit node 20
#
 ip route-static 192.168.1.0 255.255.255.0 NULL 0 preference 60
 ip route-static 192.168.2.0 255.255.255.0 NULL 0 preference 60
[AR2810-A]
AR2810-B:
[AR2810-B]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2021/08/22 01:14:25
System returned to ROM By Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version: 4.0
Logic Version: 1.0
BootROM Version: 9.23
[SLOT 0] AUX (Hardware) 4.0, (Driver) 1.0, (CPLD) 1.0
[SLOT 0] 1FE (Hardware) 4.0, (Driver) 1.0, (CPLD) 1.0
[SLOT 0] WAN (Hardware) 4.0, (Driver) 1.0, (CPLD) 1.0
[SLOT 3] 1SA (Hardware) 1.0, (Driver) 1.0, (CPLD) 2.0
[AR2810-B]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWARE V300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
[AR2810-B] dis cu
#
 sysname AR2810-B
#
interface Serial3/0
 clock DTECLK1
 link-protocol ppp
 ip address 10.0.0.1 255.255.255.252
#
bgp 100
 undo synchronization
 group tolocal internal
 peer 10.0.0.2 group tolocal
[AR2810-B]
2) Router A in the topology above was then replaced with a Cisco 3640.
The tests above were repeated, and the conclusions were the same as for the H3C route-policy.
The version and configuration of the Cisco device are as follows:
C3640#show ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IK9O3S-M), Version 12.2(
T10, RELEASE SOFTWARE (fc1)
TAC Support:
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Sat 31-May-03 00:17 by kellythw
Image text-base: 0x60008930, data-base: 0x6171C000
ROM: System Bootstrap, Version 11.1(20)AA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
C3640 uptime is 16 minutes
System returned to ROM by reload
System image file is "flash:c3640-ik9o3s-mz.122-8.t10.bin"
cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
Processor board ID 13894963
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
C3640#show running-config
!
hostname C3640
!
interface Serial1/1
 ip address 10.0.0.2 255.255.255.0
 encapsulation ppp
 serial restart_delay 0
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 neighbor 10.0.0.1 remote-as 100
 neighbor 10.0.0.1 route-map t4 out
 no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 Null0
ip route 192.168.2.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip host 192.168.1.0 host 255.255.255.0
access-list 102 deny ip host 192.168.1.0 host 255.255.255.0
!
route-map t4 deny 10
 match ip address 102
 set local-preference 1300
!
route-map t4 permit 20
!
route-map t1 permit 10
 match ip address 101
 set local-preference 1300
!
route-map t1 permit 20
!
route-map t2 permit 10
 match ip address 102
 set local-preference 1300
!
route-map t2 permit 20
!
route-map t3 deny 10
 match ip address 101
 set local-preference 1300
!
route-map t3 permit 20
C3640#