route-policy-路由策略规则详解
《route-policy-路由策略规则详解》由会员分享,可在线阅读,更多相关《route-policy-路由策略规则详解(8页珍藏版)》请在装配图网上搜索。
1、ROUTE-POLICY 路由策略 规则详解 在实际工程中经常用到route-policy的情况,下面对route-policy和ACL的详细匹配规则做以说明:一、 标准访问列表:#acl number 2000rule 0 permit source 192.168.1.0 0.0.0.255此类ACL用于route-policy时做前缀匹配,即路由条目和规则条目做 AND 运算 ,结果落在反掩码的包含范围之内的则匹配成功。对于上述配置:192.168.1.0/24192.168.1.0 /25 192.168.1.0/30 等均可匹配,但是192.168.1.0/16 等则匹配不成功。二、
2、 扩展访问列表:#acl number 3000rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0acl number 3001rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0此类ACL比较特殊,源和目的的掩码均要为0 。用于route-policy 是要做严格的匹配,即前缀要和source 匹配,前缀的掩码部分要和destination匹配。对于上述配置3000来说,则只有192.168.1.0/24可与之匹配。此类列表和Route-p
3、olicy配合可用于严格的匹配一条路由条目。三、 permit+permit的route-policy#route-policy t1 permit node 10if-match acl 3000apply local-preference 1300 route-policy t1 permit node 20对于route-policy的permit规则来说,凡是能够匹配ACL permit规则的条目就执行node 10中的apply 规则,并不再继续匹配下面的规则。不能够匹配ACL permit规则的条目,就继续执行下一个 node 20中的相应规则。对于上述配置的结果是192.168.
4、1.0/24匹配node 10 被修改LP属性为1300 ,而192.168.2.0/24 则匹配node 20 不做任何修改。2个条目都可以通告。AR2810-Bdis bgp routingFlags:# - valid - active I - internal D - damped H - history S - aggregate suppressed Dest/Mask Next-Hop Med Local-pref Origin Path -#I 192.168.1.0 10.0.0.2 0 1300 IGP #I 192.168.2.0 10.0.0.2 0 100 IGP R
5、outes total: 2AR2810-B四、 permit+deny 的route-policy#route-policy t2 permit node 10if-match acl 3001apply local-preference 2300route-policy t2 permit node 20对于route-policy 的permit规则来说,凡是明确和ACL 的deny 规则匹配的则不执行node 10中的apply规则。并且会继续执行下一个node 20 进行匹配 。对于上述配置的结果是:192.168.1.0/24 和node 10 匹配,被 DENY 。但是会继续和后
6、面的nod 20 匹配 。上述规则192.168.1.0/24 192.168.2.0/24条目都可被通告。AR2810-Bdis bgp routingFlags:# - valid - active I - internal D - damped H - history S - aggregate suppressed Dest/Mask Next-Hop Med Local-pref Origin Path -#I 192.168.1.0 10.0.0.2 0 100 IGP #I 192.168.2.0 10.0.0.2 0 100 IGP Routes total: 2AR2810-
7、B五、 deny+permit 的route-policy#route-policy t3 deny node 10if-match acl 3000apply local-preference 1300 route-policy t3 permit node 20对于route-policy的deny规则来说,凡是和ACL的permit规则匹配的条目都被DENY掉。未匹配的条目则继续向下匹配。对于上述配置的结果是:192.168.1.0/24和node 10 匹配,被DENY 掉。而192.168.2.0/24则和node 20 匹配。上述规则只有192.168.2.0/24可被通告。AR2
8、810-Bdis bgp routingFlags:# - valid - active I - internal D - damped H - history S - aggregate suppressed Dest/Mask Next-Hop Med Local-pref Origin Path -#I 192.168.2.0 10.0.0.2 0 100 IGP Routes total: 1AR2810-B六、 deny+deny 的 route-policy#route-policy t4 deny node 10if-match acl 3001apply local-prefe
9、rence 2300route-policy t4 permit node 20对于route-policy的Deny规则来说,凡是和ACL 的deny规则明确匹配的条目被node 10 Deny,并且向下继续匹配后续的规则。这就产生了双重DENY 变成 permit的效果。对于上述配置的结果是:192.168.1.0/24 192.168.2.0/24 都和node 20匹配。即都可发布。AR2810-Bdis bgp routingFlags:# - valid - active I - internal D - damped H - history S - aggregate suppr
10、essed Dest/Mask Next-Hop Med Local-pref Origin Path -#I 192.168.1.0 10.0.0.2 0 100 IGP #I 192.168.2.0 10.0.0.2 0 100 IGP Routes total: 2AR2810-B对于上述论述总结如下如下:1、route-policy 中的DENY 和applay配合无任何意义。2、凡是在ACL 中被DENY过的条目,可以继续向下匹配。3、在route-policy中被DENY 匹配过的条目则被DENY 不会继续匹配。4、Route-policy用于路由策略时有一个隐含的规则为DENY
11、ALL ,而用于策略路由时则是PERMIT ALL附件1:一、 实验相关信息A (s3/0) -(S3/0) B1)本次测试中用到的设备为H3C AR2810 相关版本及配置信息如下:AR2810-A:AR2810-Adis verHuawei Versatile Routing Platform SoftwareVRP software, Version 3.40, Release 0201P29Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.Without the owners prior
12、written consent, no decompilingnor reverse-engineering shall be allowed.Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutesLast reboot 2008/11/28 06:04:07System returned to ROM By Command.CPU type: PowerPC 8241 200MHz128M bytes SDRAM Memory32M bytes Flash MemoryPCB Version:4.0Logic Version:1
13、.0BootROMVersion:9.23SLOT 0 AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0SLOT 0 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0SLOT 0 WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0SLOT 3 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0AR2810-AvrbdRouting Platform SoftwareVersion AR28-10 8040V300R003B04D040SP73 (COMWAREV3
14、00R002B62D014), RELEASE SOFTWARECompiled Oct 22 2008 18:24:10 by jiahuaAR2810-Adis cuAR2810-Adis current-configuration#sysname AR2810-A#acl number 2000rule 0 permit source 192.168.1.0 0.0.0.255#acl number 3000rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0acl number 3001rule 0 deny
15、 ip source 192.168.1.0 0 destination 255.255.255.0 0#interface Serial3/0link-protocol pppip address 10.0.0.2 255.255.255.252#bgp 100network 192.168.1.0network 192.168.2.0undo synchronizationgroup tolocal internalpeer tolocal route-policy t4 exportpeer 10.0.0.1 group tolocal# route-policy t1 permit n
16、ode 10if-match acl 3000apply local-preference 1300route-policy t1 permit node 20route-policy t2 permit node 10if-match acl 3001apply local-preference 2300route-policy t2 permit node 20route-policy t3 deny node 10if-match acl 3000apply local-preference 1300route-policy t3 permit node 20route-policy t
17、4 deny node 10if-match acl 3001apply local-preference 2300route-policy t4 permit node 20#ip route-static 192.168.1.0 255.255.255.0 NULL 0 preference 60ip route-static 192.168.2.0 255.255.255.0 NULL 0 preference 60AR2810-AAr2810-B:AR2810-Bdis verHuawei Versatile Routing Platform SoftwareVRP software,
18、 Version 3.40, Release 0201P29Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.Without the owners prior written consent, no decompilingnor reverse-engineering shall be allowed.Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutesLast reboot 2021/08/22 01:14:25System re
19、turned to ROM By Command.CPU type: PowerPC 8241 200MHz128M bytes SDRAM Memory32M bytes Flash MemoryPCB Version:4.0Logic Version:1.0BootROMVersion:9.23SLOT 0 AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0SLOT 0 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0SLOT 0 WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0SLOT 3
20、 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0AR2810-BvrbdRouting Platform SoftwareVersion AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARECompiled Oct 22 2008 18:24:10 by jiahuaAR2810-B dis cu#sysname AR2810-B#interface Serial3/0clock DTECLK1link-protocol pppip address 10.0.0.
21、1 255.255.255.252#bgp 100undo synchronizationgroup tolocal internalpeer 10.0.0.2 group tolocal AR2810-B 2)将上述拓扑中的路由器A 替换成CISCO 3640 。再次重复以上试验,得出结论与H3C的route-policy相同。相关CISCO设备版本及配置如下:C3640#show verCisco Internetwork Operating System SoftwareIOS (tm) 3600 Software (C3640-IK9O3S-M), Version 12.2(T10,R
22、ELEASE SOFTWARE (fc1)TAC Support:Copyright (c) 1986-2003 by cisco Systems, Inc.Compiled Sat 31-May-03 00:17 by kellythwImage text-base: 0x60008930, data-base: 0x6171C000ROM: System Bootstrap, Version 11.1(20)AA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)C3640 uptime is 16 minutesSystem returned to ROM
23、 by reloadSystem image file is flash:c3640-ik9o3s-mz.122-8.t10.bincisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.Processor board ID 13894963R4700 CPU at 100Mhz, Implementation 33, Rev 1.0Bridging software.X.25 software, Version 3.0.0.SuperLAT software (copyright 1990
24、 by Meridian Technology Corp).5 Ethernet/IEEE 802.3 interface(s)4 Serial network interface(s)DRAM configuration is 64 bits wide with parity disabled.125K bytes of non-volatile configuration memory.16384K bytes of processor board System flash (Read/Write)Configuration register is 0x2102C3640#show run
25、ning-config!hostname C3640!interface Serial1/1ip address 10.0.0.2 255.255.255.0encapsulation pppserial restart_delay 0!router bgp 100no synchronizationbgp log-neighbor-changesnetwork 192.168.1.0network 192.168.2.0neighbor 10.0.0.1 remote-as 100neighbor 10.0.0.1 route-map t4 outno auto-summary!ip cla
26、sslessip route 192.168.1.0 255.255.255.0 Null0ip route 192.168.2.0 255.255.255.0 Null0no ip http serverip pim bidir-enable!access-list 101 permit ip host 192.168.1.0 host 255.255.255.0access-list 102 deny ip host 192.168.1.0 host 255.255.255.0!route-map t4 deny 10match ip address 102set local-prefer
27、ence 1300!route-map t4 permit 20!route-map t1 permit 10match ip address 101set local-preference 1300!route-map t1 permit 20!route-map t2 permit 10match ip address 102set local-preference 1300!route-map t2 permit 20!route-map t3 deny 10match ip address 101set local-preference 1300!route-map t3 permit 20C3640#
- 温馨提示:
1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
2: 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
3.本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 装配图网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
