Route-Policy 路由策略规则详解

(2017-09-04 00:55:26)

标签：

网络技术

Route-Policy 路由策略规则详解

2016-07-14 10:18 2683人阅读评论(0) 收藏举报

http://static.blog.csdn.net/images/category_icon.jpg路由策略规则详解" TITLE="Route-Policy 路由策略规则详解" /> 分类：

网络（87） http://static.blog.csdn.net/images/arrow_triangle%20_down.jpg路由策略规则详解" TITLE="Route-Policy 路由策略规则详解" />

ROUTE-POLICY 路由策略规则详解

在实际工程中经常用到route-policy的情况，下面对route-policy和ACL的详细匹配规则做以说明：

http://img.blog.csdn.net/20170627165218878?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQveWlsdXlhbmdndWFuZzEyMzQ=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center路由策略规则详解" />
一、标准访问列表：
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255

此类ACL用于route-policy时做前缀匹配，即路由条目和规则条目做 AND 运算，结果落在反掩码的包含范围之内的则匹配成功。
对于上述配置：192.168.1.0/24  192.168.1.0 /25 192.168.1.0/30 等均可匹配，但是192.168.1.0/16 等则匹配不成功。 //掩码长度不能比源掩码短，否则不成功
二、扩展访问列表：
acl number 3000
rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
acl number 3001
rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0
此类ACL比较特殊，源和目的的掩码均要为0 。用于route-policy 是要做严格的匹配，即前缀要和source 匹配，前缀的掩码部分要和destination匹配。
对于上述配置3000来说，则只有192.168.1.0/24可与之匹配。此类列表和Route-policy配合可用于严格的匹配一条路由条目。
三、 permit+permit的route-policy
route-policy t1 permit node 10
if-match acl 3000
apply local-preference 1300
route-policy t1 permit node 20
对于route-policy的permit规则来说，凡是能够匹配ACL permit规则的条目就执行node 10中的apply 规则，并不再继续匹配下面的规则。不能够匹配ACL permit规则的条目，就继续执行下一个 node 20中的相应规则。
对于上述配置的结果是192.168.1.0/24匹配node 10 被修改LP属性为1300 ，而192.168.2.0/24 则匹配node 20 不做任何修改。2个条目都可以通告。
[AR2810-B]dis bgp routing
Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.1.0        10.0.0.2        0          1300        IGP
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 2

[AR2810-B]
四、permit+deny 的route-policy
#
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20

对于route-policy 的permit规则来说，凡是明确和ACL 的deny 规则匹配的则不执行node 10中的apply规则。并且会继续执行下一个node 20 进行匹配。
对于上述配置的结果是：192.168.1.0/24 和node 10 匹配，被 DENY 。但是会继续和后面的nod 20 匹配。上述规则192.168.1.0/24 192.168.2.0/24条目都可被通告。
[AR2810-B]dis bgp routing

Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.1.0        10.0.0.2        0          100         IGP
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 2

[AR2810-B]

五、 deny+permit 的route-policy
#
route-policy t3 deny node 10
if-match acl 3000
apply local-preference 1300
route-policy t3 permit node 20

对于route-policy的deny规则来说，凡是和ACL的permit规则匹配的条目都被DENY掉。未匹配的条目则继续向下匹配。
对于上述配置的结果是：192.168.1.0/24和node 10 匹配，被DENY 掉。而192.168.2.0/24则和node 20 匹配。上述规则只有192.168.2.0/24可被通告。

[AR2810-B]dis bgp routing

Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 1

[AR2810-B]
六、 deny+deny 的 route-policy
#
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20

对于route-policy的Deny规则来说，凡是和ACL 的deny规则明确匹配的条目被node 10 Deny，并且向下继续匹配后续的规则。这就产生了双重DENY 变成 permit的效果。
对于上述配置的结果是：192.168.1.0/24 192.168.2.0/24 都和node 20匹配。即都可发布。
[AR2810-B]dis bgp routing

Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.1.0        10.0.0.2        0          100         IGP
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 2

[AR2810-B]

对于上述论述总结如下如下：
1、route-policy 中的DENY 和applay配合无任何意义。
2、凡是在ACL 中被DENY过的条目，可以继续向下匹配。
3、在route-policy中被DENY 匹配过的条目则被DENY 不会继续匹配。
4、Route-policy用于路由策略时有一个隐含的规则为DENY ALL ，而用于策略路由时则是PERMIT ALL

附件1：
一、实验相关信息
A (s3/0) ---------(S3/0) B
1）本次测试中用到的设备为H3C AR2810 相关版本及配置信息如下:
AR2810-A:

[AR2810-A]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2008/11/28 06:04:07
System returned to ROM By  Command.

CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB      Version:4.0
Logic    Version:1.0
BootROM  Version:9.23
  [SLOT 0] AUX      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] 1FE      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] WAN      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 3] 1SA      (Hardware)1.0, (Driver)1.0, (CPLD)2.0
[AR2810-A]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua

[AR2810-A]dis cu
[AR2810-A]dis current-configuration
#
sysname AR2810-A
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
acl number 3001
rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0
#
interface Serial3/0
link-protocol ppp
ip address 10.0.0.2 255.255.255.252
#
bgp 100
network 192.168.1.0
network 192.168.2.0
undo synchronization
group tolocal internal
peer tolocal route-policy t4 export
peer 10.0.0.1 group tolocal
#
route-policy t1 permit node 10
if-match acl 3000
apply local-preference 1300
route-policy t1 permit node 20
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20
route-policy t3 deny node 10
if-match acl 3000
apply local-preference 1300
route-policy t3 permit node 20
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20
#
ip route-static 192.168.1.0 255.255.255.0 NULL 0 preference 60
ip route-static 192.168.2.0 255.255.255.0 NULL 0 preference 60
[AR2810-A]
Ar2810-B:
[AR2810-B]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2021/08/22 01:14:25
System returned to ROM By  Command.

CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB      Version:4.0
Logic    Version:1.0
BootROM  Version:9.23
  [SLOT 0] AUX      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] 1FE      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] WAN      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 3] 1SA      (Hardware)1.0, (Driver)1.0, (CPLD)2.0
[AR2810-B]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua

[AR2810-B]         dis cu
#
sysname AR2810-B
#
interface Serial3/0
clock DTECLK1
link-protocol ppp
ip address 10.0.0.1 255.255.255.252
#
bgp 100
undo synchronization
group tolocal internal
peer 10.0.0.2 group tolocal

[AR2810-B]

2）将上述拓扑中的路由器A 替换成CISCO 3640 。再次重复以上试验，得出结论与H3C的route-policy相同。相关CISCO设备版本及配置如下：
C3640#show ver
Cisco Internetwork Operating System Software
iOS (tm) 3600 Software (C3640-IK9O3S-M), Version 12.2(8)T10,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Sat 31-May-03 00:17 by kellythw
Image text-base: 0x60008930, data-base: 0x6171C000

ROM: System Bootstrap, Version 11.1(20)AA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

C3640 uptime is 16 minutes
System returned to ROM by reload
System image file is "flash:c3640-ik9o3s-mz.122-8.t10.bin"

cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
Processor board ID 13894963
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

C3640#show running-config
!
hostname C3640
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.0
encapsulation ppp
serial restart_delay 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 192.168.1.0
network 192.168.2.0
neighbor 10.0.0.1 remote-as 100
neighbor 10.0.0.1 route-map t4 out
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 Null0
ip route 192.168.2.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip host 192.168.1.0 host 255.255.255.0
access-list 102 deny   ip host 192.168.1.0 host 255.255.255.0
!
route-map t4 deny 10
match ip address 102
set local-preference 1300
!
route-map t4 permit 20
!
route-map t1 permit 10
match ip address 101
set local-preference 1300
!
route-map t1 permit 20
!
route-map t2 permit 10
match ip address 102
set local-preference 1300
!
route-map t2 permit 20
!
route-map t3 deny 10
match ip address 101
set local-preference 1300
!
route-map t3 permit 20
C3640#

阅读┊ 收藏 ┊ 喜欢 ▼ ┊打印┊举报/Report

前一篇：SDNLAB技术分享(十六)：SPRING/Segment Routing

后一篇：ip prefix中0.0.0.0的应用

新浪BLOG意见反馈留言板　欢迎批评指正