ROUTE-POLICY 路由策略 規則詳解 node
在實際工程中常常用到route-policy的狀況,下面對route-policy和ACL的詳細匹配規則作以說明: app
1、 標準訪問列表:
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
此類ACL用於route-policy時作前綴匹配,即路由條目和規則條目作 AND 運算 ,結果落在反掩碼的包含範圍以內的則匹配成功。
對於上述配置:192.168.1.0/24 192.168.1.0 /25 192.168.1.0/30 等都可匹配,可是192.168.1.0/16 等則匹配不成功。 //掩碼長度不能比源掩碼短,不然不成功
2、 擴展訪問列表:
acl number 3000
rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
acl number 3001
rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0
此類ACL比較特殊,源和目的的掩碼均要爲0 。用於route-policy 是要作嚴格的匹配,即前綴要和source 匹配,前綴的掩碼部分要和destination匹配。
對於上述配置3000來講,則只有192.168.1.0/24可與之匹配。此類列表和Route-policy配合可用於嚴格的匹配一條路由條目。
3、 permit+permit的route-policy
route-policy t1 permit node 10
if-match acl 3000
apply local-preference 1300
route-policy t1 permit node 20
對於route-policy的permit規則來講,凡是可以匹配ACL permit規則的條目就執行node 10中的apply 規則,並再也不繼續匹配下面的規則。不可以匹配ACL permit規則的條目,就繼續執行下一個 node 20中的相應規則。
對於上述配置的結果是192.168.1.0/24匹配node 10 被修改LP屬性爲1300 ,而192.168.2.0/24 則匹配node 20 不作任何修改。2個條目均可以通告。
[AR2810-B]dis bgp routing
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
--------------------------------------------------------------------------
#^I 192.168.1.0 10.0.0.2 0 1300 IGP
#^I 192.168.2.0 10.0.0.2 0 100 IGP
Routes total: 2
[AR2810-B]
4、permit+deny 的route-policy
#
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20
對於route-policy 的permit規則來講,凡是明確和ACL 的deny 規則匹配的則不執行node 10中的apply規則。而且會繼續執行下一個node 20 進行匹配 。
對於上述配置的結果是:192.168.1.0/24 和node 10 匹配,被 DENY 。可是會繼續和後面的nod 20 匹配 。上述規則192.168.1.0/24 192.168.2.0/24條目均可被通告。
[AR2810-B]dis bgp routing
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
--------------------------------------------------------------------------
#^I 192.168.1.0 10.0.0.2 0 100 IGP
#^I 192.168.2.0 10.0.0.2 0 100 IGP
Routes total: 2
[AR2810-B]
5、 deny+permit 的route-policy
#
route-policy t3 deny node 10
if-match acl 3000
apply local-preference 1300
route-policy t3 permit node 20
對於route-policy的deny規則來講,凡是和ACL的permit規則匹配的條目都被DENY掉。未匹配的條目則繼續向下匹配。
對於上述配置的結果是:192.168.1.0/24和node 10 匹配,被DENY 掉。而192.168.2.0/24則和node 20 匹配。上述規則只有192.168.2.0/24可被通告。
[AR2810-B]dis bgp routing
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
--------------------------------------------------------------------------
#^I 192.168.2.0 10.0.0.2 0 100 IGP
Routes total: 1
[AR2810-B]
6、 deny+deny 的 route-policy
#
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20
對於route-policy的Deny規則來講,凡是和ACL 的deny規則明確匹配的條目被node 10 Deny,而且向下繼續匹配後續的規則。這就產生了雙重DENY 變成 permit的效果。
對於上述配置的結果是:192.168.1.0/24 192.168.2.0/24 都和node 20匹配。即均可發佈。
[AR2810-B]dis bgp routing
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
--------------------------------------------------------------------------
#^I 192.168.1.0 10.0.0.2 0 100 IGP
#^I 192.168.2.0 10.0.0.2 0 100 IGP
Routes total: 2
[AR2810-B]
對於上述論述總結以下以下:
一、route-policy 中的DENY 和applay配合無任何意義。
二、凡是在ACL 中被DENY過的條目,能夠繼續向下匹配。
三、在route-policy中被DENY 匹配過的條目則被DENY 不會繼續匹配。
四、Route-policy用於路由策略時有一個隱含的規則爲DENY ALL ,而用於策略路由時則是PERMIT ALL
附件1:
1、 實驗相關信息
A (s3/0) ---------(S3/0) B
1)本次測試中用到的設備爲H3C AR2810 相關版本及配置信息以下:
AR2810-A:
[AR2810-A]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2008/11/28 06:04:07
System returned to ROM By Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version:4.0
Logic Version:1.0
BootROM Version:9.23
[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0
[AR2810-A]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
[AR2810-A]dis cu
[AR2810-A]dis current-configuration
#
sysname AR2810-A
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
acl number 3001
rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0
#
interface Serial3/0
link-protocol ppp
ip address 10.0.0.2 255.255.255.252
#
bgp 100
network 192.168.1.0
network 192.168.2.0
undo synchronization
group tolocal internal
peer tolocal route-policy t4 export
peer 10.0.0.1 group tolocal
#
route-policy t1 permit node 10
if-match acl 3000
apply local-preference 1300
route-policy t1 permit node 20
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20
route-policy t3 deny node 10
if-match acl 3000
apply local-preference 1300
route-policy t3 permit node 20
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20
#
ip route-static 192.168.1.0 255.255.255.0 NULL 0 preference 60
ip route-static 192.168.2.0 255.255.255.0 NULL 0 preference 60
[AR2810-A]
Ar2810-B:
[AR2810-B]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2021/08/22 01:14:25
System returned to ROM By Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version:4.0
Logic Version:1.0
BootROM Version:9.23
[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0
[AR2810-B]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
[AR2810-B] dis cu
#
sysname AR2810-B
#
interface Serial3/0
clock DTECLK1
link-protocol ppp
ip address 10.0.0.1 255.255.255.252
#
bgp 100
undo synchronization
group tolocal internal
peer 10.0.0.2 group tolocal
[AR2810-B]
2)將上述拓撲中的路由器A 替換成CISCO 3640 。再次重複以上試驗,得出結論與H3C的route-policy相同。相關CISCO設備版本及配置以下:
C3640#show ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IK9O3S-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Sat 31-May-03 00:17 by kellythw
Image text-base: 0x60008930, data-base: 0x6171C000
ROM: System Bootstrap, Version 11.1(20)AA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
C3640 uptime is 16 minutes
System returned to ROM by reload
System p_w_picpath file is "flash:c3640-ik9o3s-mz.122-8.t10.bin"
cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
Processor board ID 13894963
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
C3640#show running-config
!
hostname C3640
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.0
encapsulation ppp
serial restart_delay 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 192.168.1.0
network 192.168.2.0
neighbor 10.0.0.1 remote-as 100
neighbor 10.0.0.1 route-map t4 out
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 Null0
ip route 192.168.2.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip host 192.168.1.0 host 255.255.255.0
access-list 102 deny ip host 192.168.1.0 host 255.255.255.0
!
route-map t4 deny 10
match ip address 102
set local-preference 1300
!
route-map t4 permit 20
!
route-map t1 permit 10
match ip address 101
set local-preference 1300
!
route-map t1 permit 20
!
route-map t2 permit 10
match ip address 102
set local-preference 1300
!
route-map t2 permit 20
!
route-map t3 deny 10
match ip address 101
set local-preference 1300
!
route-map t3 permit 20
C3640#less