Route-Policy 路由策略規則詳解

時間 2020-01-27

原文原文鏈接

ROUTE-POLICY 路由策略規則詳解 node

在實際工程中常常用到route-policy的狀況，下面對route-policy和ACL的詳細匹配規則作以說明： app

1、標準訪問列表：
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255

此類ACL用於route-policy時作前綴匹配，即路由條目和規則條目作 AND 運算，結果落在反掩碼的包含範圍以內的則匹配成功。
對於上述配置：192.168.1.0/24  192.168.1.0 /25 192.168.1.0/30 等都可匹配，可是192.168.1.0/16 等則匹配不成功。 //掩碼長度不能比源掩碼短，不然不成功
2、擴展訪問列表：
acl number 3000
rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
acl number 3001
rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0
此類ACL比較特殊，源和目的的掩碼均要爲0 。用於route-policy 是要作嚴格的匹配，即前綴要和source 匹配，前綴的掩碼部分要和destination匹配。
對於上述配置3000來講，則只有192.168.1.0/24可與之匹配。此類列表和Route-policy配合可用於嚴格的匹配一條路由條目。
3、 permit+permit的route-policy
route-policy t1 permit node 10
if-match acl 3000
apply local-preference 1300
route-policy t1 permit node 20
對於route-policy的permit規則來講，凡是可以匹配ACL permit規則的條目就執行node 10中的apply 規則，並再也不繼續匹配下面的規則。不可以匹配ACL permit規則的條目，就繼續執行下一個 node 20中的相應規則。
對於上述配置的結果是192.168.1.0/24匹配node 10 被修改LP屬性爲1300 ，而192.168.2.0/24 則匹配node 20 不作任何修改。2個條目均可以通告。
[AR2810-B]dis bgp routing
Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.1.0        10.0.0.2        0          1300        IGP
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 2

[AR2810-B]
4、permit+deny 的route-policy
#
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20

對於route-policy 的permit規則來講，凡是明確和ACL 的deny 規則匹配的則不執行node 10中的apply規則。而且會繼續執行下一個node 20 進行匹配。
對於上述配置的結果是：192.168.1.0/24 和node 10 匹配，被 DENY 。可是會繼續和後面的nod 20 匹配。上述規則192.168.1.0/24 192.168.2.0/24條目均可被通告。
[AR2810-B]dis bgp routing

Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.1.0        10.0.0.2        0          100         IGP
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 2

[AR2810-B]

5、 deny+permit 的route-policy
#
route-policy t3 deny node 10
if-match acl 3000
apply local-preference 1300
route-policy t3 permit node 20

對於route-policy的deny規則來講，凡是和ACL的permit規則匹配的條目都被DENY掉。未匹配的條目則繼續向下匹配。
對於上述配置的結果是：192.168.1.0/24和node 10 匹配，被DENY 掉。而192.168.2.0/24則和node 20 匹配。上述規則只有192.168.2.0/24可被通告。

[AR2810-B]dis bgp routing

Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 1

[AR2810-B]
6、 deny+deny 的 route-policy
#
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20

對於route-policy的Deny規則來講，凡是和ACL 的deny規則明確匹配的條目被node 10 Deny，而且向下繼續匹配後續的規則。這就產生了雙重DENY 變成 permit的效果。
對於上述配置的結果是：192.168.1.0/24 192.168.2.0/24 都和node 20匹配。即均可發佈。
[AR2810-B]dis bgp routing

Flags:  # - valid       ^ - active      I - internal
        D - damped      H - history     S - aggregate suppressed

    Dest/Mask          Next-Hop        Med        Local-pref Origin Path
   --------------------------------------------------------------------------
#^I 192.168.1.0        10.0.0.2        0          100         IGP
#^I 192.168.2.0        10.0.0.2        0          100         IGP

  Routes total: 2

[AR2810-B]

對於上述論述總結以下以下：
一、route-policy 中的DENY 和applay配合無任何意義。
二、凡是在ACL 中被DENY過的條目，能夠繼續向下匹配。
三、在route-policy中被DENY 匹配過的條目則被DENY 不會繼續匹配。
四、Route-policy用於路由策略時有一個隱含的規則爲DENY ALL ，而用於策略路由時則是PERMIT ALL

附件1：
1、實驗相關信息
A (s3/0) ---------(S3/0) B
1）本次測試中用到的設備爲H3C AR2810 相關版本及配置信息以下:
AR2810-A:

[AR2810-A]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2008/11/28 06:04:07
System returned to ROM By  Command.

CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB      Version:4.0
Logic    Version:1.0
BootROM  Version:9.23
  [SLOT 0] AUX      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] 1FE      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] WAN      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 3] 1SA      (Hardware)1.0, (Driver)1.0, (CPLD)2.0
[AR2810-A]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua

[AR2810-A]dis cu
[AR2810-A]dis current-configuration
#
sysname AR2810-A
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0 destination 255.255.255.0 0
acl number 3001
rule 0 deny ip source 192.168.1.0 0 destination 255.255.255.0 0
#
interface Serial3/0
link-protocol ppp
ip address 10.0.0.2 255.255.255.252
#
bgp 100
network 192.168.1.0
network 192.168.2.0
undo synchronization
group tolocal internal
peer tolocal route-policy t4 export
peer 10.0.0.1 group tolocal
#
route-policy t1 permit node 10
if-match acl 3000
apply local-preference 1300
route-policy t1 permit node 20
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20
route-policy t3 deny node 10
if-match acl 3000
apply local-preference 1300
route-policy t3 permit node 20
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20
#
ip route-static 192.168.1.0 255.255.255.0 NULL 0 preference 60
ip route-static 192.168.2.0 255.255.255.0 NULL 0 preference 60
[AR2810-A]
Ar2810-B:
[AR2810-B]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 13 minutes
Last reboot 2021/08/22 01:14:25
System returned to ROM By  Command.

CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB      Version:4.0
Logic    Version:1.0
BootROM  Version:9.23
  [SLOT 0] AUX      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] 1FE      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 0] WAN      (Hardware)4.0, (Driver)1.0, (CPLD)1.0
  [SLOT 3] 1SA      (Hardware)1.0, (Driver)1.0, (CPLD)2.0
[AR2810-B]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua

[AR2810-B]         dis cu
#
sysname AR2810-B
#
interface Serial3/0
clock DTECLK1
link-protocol ppp
ip address 10.0.0.1 255.255.255.252
#
bgp 100
undo synchronization
group tolocal internal
peer 10.0.0.2 group tolocal

[AR2810-B]

2）將上述拓撲中的路由器A 替換成CISCO 3640 。再次重複以上試驗，得出結論與H3C的route-policy相同。相關CISCO設備版本及配置以下：
C3640#show ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IK9O3S-M), Version 12.2(8)T10,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Sat 31-May-03 00:17 by kellythw
Image text-base: 0x60008930, data-base: 0x6171C000

ROM: System Bootstrap, Version 11.1(20)AA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

C3640 uptime is 16 minutes
System returned to ROM by reload
System p_w_picpath file is "flash:c3640-ik9o3s-mz.122-8.t10.bin"

cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
Processor board ID 13894963
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

C3640#show running-config
!
hostname C3640
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.0
encapsulation ppp
serial restart_delay 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 192.168.1.0
network 192.168.2.0
neighbor 10.0.0.1 remote-as 100
neighbor 10.0.0.1 route-map t4 out
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 Null0
ip route 192.168.2.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip host 192.168.1.0 host 255.255.255.0
access-list 102 deny   ip host 192.168.1.0 host 255.255.255.0
!
route-map t4 deny 10
match ip address 102
set local-preference 1300
!
route-map t4 permit 20
!
route-map t1 permit 10
match ip address 101
set local-preference 1300
!
route-map t1 permit 20
!
route-map t2 permit 10
match ip address 102
set local-preference 1300
!
route-map t2 permit 20
!
route-map t3 deny 10
match ip address 101
set local-preference 1300
!
route-map t3 permit 20
C3640#less