资源描述
ROUTE-POLICY 策略路由规则详解
在工程中经常遇到route-policy用于策略路由的情况,下面就对route-polic和ACL间的匹配规则详解如下:
一、 试验环境
A(E0/0)--192.168.1.0--(E0/0)B(S0/0)--10.0.0.0--(S0/0)C(E0/0)--192.168.2.0--(E0/0)D
拓扑说明:
AB之间的网段为192.168.1.0 。AB分别通过E0/0口互联。
CD之间的网段为192.168.2.0 。CD分别通过E0/0口互联。
BC之间分别通过S0/0 中间通过帧中继交换机互联,共配置3个子接口,DLCI分别是100 200 300(两端相同)。
二、 测试结论:
未做任何策略
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0=
在路由器A Tracert路由结果如下:
<AR2810-A>dis clock
08:48:03 UTC Fri 11/28/2008
<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2
traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet
Press CTRL_C to break
1 192.168.1.1 3 ms 1 ms 2 ms
2 10.0.0.10 19 ms 18 ms 19 ms
3 192.168.2.2 20 ms 21 ms 20 ms
由此可得出未做route-policy的时候,是按照全局路由表中的路由条目转发数据流的。
1、 permit+permit
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip policy route-policy t1
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
route-policy t1 permit node 10
if-match acl 3000
apply ip-address next-hop 10.0.0.2
route-policy t1 permit node 20
apply ip-address next-hop 10.0.0.6
在路由器A Tracert路由结果如下:
<AR2810-A>dis clock
08:50:33 UTC Fri 11/28/2008
<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2
traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet
Press CTRL_C to break
1 192.168.1.1 2 ms 2 ms 1 ms
2 10.0.0.2 20 ms 20 ms 22 ms
3 192.168.2.2 19 ms 20 ms 19 ms
由此结果可得出此时数据流匹配了规则node 10 。也就是route-policy permit对于和ACL permit规则匹配的数据流执行node 10中的匹配规则。
2、 permit+deny
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip policy route-policy t2
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20
apply ip-address next-hop 10.0.0.6
在路由器A Tracert路由结果如下:
<AR2810-A>dis clock
08:53:00 UTC Fri 11/28/2008
<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2
traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet
Press CTRL_C to break
1 192.168.1.1 2 ms 2 ms 4 ms
2 10.0.0.6 19 ms 19 ms 20 ms
3 192.168.2.2 20 ms 20 ms 20 ms
由此结果的得出route-policy 的permit 对于和ACL DENY 规则相匹配的数据流,不执行node 10 中的策略,而是继续匹配下面的规则。
3、 deny+permit
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip policy route-policy t3
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
route-policy t3 deny node 10
if-match acl 3000
apply ip-address next-hop 10.0.0.2
route-policy t3 permit node 20
apply ip-address next-hop 10.0.0.6
在路由器A Tracert路由结果如下:
<AR2810-A>dis clock
08:54:42 UTC Fri 11/28/2008
<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2
traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet
Press CTRL_C to break
1 192.168.1.1 2 ms 2 ms 1 ms
2 10.0.0.10 19 ms 18 ms 19 ms
3 192.168.2.2 20 ms 20 ms 22 ms
由此结果可得出,route-policy 的deny 对于和ACL permit规则相匹配的数据流直接进行DENY ,并且不再匹配后续的规则,而是转入了系统全局路由表执行常规的路由策略。
4、 deny+deny
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip policy route-policy t4
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20
apply ip-address next-hop 10.0.0.6
在路由器A Tracert路由结果如下:
<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2
traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet
Press CTRL_C to break
1 192.168.1.1 3 ms 2 ms 2 ms
2 10.0.0.6 19 ms 18 ms 22 ms
3 192.168.2.2 20 ms 21 ms 19 ms
有此结果可得出:route-policy deny 对于和ACL deny 规则相匹配的数据流,不会执行node 10的规则,但是会继续匹配下面的规则。
三、 总结策略路由规则如下:
1、 对于和ACL的匹配和常规的ACL匹配规则完全一致,没有什么不同。
2、 对于策略路由来说router-policy 尽管也有缺省DENY的规则,但是被DENY的数据流不会丢弃,只是不进行策略路由而已。(对于路由策略则不一样)。
附件1:
相关版本和配置信息:
路由器A:
<AR2810-A> dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 39 minutes
Last reboot 2008/11/28 07:22:50
System returned to ROM By <Reboot> Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version:4.0
Logic Version:1.0
BootROM Version:9.23
[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0
<AR2810-A>vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
<AR2810-A>dis cu
<AR2810-A>dis current-configuration
#
sysname AR2810-A
#
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 preference 60
路由器B:
[AR2810-B]dis version
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 0 hour, 53 minutes
Last reboot 2021/08/22 03:19:36
System returned to ROM By <Reboot> Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version:4.0
Logic Version:1.0
BootROM Version:9.23
[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0
[AR2810-B]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
[AR2810-B]dis current-configuration
#
sysname AR2810-B
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip policy route-policy t4
#
interface Serial0/0
link-protocol fr
#
interface Serial0/0.100
fr dlci 100
ip address 10.0.0.1 255.255.255.252
#
interface Serial0/0.200
fr dlci 200
ip address 10.0.0.5 255.255.255.252
#
interface Serial0/0.300
fr dlci 300
ip address 10.0.0.9 255.255.255.252
#
route-policy t1 permit node 10
if-match acl 3000
apply ip-address next-hop 10.0.0.2
route-policy t1 permit node 20
apply ip-address next-hop 10.0.0.6
route-policy t2 permit node 10
if-match acl 3001
apply local-preference 2300
route-policy t2 permit node 20
apply ip-address next-hop 10.0.0.6
route-policy t3 deny node 10
if-match acl 3000
apply ip-address next-hop 10.0.0.2
route-policy t3 permit node 20
apply ip-address next-hop 10.0.0.6
route-policy t4 deny node 10
if-match acl 3001
apply local-preference 2300
route-policy t4 permit node 20
apply ip-address next-hop 10.0.0.6
#
ip route-static 192.168.2.0 255.255.255.0 10.0.0.10 preference 60
路由器C:
[AR2810-C]dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 2 hours, 59 minutes
Last reboot 2000/10/11 00:54:49
System returned to ROM By <Reboot> Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version:4.0
Logic Version:1.0
BootROM Version:9.23
[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0
[AR2810-C]vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
[AR2810-C]dis cu
#
sysname AR2810-C
#
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
#
interface Serial0/0
clock DTECLK1
link-protocol fr
#
interface Serial0/0.100
fr dlci 100
ip address 10.0.0.2 255.255.255.252
#
interface Serial0/0.200
fr dlci 200
ip address 10.0.0.6 255.255.255.252
#
interface Serial0/0.300
fr dlci 300
ip address 10.0.0.10 255.255.255.252
#
ip route-static 192.168.1.0 255.255.255.0 10.0.0.9 preference 60
路由器D:
<AR2810-D>dis ver
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-10 uptime is 0 week, 0 day, 3 hours, 0 minute
Last reboot 2000/10/11 01:00:09
System returned to ROM By <Reboot> Command.
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
PCB Version:1.0
Logic Version:1.0
BootROM Version:9.23
[SLOT 0] AUX (Hardware)1.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] 1FE (Hardware)1.0, (Driver)1.0, (CPLD)1.0
[SLOT 0] WAN (Hardware)1.0, (Driver)1.0, (CPLD)1.0
<AR2810-D>vrbd
Routing Platform Software
Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE
Compiled Oct 22 2008 18:24:10 by jiahua
<AR2810-D>dis cu
#
sysname AR2810-D
#
interface Ethernet0/0
ip address 192.168.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 60
展开阅读全文
浙ICP备2021020529号-1 | 浙B2-20240490 
