【Huawei S Series Switches Routing Policy】4 Filter-Policy

Created: Mar 22, 2017 11:12:02Latest reply: Apr 7, 2018 23:10:05 3106 2 1 0

1      Filter-Policy

In the section "Routing Policy", a filter-policy is also considered as a routing policy. A filter-policy has different filtering rules and usage than a route-policy. The following describes filter-policy principles and applications.

1.1  Filter-Policy Overview

A filter-policy is a common routing information filtering tool. In Figure 4-1, SwitchA, SwitchB, and SwitchC run a routing protocol, and routes are transmitted among these devices. A route-policy can be used to filter specific routing information as required.

Filter-policy application

图1 filter-policy的应用场景.png

 

Precautions for using a filter-policy:

l   A filter-policy is a tool often used to control receiving and advertisement of routes.

l   A filter-policy can filter only routing information but not LSAs.

l   A filter-policy can filter routing information but not change route attributes.

In the section "Routing Policy", routing policy provides two major functions: filter routing information and change route attributes. The preceding precautions indicate that a filter-policy can only filter routing information.

1.2  Filter-Policy Filtering Rules

Distance-vector routing protocols (such as RIP) and link-state routing protocols (such as OSPF) vary in principles. Therefore, filter-policy filtering rules vary between the two types of routing protocols. Table 4-1 lists differences in routing information transmission between distance-vector routing protocols and link-state routing protocols.

Differences in routing information transmission between distance-vector routing protocols and link-state routing protocols

Routing Protocol Type

Route Transmission Principles

Distance-vector routing protocols

(such as RIP)

Routing devices transmit routing information. This routing information is like roadmap for packets. The devices guide packet forwarding based on the roadmap.

Link-state routing protocols

(such as OSPF)

Routing devices transmit link state advertisements (LSAs). An LSDB is a set of LSAs and describes the entire network topology, which is like a map. The devices find the optimal forwarding path for packets based on the map and shortest path algorithm.

 

In Figure 4-2, when using distance-vector routing protocols, devices transmit routing information. To filter the routing information, use a filter-policy. Table 4-1 shows where a filter-policy takes effect in the inbound and outbound directions. To filter the routing information transmitted from an upstream device to a downstream device, you only need to configure filter-policy export on the upstream device or configure filter-policy import on the downstream device.

Filter-policy in distance-vector routing protocols

20170322111154681002.png

 

In Figure 4-3, when using link-state routing protocols, routing devices transmit LSAs and then calculate their routing tables based on the LSDB of LSAs.

The following uses OSPF as an example to describe filter-policy filtering rules:

l   The filter-policy import command filters the routes calculated by OSPF but not the LSAs advertised and received.

l   The filter-policy export command filters the imported routes to be advertised so that only eligible external routes are translated into Type 5 LSAs (AS-external-LSAs) and advertised. In this manner, imported external routes can be filtered as required to prevent routing loops.

Filter-policy in link-state routing protocols

20170322111155983003.png

 

1.3  Example for Using a Filter-Policy to Filter RIP Routes

1.3.1            Using a Filter-Policy to Filter the Routes Advertised by RIP

Requirement Description

In Figure 4-4, three switches exchange routes through RIP. Three static routes (used as test routes) are imported into the RIP process of SwitchA. It is required that the filter-policy export command be configured on SwitchB to filter the routes advertised to SwitchC, that is, deny the route 192.168.3.0/24 and permit other routes.

Using a filter-policy to filter the routes advertised by RIP

图4 对RIP发送的路由做过滤.png

 

Configuration

Define an IP prefix list on SwitchB to filter routes as required.

[SwitchB] ip ip-prefix huawei index 10 deny 192.168.3.0 24 //Deny this route.

[SwitchB] ip ip-prefix huawei index 20 permit 0.0.0.0 0 less-equal 32//Permit all routes.

Configure the filter-policy export command in the RIP view of SwitchB.

[SwitchB]rip

[SwitchB-rip-1] filter-policy ip-prefix huawei export Vlanif20

Verification

After the preceding configurations are complete, check the IP routing tables of SwitchB and SwitchC.

[SwitchB] display ip routing-table 

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 9        Routes : 9       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.1.0/24  RIP     100  1           D   192.168.10.1    Vlanif10

    192.168.2.0/24  RIP     100  1           D   192.168.10.1    Vlanif10

    192.168.3.0/24  RIP     100  1           D   192.168.10.1    Vlanif10

   192.168.10.0/24  Direct  0    0           D   192.168.10.2    Vlanif10

   192.168.10.2/32  Direct  0    0           D   127.0.0.1       Vlanif10

   192.168.20.0/24  Direct  0    0           D   192.168.20.1    Vlanif20

   192.168.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20

 

[SwitchC] display ip routing-table 

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 7        Routes : 7       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.1.0/24  RIP     100  2           D   192.168.20.1    Vlanif20

    192.168.2.0/24  RIP     100  2           D   192.168.20.1    Vlanif20

   192.168.10.0/24  RIP     100  1           D   192.168.20.1    Vlanif20

   192.168.20.0/24  Direct  0    0           D   192.168.20.2    Vlanif20

   192.168.20.2/32  Direct  0    0           D   127.0.0.1       Vlanif20

The preceding command output shows that after the filter-policy export command is configured on SwitchB, SwitchB still has a complete IP routing table; however, SwitchC cannot learn the route 192.168.3.0/24 through RIP because this route has been filtered out before being advertised by SwitchB.

1.3.2            Using a Filter-Policy to Filter the Routes Received by RIP

Requirement Description

In Figure 4-5, three switches exchange routes through RIP. Three static routes (used as test routes) are imported into the RIP process of SwitchA. It is required that the filter-policy import command be configured on SwitchB to deny the route 192.168.3.0/24 and permit other routes.

Using a filter-policy to filter the routes received by RIP

图5 对RIP接收的路由做过滤.png

 

Configuration

Define an IP prefix list on SwitchB to filter routes as required.

[SwitchB] ip ip-prefix huawei index 10 deny 192.168.3.0 24 //Deny this route.

[SwitchB] ip ip-prefix huawei index 20 permit 0.0.0.0 0 less-equal 32//Permit all routes.

Configure the filter-policy import command in the RIP view of SwitchB.

[SwitchB]rip

[SwitchB-rip-1] filter-policy ip-prefix huawei import Vlanif10

Verification

After the preceding configurations are complete, check the IP routing tables of SwitchB and SwitchC.

[SwitchB] display ip routing-table 

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 8        Routes : 8       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.1.0/24  RIP     100  1           D   192.168.10.1    Vlanif10

    192.168.2.0/24  RIP     100  1           D   192.168.10.1    Vlanif10

   192.168.10.0/24  Direct  0    0           D   192.168.10.2    Vlanif10

   192.168.10.2/32  Direct  0    0           D   127.0.0.1       Vlanif10

   192.168.20.0/24  Direct  0    0           D   192.168.20.1    Vlanif20

   192.168.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20

 

[SwitchC] display ip routing-table

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 7        Routes : 7       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.1.0/24  RIP     100  2           D   192.168.20.1    Vlanif20

    192.168.2.0/24  RIP     100  2           D   192.168.20.1    Vlanif20

   192.168.10.0/24  RIP     100  1           D   192.168.20.1    Vlanif20

   192.168.20.0/24  Direct  0    0           D   192.168.20.2    Vlanif20

   192.168.20.2/32  Direct  0    0           D   127.0.0.1       Vlanif20

The preceding command output shows that after the filter-policy import command is configured on SwitchB, the IP routing tables of SwitchB and SwitchC do not contain the route 192.168.3.0/24.

RIP is a distance-vector routing protocol and a RIP device advertises its routing table to its neighbors. When the route 192.168.3.0/24 is filtered out from the IP routing table of SwitchB, SwitchC can no longer learn this route through RIP. That is, if routes in an IP routing table of a RIP device are filtered, the IP routing tables of upstream devices of this RIP device are also affected.

Precautions:

Both the filter-policy export and filter-policy import commands are configured in the RIP process view. If routes are filtered based on interfaces or protocols, only one filter-policy can be configured for one interface or protocol. If no interface or protocol is specified, a global filter-policy is configured and similarly, only one filter-policy is configured. If multiple filter-policies are configured, only the latest filter-policy takes effect.

1.4  Example for Using a Filter-Policy to Filter OSPF Routes

1.4.1            Using a Filter-Policy to Filter the Intra-Area Routes Received by OSPF

Requirement Description

In Figure 4-6, three switches belong to OSPF Area 0. SwitchA advertises the test network segment 10.1.1.0/24. It is required that the filter-policy import command be configured on SwitchB so that the IP routing table of SwitchB does not contain the route 10.1.1.0/24.

Using a filter-policy to filter the intra-area routes received by OSPF

图6 通过filter-policy对OSPF接收的路由过滤(区域内).png

 

Configuration

Define an IP prefix list on SwitchB to filter routes as required.

[SwitchB] ip ip-prefix huawei index 10 deny 10.1.1.0 24 //Deny this route.

[SwitchB] ip ip-prefix huawei index 20 permit 0.0.0.0 0 less-equal 32//Permit all routes.

Configure the filter-policy import command in the OSPF view of SwitchB.

[SwitchB] ospf

[SwitchB-ospf-1] filter-policy ip-prefix huawei import

Verification

After the preceding configurations are complete, check the IP routing tables of SwitchB and SwitchC.

[SwitchB] display ip routing-table 

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 6        Routes : 6       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.12.0/24  Direct  0    0           D   192.168.12.2    Vlanif12

   192.168.12.2/32  Direct  0    0           D   127.0.0.1       Vlanif12

   192.168.23.0/24  Direct  0    0           D   192.168.23.1    Vlanif23

   192.168.23.1/32  Direct  0    0           D   127.0.0.1       Vlanif23

 

[SwitchC] display  ip routing-table 

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 6        Routes : 6       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

       10.1.1.0/24  OSPF    10   3           D   192.168.23.1    Vlanif23

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.12.0/24  OSPF    10   2           D   192.168.23.1    Vlanif23

   192.168.23.0/24  Direct  0    0           D   192.168.23.2    Vlanif23

   192.168.23.2/32  Direct  0    0           D   127.0.0.1       Vlanif23

The preceding command output shows that, although the route 10.1.1.0/24 has been filtered out on SwitchB, its LSA is still transmitted to SwitchC, so the IP routing table of SwitchC still contains this route. This result also confirms that in link-state routing protocols, a filter-policy filters only routing information but not LSAs.

The LSDBs of SwitchB and SwitchC still contain the LSA describing the route 10.1.1.0/24. To verify this, check LSA information on SwitchB and SwitchC.

[SwitchB] display  ospf lsdb  router 

 

    OSPF Process 1 with Router ID 10.10.10.2

                Area: 0.0.0.0

        Link State Database

……

 

  Type      : Router

  Ls id     : 10.10.10.1

  Adv rtr   : 10.10.10.1 

  Ls age    : 139

  Len       : 48

  Options   :  E 

  seq#      : 80000005

  chksum    : 0x41c4

  Link count: 2

   * Link ID: 10.1.1.0    

     Data   : 255.255.255.0

     Link Type: StubNet     

     Metric : 1

     Priority : Low

   * Link ID: 192.168.12.2

     Data   : 192.168.12.1

     Link Type: TransNet    

     Metric : 1

 

[SwitchC] display  ospf lsdb  router 

 

    OSPF Process 1 with Router ID 10.10.10.3

                Area: 0.0.0.0

        Link State Database

…….

 

  Type      : Router

  Ls id     : 10.10.10.1

  Adv rtr   : 10.10.10.1 

  Ls age    : 81

  Len       : 48

  Options   :  E 

  seq#      : 80000005

  chksum    : 0x41c4

  Link count: 2

   * Link ID: 10.1.1.0    

     Data   : 255.255.255.0

     Link Type: StubNet     

     Metric : 1

     Priority : Low

   * Link ID: 192.168.12.2

     Data   : 192.168.12.1

     Link Type: TransNet    

     Metric : 1

The preceding command output shows that the LSDBs of SwitchB and SwitchC still contain the LSA describing the route 10.1.1.0/24.

1.4.2            Using a Filter-Policy to Filter the Inter-Area Routes Received by OSPF

In Figure 4-7, there are two OSPF areas, Area 0 and Area 1. SwitchB and SwitchC transmit Type 3 LSAs, which are generated by SwitchB to describe inter-area routes. The configuration is similar to the configuration in the previous scenario. The following describes the experimental result.

Using a filter-policy to filter the inter-area routes received by OSPF

图7 通过filter-policy对OSPF接收的路由过滤(区域间).png

 

Before configuring a filter-policy, check the IP routing tables of SwitchB and SwitchC.

[SwitchB] display  ip routing-table 

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 7        Routes : 7       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

       10.1.1.0/24  OSPF    10   2           D   192.168.12.1    Vlanif12

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.12.0/24  Direct  0    0           D   192.168.12.2    Vlanif12

   192.168.12.2/32  Direct  0    0           D   127.0.0.1       Vlanif12

   192.168.23.0/24  Direct  0    0           D   192.168.23.1    Vlanif23

   192.168.23.1/32  Direct  0    0           D   127.0.0.1       Vlanif23

 

[SwitchC] display  ip routing-table 

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 6        Routes : 6       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

       10.1.1.0/24  OSPF    10   3           D   192.168.23.1    Vlanif23

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.12.0/24  OSPF    10   2           D   192.168.23.1    Vlanif23

   192.168.23.0/24  Direct  0    0           D   192.168.23.2    Vlanif23

   192.168.23.2/32  Direct  0    0           D   127.0.0.1       Vlanif23

The preceding command output shows that before a filter-policy is configured, the IP routing tables of SwitchB and SwitchC contain the route 10.1.1.0/24.

Verification

After the filter-policy import command is configured on SwitchB, check the IP routing tables of SwitchB and SwitchC.

[SwitchB] display  ip routing-table 

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 6        Routes : 6       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.12.0/24  Direct  0    0           D   192.168.12.2    Vlanif12

   192.168.12.2/32  Direct  0    0           D   127.0.0.1       Vlanif12

   192.168.23.0/24  Direct  0    0           D   192.168.23.1    Vlanif23

   192.168.23.1/32  Direct  0    0           D   127.0.0.1       Vlanif23

 

[SwitchC] display ip routing-table

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 5        Routes : 5       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.12.0/24  OSPF    10   2           D   192.168.23.1    Vlanif23

   192.168.23.0/24  Direct  0    0           D   192.168.23.2    Vlanif23

   192.168.23.2/32  Direct  0    0           D   127.0.0.1       Vlanif23

There are two OSPF areas. The route 10.1.1.0/24 on SwitchC is described by the Type 3 LSA generated by SwitchB, but this route has been filtered out by SwitchB. Therefore, the Type 3 LSA describing an inter-area route cannot be generated, and SwitchC cannot learn the route 10.1.1.0/24 again.

For more details, click the following hyperlink:

1 Routing Policy

Describes various tools used in routing policy and invoking between these tools.

2 Route-Policy

Describes the components, matching rules, and applications of route-policy.

3 IP Prefix List

Describes how to use an IP prefix list and differences between it and ACL.

4 Filter-Policy

Describes filter-policy principles and applications.

5 BGP Routing Policy (1)

Describes applications of IP prefix list, filter-policy, and route-policy in BGP.

6 BGP Routing Policy (2)

Describes applications of AS_Path filter and Community attribute in BGP.

Collection of Chapters 1 Through 6 (Click Here to Download the PDF Document)

Provides the collection of the preceding chapters.

 

 

This post was last edited by 交换机在江湖 at 2017-03-22 11:39.
  • x
  • convention:

user_2790689     Created Mar 22, 2017 13:39:47 Helpful(0) Helpful(0)

Good
  • x
  • convention:

wissal  Visitor   Created Apr 7, 2018 23:10:05 Helpful(0) Helpful(0)

useful document, thanks
  • x
  • convention:

Reply

Reply
You need to log in to reply to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Fast reply Scroll to top