Recommended answer

This post refers to the 3 IP prefix list, as part of the Huawei S Series Switches Routing Policy. Please have a look below for more details.

1 IP Prefix List

To filter received, advertised, and imported routes or to set attributes for routes, you first need to match the required routes using ACLs or an IP prefix list. In the preceding section about route-policy, ACLs are used to match routes. This section describes how to use an IP prefix list to match routes. First, let's learn the differences between ACL and IP prefix list.

1.1 Differences Between ACL and IP Prefix List

The following two examples can help differentiate ACL and IP prefix list.

1.1.1 Example 1 Using ACLs to Filter Imported Routes

In Figure 3-1, ACLs are configured to import two RIP routes into OSPF and set attributes for the routes.

[Figure: Using ACLs to filter imported routes]
Check the IP routing table of SwitchB. The following command output shows that it contains two RIP routes 192.168.2.0/24 and 192.168.3.0/24. Now the two RIP routes need to be readvertised into OSPF and the costs of the two routes 192.168.2.0/24 and 192.168.3.0/24 need to be set to 10 and 20 respectively.

    [SwitchB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    -----------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 8        Routes : 8

    Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
    10.1.1.0/24         Direct  0    0     D      10.1.1.1      Vlanif20
    10.1.1.1/32         Direct  0    0     D      127.0.0.1     Vlanif20
    127.0.0.0/8         Direct  0    0     D      127.0.0.1     InLoopBack0
    127.0.0.1/32        Direct  0    0     D      127.0.0.1     InLoopBack0
    192.168.1.0/24      Direct  0    0     D      192.168.1.2   Vlanif10
    192.168.1.2/32      Direct  0    0     D      127.0.0.1     Vlanif10
    192.168.2.0/24      RIP     100  1     D      192.168.1.1   Vlanif10
    192.168.3.0/24      RIP     100  1     D      192.168.1.1   Vlanif10

Configure ACLs to match the required routes.

    # Configure a basic ACL 2001 to match the route 192.168.2.0.
    [SwitchB] acl 2001
    [SwitchB-acl-basic-2001] rule permit source 192.168.2.0 0
    [SwitchB-acl-basic-2001] quit
    # Configure a basic ACL 2002 to match the route 192.168.3.0.
    [SwitchB] acl 2002
    [SwitchB-acl-basic-2002] rule permit source 192.168.3.0 0
    [SwitchB-acl-basic-2002] quit

Configure a route-policy and apply it to the imported routes.

    # Configure node 10 in the route-policy RP to set the cost of the route matching the basic ACL 2001 to 10.
    [SwitchB] route-policy RP permit node 10
    [SwitchB-route-policy] if-match acl 2001
    [SwitchB-route-policy] apply cost 10
    [SwitchB-route-policy] quit
    # Configure node 20 in the route-policy RP to set the cost of the route matching the basic ACL 2002 to 20.
    [SwitchB] route-policy RP permit node 20
    [SwitchB-route-policy] if-match acl 2002
    [SwitchB-route-policy] apply cost 20
    [SwitchB-route-policy] quit
    # Import the RIP routes permitted by the route-policy RP into OSPF.
    [SwitchB] OSPF
    [SwitchB-ospf-1] import-route rip 1 route-policy RP
    [SwitchB-ospf-1] quit

After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that the two RIP routes have been imported and their costs have been configured as required.

    <SwitchC> display ip routing-table
    Route Flags: R - relay, D - download to fib
    -----------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 6        Routes : 6

    Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
    10.1.1.0/24         Direct  0    0     D      10.1.1.2      Vlanif20
    10.1.1.2/32         Direct  0    0     D      127.0.0.1     Vlanif20
    127.0.0.0/8         Direct  0    0     D      127.0.0.1     InLoopBack0
    127.0.0.1/32        Direct  0    0     D      127.0.0.1     InLoopBack0
    192.168.2.0/24      O_ASE   150  10    D      10.1.1.1      Vlanif20
    192.168.3.0/24      O_ASE   150  20    D      10.1.1.1      Vlanif20

1.1.2 Example 2 Using an IP Prefix List to Filter Imported Routes

In Figure 3-2, SwitchB has two static routes, but only the static route 192.168.0.0/16 needs to be imported into OSPF.

[Figure: Using an IP prefix list to filter imported routes]
Check the IP routing table of SwitchB. The following command output shows that it has two static routes 192.168.0.0/16 and 192.168.0.0/24. Now only the route 192.168.0.0/16 needs to be readvertised into OSPF.

    [SwitchB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    -----------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 6        Routes : 6

    Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
    10.10.12.0/24       Direct  0    0     D      10.10.12.1    Vlanif10
    10.10.12.1/32       Direct  0    0     D      127.0.0.1     Vlanif10
    127.0.0.0/8         Direct  0    0     D      127.0.0.1     InLoopBack0
    127.0.0.1/32        Direct  0    0     D      127.0.0.1     InLoopBack0
    192.168.0.0/16      Static  60   0     D      0.0.0.0       NULL0
    192.168.0.0/24      Static  60   0     D      0.0.0.0       NULL0

First, you try to use an ACL to meet this requirement.

Configure a basic ACL 2001.

    [SwitchB] acl 2001
    [SwitchB-acl-basic-2001] rule permit source 192.168.0.0 0.0.255.255
    [SwitchB-acl-basic-2001] quit

Configure a route-policy and apply it to the imported routes.

    # Configure node 10 in the route-policy RP to permit the route matching the basic ACL 2001 and deny all the unmatched routes.
    [SwitchB] route-policy RP permit node 10
    [SwitchB-route-policy] if-match acl 2001
    [SwitchB-route-policy] quit
    # Import the static route permitted by the route-policy RP into OSPF.
    [SwitchB] OSPF
    [SwitchB-ospf-1] import-route static route-policy RP
    [SwitchB-ospf-1] quit

After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that the two routes to 192.168.0.0 have been imported. This is because in the ACL 2001 rule permit source 192.168.0.0 0.0.255.255, 0.0.255.255 indicates a wildcard but not the mask length. After a wildcard is converted into a binary number, 0 indicates that routes need to match this ACL, while 1 indicates that routes do not. For example, 192.168.0.0 0.0.255.255 specifies a route prefix range: 192.168.0.0 to 192.168.255.255. The two routes 192.168.0.0/16 and 192.168.0.0/24 both match the ACL 2001. Therefore, the two routes match node 10 in the route-policy RP and both are imported into OSPF. ACLs cannot ensure that only the route 192.168.0.0/16 or 192.168.0.0/24 is matched because ACLs can match only network ID but not mask.

    <SwitchC> display ip routing-table
    Route Flags: R - relay, D - download to fib
    -----------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 6        Routes : 6

    Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
    10.10.12.0/24       Direct  0    0     D      10.10.12.2    Vlanif10
    10.10.12.2/32       Direct  0    0     D      127.0.0.1     Vlanif10
    127.0.0.0/8         Direct  0    0     D      127.0.0.1     InLoopBack0
    127.0.0.1/32        Direct  0    0     D      127.0.0.1     InLoopBack0
    192.168.0.0/16      O_ASE   150  1     D      10.10.12.1    Vlanif10
    192.168.0.0/24      O_ASE   150  1     D      10.10.12.1    Vlanif10

The following uses an IP prefix list to filter the imported routes. Check whether an IP prefix list can ensure that only the route 192.168.0.0/16 is imported and the route 192.168.0.0/24 is filtered out.

Configure an IP prefix list to permit the required route.

    # Configure an IP prefix list huawei and configure node 10 to permit the route 192.168.0.0/16.
    [SwitchB] ip ip-prefix huawei index 10 permit 192.168.0.0 16

Configure a route-policy and apply it to the imported routes.

    # Configure a route-policy RP and configure node 10 to permit the route that matches the IP prefix list huawei and deny all the unmatched routes.
    [SwitchB] route-policy RP permit node 10
    [SwitchB-route-policy] if-match ip-prefix huawei
    [SwitchB-route-policy] quit
    # Import the static route permitted by the route-policy RP into OSPF.
    [SwitchB] OSPF
    [SwitchB-ospf-1] import-route static route-policy RP
    [SwitchB-ospf-1] quit

After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that only the route 192.168.0.0/16 is imported into OSPF.

    <SwitchC> display ip routing-table
    Route Flags: R - relay, D - download to fib
    -----------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 5        Routes : 5

    Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
    10.10.12.0/24       Direct  0    0     D      10.10.12.2    Vlanif10
    10.10.12.2/32       Direct  0    0     D      127.0.0.1     Vlanif10
    127.0.0.0/8         Direct  0    0     D      127.0.0.1     InLoopBack0
    127.0.0.1/32        Direct  0    0     D      127.0.0.1     InLoopBack0
    192.168.0.0/16      O_ASE   150  1     D      10.10.12.1    Vlanif10

1.2 Principles and Applications of IP Prefix List

1.2.1 Filtering Rules

An IP prefix list can contain multiple index entries, each of which corresponds to a filtering rule. In Figure 3-3, the system matches the routes to be filtered against entries in ascending order of index number.

- If a route matches a permit entry, this route is permitted. If a route matches a deny entry, this route is denied.
- If a route does not match any entry in the IP prefix list, this route is denied.

[Figure: Matching principles of an IP prefix list]

Route filtering rules of an IP prefix list: sequential match, unique match, and deny by default.

- Sequential match: Routes to be filtered are matched against entries in ascending order of index number. If different index numbers are configured for entries in the same IP prefix list, different filtering results may be obtained. Therefore, exercise caution when configuring index numbers.
- Unique match: If a route to be filtered matches one entry, it no longer tries to match other entries.
- Deny by default: By default, all the routes that do not match any entry are denied. Therefore, after one or multiple deny entries are created in an IP prefix list, one entry needs to be created to permit all the other routes.

1.2.2 Mask Matching

An IP prefix list can be used to match a route mask, which is an advantage compared to ACL. In the preceding example, a mask has been used in exact route match. Additionally, an IP prefix list can also be used to match a mask range.

An IP prefix list is configured using the ip ip-prefix command, for example:

    ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]

In this command, ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ] defines the network ID and mask range of routes to be filtered. Table 3-1 describes parameters in this command.

[Table: An address range in an IP prefix list]

When a route to be filtered has matched a network ID, the mask length can be matched exactly or within a specified mask length.

- If both greater-equal and less-equal are not configured in the command, exact match is performed on routes. That is, only the routes with the specified mask-length are matched.
- If only greater-equal is configured in the command, the mask length range used for matching routes is [greater-equal-value, 32].
- If only less-equal is configured in the command, the mask length range used for matching routes is [mask-length, less-equal-value].
- If both greater-equal and less-equal are configured in the command, the mask length range used for matching routes is [greater-equal-value, less-equal-value].

1.2.3 Applications

Assume that there are routes 10.1.1.0/24, 10.1.1.0/26, 10.1.1.1/32, 10.2.2.0/24, and 10.1.0.0/16. How to use an IP prefix list to filter routes as required to meet the following requirements?

- Permit only one route, for example, permit only the route 10.1.1.0/24.
- Permit only the routes with the same network ID but different masks and deny other routes. For example, permit only three routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32.
- Deny only one route and permit the other routes, for example, deny only the route 10.1.1.0/24.

Find the answers in the following examples:

-------- Example 1 Single-node exact match --------

- Example 1

    ip ip-prefix test index 10 permit 10.1.1.0 24

Matching result: Only the route 10.1.1.0/24 is permitted, and other routes are denied.
Only the route with the specified network ID and mask is permitted.

-------- Examples 2 through 4 Match against the specified mask range --------

- Example 2

    ip ip-prefix test index 10 permit 10.1.1.0 24 less-equal 32

Matching result: Only the routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 24-32 are permitted.

- Example 3

    ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26

Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted.

- Example 4

    ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26 less-equal 32

Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted. The matching result is the same as that of Example 3.

-------- Examples 5 and 6 Match against the wildcard address (0.0.0.0) --------

The wildcard address 0.0.0.0 indicates that the network ID is not specified and only the mask range needs to be matched. Table 3-2 lists special wildcard addresses.

[Table: Special wildcard addresses]

An IP prefix list uses the matching rule of deny by default. After one or multiple deny entries are created, an entry permit 0.0.0.0 0 less-equal 32 needs to be created to permit other routes.

- Example 5

    ip ip-prefix test index 10 permit 0.0.0.0 8 less-equal 32

Matching result: All the five routes are permitted.
All the routes with the mask length 8-32 are permitted.

- Example 6

    ip ip-prefix test index 10 deny 10.1.1.0 24
    ip ip-prefix test index 20 permit 0.0.0.0 0 less-equal 32

Matching result: Only the route 10.1.1.0/24 is denied, and other routes are permitted.
The route 10.1.1.0/24 matches the entry with index number 10 in the IP prefix list test, but the matching mode is deny. Therefore, this route is denied. The entry with index number 20 permit 0.0.0.0 0 less-equal 32 indicates that all the routes are permitted. Therefore, the routes that do not match the entry with index number 10 match the entry with index number 20 and are all permitted.

An IP prefix list can filter routes as required. To control routes, for example, control receiving, advertisement, and import of routes, you need to invoke an IP prefix list in a filter-policy or route-policy. The following describes how to use a filter-policy to filter routes. For more details, click the following hyperlink:
Both IP prefix list and ACL can be used to filter routes. ACLs can match only the network ID but not the mask (prefix length), but an IP prefix list is more flexible than ACLs because it can match both the network ID and mask, improving route matching accuracy.
In Figure 11-5, SwitchB has two static routes, but only the static route 192.168.0.0/16 needs to be imported into OSPF.

    <SwitchC> display ip routing-table
    Route Flags: R - relay, D - download to fib
    -----------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 6        Routes : 6

    Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
    10.10.12.0/24       Direct  0    0     D      10.10.12.2    Vlanif10
    10.10.12.2/32       Direct  0    0     D      127.0.0.1     Vlanif10
    127.0.0.0/8         Direct  0    0     D      127.0.0.1     InLoopBack0
    127.0.0.1/32        Direct  0    0     D      127.0.0.1     InLoopBack0
    192.168.0.0/16      O_ASE   150  1     D      10.10.12.1    Vlanif10
    192.168.0.0/24      O_ASE   150  1     D      10.10.12.1    Vlanif10

The command output shows that the two routes to 192.168.0.0 have been imported. This is because in the ACL 2001 rule permit source 192.168.0.0 0.0.255.255, 0.0.255.255 indicates a wildcard but not the mask length. After a wildcard is converted into a binary number, 0 indicates that routes need to match this ACL, while 1 indicates that routes do not. For example, 192.168.0.0 0.0.255.255 specifies a route prefix range: 192.168.0.0 to 192.168.255.255. The two routes 192.168.0.0/16 and 192.168.0.0/24 both match the ACL 2001. Therefore, the two routes match node 10 in the route-policy RP and both are imported into OSPF. ACLs cannot ensure that only the route 192.168.0.0/16 or 192.168.0.0/24 is matched because ACLs can match only network ID but not mask.

The following uses an IP prefix list to filter the imported routes. Check whether an IP prefix list can ensure that only the route 192.168.0.0/16 is imported and the route 192.168.0.0/24 is filtered out.
REFERENCE : https://support.huawei.com/enterprise/en/doc/EDOC1000178171/4d8bdd30/ip-prefix-list
Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.