【Huawei S Series Switches Routing Policy】3 IP Prefix List

Latest reply: Sep 10, 2019 07:24:57 5930 4 2 0

This post covers the IP prefix list, part 3 of the Huawei S Series Switches Routing Policy series. See below for details.


1      IP Prefix List

To filter received, advertised, and imported routes or to set attributes for routes, you first need to match the required routes using ACLs or an IP prefix list. In the preceding section about route-policy, ACLs are used to match routes. This section describes how to use an IP prefix list to match routes. First, let’s learn the differences between ACL and IP prefix list.

1.1  Differences Between ACL and IP Prefix List

The following two examples can help differentiate ACL and IP prefix list.

1.1.1            Example 1 Using ACLs to Filter Imported Routes

In Figure 3-1, ACLs are configured to import two RIP routes into OSPF and set attributes for the routes.

Figure 3-1 Using ACLs to filter imported routes

 

Check the IP routing table of SwitchB. The following command output shows that it contains two RIP routes 192.168.2.0/24 and 192.168.3.0/24. Now the two RIP routes need to be readvertised into OSPF and the costs of the two routes 192.168.2.0/24 and 192.168.3.0/24 need to be set to 10 and 20 respectively.

[SwitchB] display ip routing-table

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 8        Routes : 8       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

       10.1.1.0/24  Direct  0    0           D   10.1.1.1        Vlanif20

       10.1.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif20

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.1.0/24  Direct  0    0           D   192.168.1.2     Vlanif10

    192.168.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif10

    192.168.2.0/24  RIP     100  1           D   192.168.1.1     Vlanif10

    192.168.3.0/24  RIP     100  1           D   192.168.1.1     Vlanif10

Configure ACLs to match the required routes.

# Configure a basic ACL 2001 to match the route 192.168.2.0.

[SwitchB] acl 2001

[SwitchB-acl-basic-2001] rule permit source 192.168.2.0 0

[SwitchB-acl-basic-2001] quit

# Configure a basic ACL 2002 to match the route 192.168.3.0.

[SwitchB] acl 2002

[SwitchB-acl-basic-2002] rule permit source 192.168.3.0 0

[SwitchB-acl-basic-2002] quit

Configure a route-policy and apply it to the imported routes.

# Configure node 10 in the route-policy RP to set the cost of the route matching the basic ACL 2001 to 10.

[SwitchB] route-policy RP permit node 10

[SwitchB-route-policy] if-match acl 2001

[SwitchB-route-policy] apply cost 10

[SwitchB-route-policy] quit

# Configure node 20 in the route-policy RP to set the cost of the route matching the basic ACL 2002 to 20.

[SwitchB] route-policy RP permit node 20

[SwitchB-route-policy] if-match acl 2002

[SwitchB-route-policy] apply cost 20

[SwitchB-route-policy] quit

# Import the RIP routes permitted by the route-policy RP into OSPF.

[SwitchB] ospf

[SwitchB-ospf-1] import-route rip 1 route-policy RP

[SwitchB-ospf-1] quit

After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that the two RIP routes have been imported and their costs have been configured as required.

<SwitchC> display ip routing-table

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 6        Routes : 6       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

       10.1.1.0/24  Direct  0    0           D   10.1.1.2        Vlanif20

       10.1.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif20

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.2.0/24  O_ASE   150  10          D   10.1.1.1        Vlanif20

    192.168.3.0/24  O_ASE   150  20          D   10.1.1.1        Vlanif20

1.1.2            Example 2 Using an IP Prefix List to Filter Imported Routes

In Figure 3-2, SwitchB has two static routes, but only the static route 192.168.0.0/16 needs to be imported into OSPF.

Figure 3-2 Using an IP prefix list to filter imported routes

 

Check the IP routing table of SwitchB. The following command output shows that it has two static routes 192.168.0.0/16 and 192.168.0.0/24. Now only the route 192.168.0.0/16 needs to be readvertised into OSPF.

[SwitchB] display ip routing-table

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 6        Routes : 6       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

     10.10.12.0/24  Direct  0    0           D   10.10.12.1      Vlanif10

     10.10.12.1/32  Direct  0    0           D   127.0.0.1       Vlanif10

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.0.0/16  Static  60   0           D   0.0.0.0         NULL0

    192.168.0.0/24  Static  60   0           D   0.0.0.0         NULL0

First, try to use an ACL to meet this requirement.

Configure a basic ACL 2001.

[SwitchB] acl 2001

[SwitchB-acl-basic-2001] rule permit source 192.168.0.0 0.0.255.255

[SwitchB-acl-basic-2001] quit

Configure a route-policy and apply it to the imported routes.

# Configure node 10 in the route-policy RP to permit the route matching the basic ACL 2001 and deny all the unmatched routes.

[SwitchB] route-policy RP permit node 10

[SwitchB-route-policy] if-match acl 2001

[SwitchB-route-policy] quit

# Import the static route permitted by the route-policy RP into OSPF.

[SwitchB] ospf

[SwitchB-ospf-1] import-route static route-policy RP

[SwitchB-ospf-1] quit

After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that both routes to 192.168.0.0 have been imported. This is because, in the ACL 2001 rule permit source 192.168.0.0 0.0.255.255, the value 0.0.255.255 is a wildcard, not a mask length.

When a wildcard is written in binary, a 0 bit means that the corresponding bit of the address must match, and a 1 bit means that the corresponding bit is ignored. For example, 192.168.0.0 0.0.255.255 specifies the route prefix range 192.168.0.0 to 192.168.255.255. The two routes 192.168.0.0/16 and 192.168.0.0/24 both match ACL 2001, so both match node 10 in the route-policy RP and both are imported into OSPF. An ACL cannot ensure that only the route 192.168.0.0/16 or only the route 192.168.0.0/24 is matched, because an ACL can match only the network ID, not the mask.

<SwitchC> display ip routing-table

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 6        Routes : 6       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

     10.10.12.0/24  Direct  0    0           D   10.10.12.2      Vlanif10

     10.10.12.2/32  Direct  0    0           D   127.0.0.1       Vlanif10

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.0.0/16  O_ASE   150  1           D   10.10.12.1      Vlanif10

    192.168.0.0/24  O_ASE   150  1           D   10.10.12.1      Vlanif10

The following uses an IP prefix list to filter the imported routes. Check whether an IP prefix list can ensure that only the route 192.168.0.0/16 is imported and the route 192.168.0.0/24 is filtered out.

Configure an IP prefix list to permit the required route.

# Configure an IP prefix list huawei and configure node 10 to permit the route 192.168.0.0/16.

[SwitchB] ip ip-prefix huawei index 10 permit 192.168.0.0 16

Configure a route-policy and apply it to the imported routes.

# Configure a route-policy RP and configure node 10 to permit the route that matches the IP prefix list huawei and deny all the unmatched routes.

[SwitchB] route-policy RP permit node 10

[SwitchB-route-policy] if-match ip-prefix huawei

[SwitchB-route-policy] quit

# Import the static route permitted by the route-policy RP into OSPF.

[SwitchB] ospf

[SwitchB-ospf-1] import-route static route-policy RP

[SwitchB-ospf-1] quit

After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that only the route 192.168.0.0/16 is imported into OSPF.

<SwitchC> display ip routing-table

Route Flags: R - relay, D - download to fib

-----------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 5        Routes : 5       

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

     10.10.12.0/24  Direct  0    0           D   10.10.12.2      Vlanif10

     10.10.12.2/32  Direct  0    0           D   127.0.0.1       Vlanif10

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    192.168.0.0/16  O_ASE   150  1           D   10.10.12.1      Vlanif10

The preceding two examples indicate that both ACL and IP prefix list can be used to filter routes. ACLs can match only the network ID but not the mask (prefix length), but an IP prefix list is more flexible than ACLs because it can match both the network ID and mask, improving route matching accuracy.

1.2  Principles and Applications of IP Prefix List

1.2.1            Filtering Rules

An IP prefix list can contain multiple index entries, each of which corresponds to a filtering rule. In Figure 3-3, the system matches the routes to be filtered against entries in ascending order of index number.

  • If a route matches a permit entry, this route is permitted. If a route matches a deny entry, this route is denied.

  • If a route does not match any entry in the IP prefix list, this route is denied.

Figure 3-3 Matching principles of an IP prefix list

 

Route filtering rules of an IP prefix list: sequential match, unique match, and deny by default.

  • Sequential match: Routes to be filtered are matched against entries in ascending order of index number. If different index numbers are configured for entries in the same IP prefix list, different filtering results may be obtained. Therefore, exercise caution when configuring index numbers.

  • Unique match: If a route to be filtered matches one entry, it no longer tries to match other entries.

  • Deny by default: By default, all the routes that do not match any entry are denied. Therefore, after one or multiple deny entries are created in an IP prefix list, one entry needs to be created to permit all the other routes.

1.2.2            Mask Matching

An IP prefix list can be used to match a route mask, which is an advantage compared to ACL. In the preceding example, a mask has been used in exact route match. Additionally, an IP prefix list can also be used to match a mask range.

An IP prefix list is configured using the ip ip-prefix command, for example:

ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]

In this command, ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ] defines the network ID and mask range of routes to be filtered. Table 3-1 describes parameters in this command.

Table 3-1 An address range in an IP prefix list

Parameter                            Description
ipv4-address                         Specifies a network ID.
mask-length                          Specifies the mask length for exact match.
greater-equal greater-equal-value    Indicates that the mask length must be greater than or equal to greater-equal-value.
less-equal less-equal-value          Indicates that the mask length must be less than or equal to less-equal-value.

 

When a route to be filtered has matched a network ID, the mask length can be matched exactly or within a specified mask length range.

  • If neither greater-equal nor less-equal is configured in the command, exact match is performed on routes. That is, only the routes with the specified mask-length are matched.

  • If only greater-equal is configured in the command, the mask length range used for matching routes is [greater-equal-value, 32].

  • If only less-equal is configured in the command, the mask length range used for matching routes is [mask-length, less-equal-value].

  • If both greater-equal and less-equal are configured in the command, the mask length range used for matching routes is [greater-equal-value, less-equal-value].

1.2.3            Applications

Assume that there are routes 10.1.1.0/24, 10.1.1.0/26, 10.1.1.1/32, 10.2.2.0/24, and 10.1.0.0/16. How can an IP prefix list be used to filter these routes to meet the following requirements?

  • Permit only one route, for example, permit only the route 10.1.1.0/24.

  • Permit only the routes with the same network ID but different masks and deny other routes. For example, permit only three routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32.

  • Deny only one route and permit the other routes, for example, deny only the route 10.1.1.0/24.

Find the answers in the following examples:

--------------------------------Example 1 Single-node exact match------------------------------------------

  • Example 1

ip ip-prefix test index 10 permit 10.1.1.0 24

Matching result: Only the route 10.1.1.0/24 is permitted, and other routes are denied.

Note: Only the route with the specified network ID and mask is permitted.

------------------------------Examples 2 through 4 Match against the specified mask range----------------------------------

  • Example 2

ip ip-prefix test index 10 permit 10.1.1.0 24 less-equal 32

Matching result: Only the routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32 are permitted, and other routes are denied.

Note: The routes with the network ID 10.1.1.0 and mask length 24-32 are permitted.

  • Example 3

ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26

Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.

Note: The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted.

  • Example 4

ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26 less-equal 32

Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.

Note: The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted. The matching result is the same as that of Example 3.

--------------------Examples 5 and 6 Match against the wildcard address (0.0.0.0)-----------------------

The wildcard address 0.0.0.0 indicates that the network ID is not specified and only the mask range needs to be matched. Table 3-2 lists special wildcard addresses.

Table 3-2 Special wildcard addresses

Special Wildcard Address      Description
0.0.0.0 0                     Indicates that only the default route is matched.
0.0.0.0 0 less-equal 32       Indicates that all routes are matched.
0.0.0.0 0 greater-equal 32    Indicates that all host routes are matched.

Note: An IP prefix list uses the matching rule of deny by default. After one or multiple deny entries are created, an entry permit 0.0.0.0 0 less-equal 32 needs to be created to permit other routes.

  • Example 5

ip ip-prefix test index 10 permit 0.0.0.0 8 less-equal 32

Matching result: All the five routes are permitted.

Note: All the routes with the mask length 8-32 are permitted.

  • Example 6

ip ip-prefix test index 10 deny 10.1.1.0 24

ip ip-prefix test index 20 permit 0.0.0.0 0 less-equal 32

Matching result: Only the route 10.1.1.0/24 is denied, and other routes are permitted.

Note: The route 10.1.1.0/24 matches the entry with index number 10 in the IP prefix list test, but the matching mode is deny. Therefore, this route is denied. The entry with index number 20 permit 0.0.0.0 0 less-equal 32 indicates that all the routes are permitted. Therefore, the routes that do not match the entry with index number 10 match the entry with index number 20 and are all permitted.

An IP prefix list can filter routes as required. To control routes, for example, control receiving, advertisement, and import of routes, you need to invoke an IP prefix list in a filter-policy or route-policy. The following describes how to use a filter-policy to filter routes.

For more details, click the following hyperlink:


1 Routing Policy

Describes various tools used in routing policy and invoking between these tools.

2 Route-Policy

Describes the components, matching rules, and applications of route-policy.

3 IP Prefix List

Describes how to use an IP prefix list and differences between it and ACL.

4 Filter-Policy

Describes filter-policy principles and applications.

5 BGP Routing Policy (1)

Describes applications of IP prefix list, filter-policy, and route-policy in BGP.

6 BGP Routing Policy (2)

Describes applications of AS_Path filter and Community attribute in BGP.

Collection of Chapters 1 Through 6 (Click Here to Download the PDF Document)

Provides the collection of the preceding chapters.
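
The matching rules from sections 1.1 and 1.2 of the post above (ACL wildcard versus prefix list, sequential match, unique match, deny by default, mask ranges, and the 0.0.0.0 wildcard address) can be checked offline before a filter is applied to a device. The following Python model is an added example, not part of the original post and not Huawei code; all function names are hypothetical, and it assumes every entry carries an explicit index and that mask-length <= greater-equal-value <= less-equal-value <= 32.

```python
import ipaddress
import re

# Added illustration of the rules in sections 1.1-1.2; not Huawei code.
ENTRY_RE = re.compile(
    r"ip ip-prefix \S+ index (?P<index>\d+) (?P<action>permit|deny) "
    r"(?P<addr>\S+) (?P<mlen>\d+)"
    r"(?: greater-equal (?P<ge>\d+))?(?: less-equal (?P<le>\d+))?$")

# The five routes from section 1.2.3 of the post.
ROUTES = ["10.1.1.0/24", "10.1.1.0/26", "10.1.1.1/32", "10.2.2.0/24", "10.1.0.0/16"]


def parse_entry(line):
    """Return (index, action, addr, mask_length, low, high) for one entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported entry: {line!r}")
    mlen, ge, le = int(m["mlen"]), m["ge"], m["le"]
    low = int(ge) if ge else mlen      # no greater-equal: range starts at mask-length
    high = int(le) if le else (32 if ge else mlen)  # only greater-equal: up to 32
    if not mlen <= low <= high <= 32:  # assumed ordering constraint (see lead-in)
        raise ValueError(f"invalid mask range: {line!r}")
    addr = int(ipaddress.IPv4Address(m["addr"]))
    return int(m["index"]), m["action"], addr, mlen, low, high


def entry_matches(entry, route):
    """True if the route's mask length is in range and its network ID matches."""
    _, _, addr, mlen, low, high = entry
    net = ipaddress.ip_network(route, strict=False)
    if not low <= net.prefixlen <= high:
        return False
    if addr == 0:                      # 0.0.0.0 is a wildcard address: mask range only
        return True
    shift = 32 - mlen                  # compare only the first mask-length bits
    return int(net.network_address) >> shift == addr >> shift


def prefix_list_permits(lines, route):
    """Ascending index order, first matching entry decides, deny by default."""
    for entry in sorted(map(parse_entry, lines), key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1] == "permit"
    return False


def permitted(lines, routes=ROUTES):
    """Routes from the sample set that the prefix list lets through."""
    return [r for r in routes if prefix_list_permits(lines, r)]


def acl_permits(addr, wildcard, route):
    """Basic ACL rule as described in the post: the address is compared under the
    wildcard (1 bits ignored) and the route's mask length is never examined."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    dest = int(ipaddress.ip_network(route, strict=False).network_address)
    return dest & care == int(ipaddress.IPv4Address(addr)) & care
```

Passing the entries of Examples 1 through 6 to permitted() reproduces the matching results stated in the post, and giving the permit-all entry a lower index than the deny entry shows why index order matters.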

 


user_2790689
Created Mar 22, 2017 05:39:33 Helpful(0) Helpful(0)

thank you

wissal
MVE Created Apr 7, 2018 15:09:34 Helpful(0) Helpful(0)

useful document, thanks
AngryProgrammer
Created Jul 16, 2019 06:05:35 Helpful(0) Helpful(0)

When you go to HCIP R&S it is material disappointment..

Thank you so much, you help me to understand it from its root.

user_3202385
Created Sep 10, 2019 07:24:57 Helpful(0) Helpful(0)

Thanks a lot. The material in HCIP-IERS is concept defective. Hope Huawei is thinking about fixing that.