route-policy&traffic-policy

Posted: 2016-10-7 10:46:39  Latest reply: 2019-08-18 13:12:55
Note: this table compares the various cases of using route-policy and traffic-policy together with ip-prefix and acl.
Columns: No. | Scenario | Policy type | R4 configuration | R6 configuration | Result and analysis

1. Default behaviour

Policy type: route-policy
R4 configuration:
ip ip-prefix cc-test index 10 permit 40.40.40.40 32
#  (50.50.50.50/32 is not covered by this prefix list)
route-policy cc-test permit node 10
 if-match ip-prefix cc-test
#
bgp 100
 ipv4-family unicast
  peer 6.6.6.6 route-policy cc-test import
#
R6 configuration:
ip route-static 50.50.50.50 255.255.255.255 NULL0
#
bgp 100
 ipv4-family unicast
  network 50.50.50.50 255.255.255.255
#
Result: R4 does not receive the route 50.50.50.50/32.
Analysis: the default node of a route-policy is deny, so a route that misses every configured node falls into the default node and is denied.

Policy type: traffic-policy
R4 configuration:
acl 3000
 rule 5 permit ip source 5.5.5.5 0 destination 4.4.4.4 0
#  (traffic from 6.6.6.6 to 4.4.4.4 does not match this ACL)
traffic classifier cc-test
 if-match acl 3000
#
traffic behavior cc-test
 permit
#
traffic policy cc-test
 share-mode
 classifier cc-test behavior cc-test
#
interface GigabitEthernet2/0/1
 traffic-policy cc-test inbound
#
Result: ping -a 6.6.6.6 4.4.4.4 towards R4 succeeds.
Analysis: the default action under a traffic-policy is permit, so traffic that matches no policy entry gets the default permit action.

2. The ip-prefix or ACL does not exist

Policy type: route-policy
R4 configuration:
route-policy cc-test permit node 10
 if-match ip-prefix cc-test
#  (ip-prefix cc-test does not exist)
route-policy cc-test deny node 20
#
bgp 100
 ipv4-family unicast
  peer 6.6.6.6 route-policy cc-test import
#
R6 configuration:
ip route-static 50.50.50.50 255.255.255.255 NULL0
#
bgp 100
 ipv4-family unicast
  network 50.50.50.50 255.255.255.255
#
Result: R4 receives the route 50.50.50.50/32.
Analysis: for a non-existent ip-prefix the device does not treat every route as unmatched; it treats the statement if-match ip-prefix cc-test as invalid, as if it had not been configured, so every route matches and the corresponding permit action is executed.

Policy type: traffic-policy
R4 configuration:
traffic classifier cc-test operator or
 if-match acl 3000
#  (acl 3000 does not exist)
traffic classifier cc-test1 operator or
 if-match any
#
traffic behavior cc-test
 deny
traffic behavior cc-test1
 permit
#
traffic policy cc-test
 share-mode
 classifier cc-test behavior cc-test
 classifier cc-test1 behavior cc-test1
#
interface GigabitEthernet2/0/1
 traffic-policy cc-test inbound
#
Result: ping -a 6.6.6.6 4.4.4.4 towards R4 succeeds.
Analysis: for a non-existent ACL the device treats the statement if-match acl 3000 as invalid, as if it had not been configured (deleting the if-match statement gives the same result), so nothing is matched and the corresponding deny action is not executed.

3. route-policy combined with ip-prefix; traffic-policy combined with ACL

Policy type: route-policy
R4 configuration:
ip ip-prefix cc-test index 10 deny 50.50.50.50 32
#
route-policy cc-test permit node 10
 if-match ip-prefix cc-test
route-policy cc-test permit node 20
#
bgp 100
 ipv4-family unicast
  peer 6.6.6.6 route-policy cc-test import
#
R6 configuration:
ip route-static 50.50.50.50 255.255.255.255 NULL0
#
bgp 100
 ipv4-family unicast
  network 50.50.50.50 255.255.255.255
#
Result: R4 receives the route 50.50.50.50/32.
Analysis: when a route-policy is used with an ip-prefix and the matching ip-prefix entry is deny, a route that hits that entry does not execute the action of the node, but it continues to the next node of the route-policy for further matching. In other words, permit/deny in an ip-prefix only does selection: deny merely means the route is not selected and the node's action is not executed; it does not exit the whole route-policy, and evaluation continues at the next node.

Policy type: traffic-policy
R4 configuration:
acl 3000
 rule 5 deny ip source 6.6.6.6 0 destination 4.4.4.4 0
#
traffic classifier cc-test
 if-match acl 3000
#
traffic classifier cc-test1 operator or
 if-match any
#
traffic behavior cc-test
 permit
#
traffic behavior cc-test1
 permit
#
traffic policy cc-test
 share-mode
 classifier cc-test behavior cc-test
 classifier cc-test1 behavior cc-test1
#
interface GigabitEthernet2/0/1
 traffic-policy cc-test inbound
#
Result: ping -a 6.6.6.6 4.4.4.4 towards R4 fails.
Analysis: when a traffic-policy is used with an ACL and the matching ACL rule is permit, the traffic behavior's action decides whether the packet is permitted or denied; if the matching ACL rule is deny, the packet is denied regardless of whether the traffic behavior is permit or deny.
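The model below is an added example, not the author's or Huawei's code: it encodes in Python the evaluation order that the three table rows report for both policy types (ip-prefix permit/deny as selection with an implicit deny node and a missing ip-prefix matching everything; ACL permit applying the behavior, ACL deny dropping regardless, a missing ACL classifying nothing, implicit permit), so each row can be replayed offline. It assumes host-only ACL rules (wildcard 0), one if-match clause per classifier and routes matched by prefix only, which is all the table uses; the runnable part at the bottom replays row 3.

```python
import ipaddress

def prefix_list_selects(entries, route):
    """ip-prefix: the first matching index decides. permit selects the route,
    deny leaves it unselected; a route that hits no index is implicitly denied.
    entries = [(action, network, greater_equal, less_equal), ...] in index order."""
    net = ipaddress.ip_network(route)
    for action, network, ge, le in entries:
        base = ipaddress.ip_network(network)
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else lo
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def route_policy_accepts(nodes, prefix_lists, route):
    """route-policy: nodes in order; the first node whose if-match holds applies
    its action and stops. A node with no if-match, or whose ip-prefix does not
    exist, matches every route (the clause is ignored, as the table shows).
    Falling off the end hits the implicit deny node.  nodes = [(action, prefix)]"""
    for action, prefix_name in nodes:
        if prefix_name is None or prefix_name not in prefix_lists \
                or prefix_list_selects(prefix_lists[prefix_name], route):
            return action == "permit"
    return False

def traffic_policy_forwards(bindings, acls, src, dst):
    """traffic-policy: classifier/behavior pairs in order. 'any' always matches.
    An ACL permit hit classifies the packet and applies the behavior; an ACL deny
    hit drops it whatever the behavior says; a missing ACL classifies nothing.
    No classifier hit at all -> the implicit permit.  Host rules only (wildcard 0)."""
    for match, behavior in bindings:
        if match == "any":
            return behavior == "permit"
        for action, rule_src, rule_dst in acls.get(match, []):
            if (src, dst) == (rule_src, rule_dst):
                return False if action == "deny" else behavior == "permit"
    return True

if __name__ == "__main__":
    # Constructed from table row 3: ip-prefix deny, node 10 permit, node 20 permit.
    plist = {"cc-test": [("deny", "50.50.50.50/32", None, None)]}
    print(route_policy_accepts([("permit", "cc-test"), ("permit", None)],
                               plist, "50.50.50.50/32"))          # True: route received
    # Table row 3: ACL deny + behavior permit, then if-match any + permit.
    acls = {"3000": [("deny", "6.6.6.6", "4.4.4.4")]}
    print(traffic_policy_forwards([("3000", "permit"), ("any", "permit")],
                                  acls, "6.6.6.6", "4.4.4.4"))    # False: ping fails
```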
route-policy

R6:
ip route-static 50.50.50.50 255.255.255.255 NULL0
#
bgp 100
 ipv4-family unicast
  network 50.50.50.50 255.255.255.255
#
R4:
ip ip-prefix cc-test index 10 deny 50.50.50.50 32 greater-equal 32 less-equal 32
route-policy cc-test permit node 10
 if-match ip-prefix cc-test
route-policy cc-test deny node 20
#
bgp 100
 ipv4-family unicast
  peer 6.6.6.6 route-policy cc-test import
#
1. Without a route-policy applied:
[R4-NE80E]dis bgp rou peer 6.6.6.6 received-routes
 BGP Local router ID is 4.4.4.4 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  50.50.50.50/32     6.6.6.6         0          100        0      i
 
2. The default node of a route-policy is deny: a route that misses every configured node falls into the default node and is denied.
route-policy cc-test permit node 10
 if-match ip-prefix cc-test
#
ip ip-prefix cc-test index 10 permit 40.40.40.40 32 greater-equal 32 less-equal 32
#
[R4-NE80E]dis bgp routing-table peer 6.6.6.6 received-routes 
The output is empty.
3. After undo ip ip-prefix cc-test, and to rule out interference from the default action, the command route-policy cc-test deny node 20 is added directly. The route can now be learned, which shows that for a non-existent ip-prefix the device does not treat everything as unmatched; it treats the statement if-match ip-prefix cc-test as invalid, as if it had not been configured, so every route matches.
<R4-NE80E>dis bgp rou peer 6.6.6.6 received-routes
 BGP Local router ID is 4.4.4.4 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  50.50.50.50/32     6.6.6.6         0          100        0      i
 
4. What is the relationship between deny in the ip-prefix and deny on a route-policy node?
route-policy cc-test deny node 10
 if-match ip-prefix cc-test
#
route-policy cc-test permit node 20
#
[R4-NE80E-route-policy]dis bgp rou peer 6.6.6.6 rec       
 BGP Local router ID is 4.4.4.4 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  50.50.50.50/32     6.6.6.6         0          100        0      i
Change the node's deny to permit:
 route-policy cc-test permit node 10
 if-match ip-prefix cc-test
#
route-policy cc-test permit node 20
#
return
[R4-NE80E-route-policy]dis bgp rou peer 6.6.6.6 rec
 BGP Local router ID is 4.4.4.4 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  50.50.50.50/32     6.6.6.6         0          100        0      i
 
 
 
traffic-policy

1. Under a traffic policy the default action is permit: traffic that matches no policy entry executes the default permit action.
acl 3000
 rule 5 permit ip source 5.5.5.5 0 destination 4.4.4.4 0
#
traffic classifier cc-test
 if-match acl 3000
#
traffic behavior cc-test
 permit
#
traffic policy cc-test
 share-mode
 classifier cc-test behavior cc-test
#
interface GigabitEthernet2/0/1
 traffic-policy cc-test inbound
#
[NE40]ping -a 6.6.6.6 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=254 time=3 ms
    Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=254 time=2 ms
 
2.
acl number 3000
 rule 5 deny ip source 6.6.6.6 0 destination 4.4.4.4 0
#
traffic classifier cc-test operator or
 if-match acl 3000
traffic classifier cc-test1 operator or
 if-match any
#                                         
traffic behavior cc-test
 deny
traffic behavior cc-test1
 permit
#
traffic policy cc-test
 share-mode
 classifier cc-test behavior cc-test
 classifier cc-test1 behavior cc-test1
#
<NE40>ping -a 6.6.6.6 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
 
 
3.
acl number 3000
 rule 5 deny ip source 6.6.6.6 0 destination 4.4.4.4 0
#
traffic classifier cc-test operator or
 if-match acl 3000
traffic classifier cc-test1 operator or
 if-match any
#                                         
traffic behavior cc-test
 permit
traffic behavior cc-test1
 permit
#
traffic policy cc-test
 share-mode
 classifier cc-test behavior cc-test
 classifier cc-test1 behavior cc-test1
#
<NE40>ping -a 6.6.6.6 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
4.
acl number 3000
 rule 5 permit ip source 6.6.6.6 0 destination 4.4.4.4 0
#
traffic classifier cc-test operator or
 if-match acl 3000
traffic classifier cc-test1 operator or
 if-match any
#                                         
traffic behavior cc-test
 deny
traffic behavior cc-test1
 permit
#
traffic policy cc-test
 share-mode
 classifier cc-test behavior cc-test
 classifier cc-test1 behavior cc-test1
#
[NE40]ping -a 6.6.6.6 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
5. After undo acl 3000, ACL 3000 no longer exists and R6 can ping R4, which shows that for a non-existent ACL the device treats the statement if-match acl 3000 as invalid, as if it had not been configured (deleting the if-match statement gives the same result): nothing is matched.
[NE40]ping -a 6.6.6.6 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=254 time=2 ms
  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms
hiking, 2016-10-7 12:03:52:
Thanks for sharing; the table is not displayed completely.
肥肥猫, 2016-10-8 09:23:42:
Quoting hiking (2016-10-07 12:03): "Thanks for sharing; the table is not displayed completely."
Why isn't it displayed completely? Is there some kind of limit? @天才樱木, isn't this something Yingmu manages?
天才樱木, 2016-10-11 11:10:21:
Quoting 肥肥猫 (2016-10-08 09:23): "Why isn't it displayed completely? Is there some kind of limit? @天才樱木, isn't this something Yingmu manages?"
@BetterMan, technical problems with the Enterprise community go to Daxiong~~ :P
肥肥猫, 2016-10-11 11:20:50:
Quoting 天才樱木 (2016-10-11 11:10): "Quoting 肥肥猫: Why isn't it displayed completely? Is there some kind of limit? @天才樱木, isn't this something Yingmu manages? @BetterMan ..."
OK, thanks Yingmu.
浪里小白脸1, 2016-10-11 14:43:03:
Er, your post has quite a lot of hidden formatting… the table seems to be too wide. Do you want me to help re-lay it out?
肥肥猫, 2016-10-12 09:03:53:
Quoting BetterMan (2016-10-11 14:43): "Er, your post has quite a lot of hidden formatting… the table seems to be too wide. Do you want me to help re-lay it out?"
Ah, no need for now; I'll call on you if I need it, thanks~~~
你白哥, 2019-8-18 13:12:55:
Could the table problem be fixed?