[Huawei] Route Filter Tool

Table of Contents

1. Match interest traffic

1.1  ACL

1.2 IP-Prefix List

2. Routing strategy

2.1 Filter-Policy

2.2 Route-Policy

3. Experimental configuration


In a real enterprise network, various requirements arise that force us to control the traffic in the network, and some tools are needed for that. This article summarizes the route filtering tools of Huawei devices. The general idea of controlling traffic is: first use a tool to match and capture the traffic of interest, and then apply a policy to the matched traffic.

1. Match interest traffic

1.1  ACL

The Access Control List (ACL) is a set of sequential rules composed of permit or deny statements. It classifies packets by matching information in the packets. Note that the mask used in an ACL is what we call a wildcard mask: where a wildcard bit is 0 the corresponding address bit must be identical, where it is 1 the address bit may be 0 or 1; the 0 and 1 bits need not be contiguous.

Classification of ACL:
  • Basic ACL: The data packets are classified and defined based on the source address, fragment mark, and time period information. The number range is 2000-2999.
  • Advanced ACL: Data packets can be classified and defined in more detail based on information such as source address, destination address, source port number, destination port number, protocol type, priority, and time period. The number range is 3000-3999.
  • Layer 2 ACL: Classifies and defines data packets based on information such as source MAC address, destination MAC address, and Layer 2 frame type. The number range is 4000-4999.
  • User-defined ACL: It mainly processes data packets according to user-defined rules, and the number range is 5000-5999.

An ACL can consist of multiple "deny | permit" statements, each of which describes a rule. After the device receives data traffic, it checks the ACL rules one by one. If a rule does not match, the next rule is checked. Once a matching rule is found, the action defined in that rule is executed and no further rules are examined; if no rule matches, the device forwards the packet directly.

Note that the rules defined in an ACL may overlap or contradict each other. The matching order of the rules determines their priority, and this priority is how an ACL resolves overlap or contradiction between rules.

Problem: an ACL can flexibly match the prefix of an IP address, but it cannot match the mask length. (Routes in the routing table are network segments whose host bits are all 0, so two routes with the same network address but different mask lengths cannot be told apart by an ACL.) This leads to our next tool: the address prefix list.

1.2 IP-Prefix List

The address prefix list is the IP-Prefix List. With it, routes that match the defined prefix filtering entries are filtered according to the defined matching mode to meet the user's needs. An IP-Prefix List matches both the IP address prefix and the mask length; it can only be used to filter routing information, not to filter IP packets.

The composition and matching rules of the prefix list:

  1. A prefix filtering entry is composed of an IP address and a mask length. The IP address can be a network segment address or a host address. The mask length can be configured from 0 to 32.
  2. Each entry in an IP-Prefix List has an index number, and entries are matched in ascending index order.
  3. If no index is configured for an entry, its index is the index of the last configured entry of the same list name plus a step of 10. If the name and index of a new entry are the same as those of an existing entry and only the matched content differs, the new entry overwrites the original one.
  4. When no entry of the prefix filtering list matches, the default final matching mode is deny. When the referenced prefix filtering list does not exist, the default matching mode is permit.

Prefix mask length range:

The prefix filtering list can match exactly or within a mask-length range; the range to match is specified with the keywords greater-equal and less-equal. If neither greater-equal nor less-equal is configured, the entry matches exactly, that is, only routes whose mask length equals the entry's mask length are matched. If only greater-equal is configured, the matched mask length ranges from the greater-equal value up to 32 bits. If only less-equal is configured, the matched mask length ranges from the entry's own mask length up to the less-equal value.
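To make the matching rules above concrete, here is an added Python model of an IP-Prefix List (example code written for this article, not Huawei software): ascending-index evaluation, default deny when nothing matches, permit when the referenced list does not exist, auto-indexing in steps of 10 with overwrite on a repeated index, and the greater-equal / less-equal mask ranges. The list "ab" is the one configured on R4 later in this article; the list "ranges" and the route set are constructed for the demonstration. The case where both keywords are configured is modelled as the range [greater-equal, less-equal], which is standard Huawei behaviour not spelled out in the text above.

```python
import ipaddress

# One entry of an ip ip-prefix list is stored as (action, prefix, ge, le), keyed by index.
# ge / le are None when greater-equal / less-equal were not configured.

def add_entry(lists, name, action, prefix, ge=None, le=None, index=None):
    """Mimic the index rules: no index given -> last index of the same list + 10
    (10 for a new list); an index that already exists -> that entry is overwritten."""
    entries = lists.setdefault(name, {})
    if index is None:
        index = max(entries) + 10 if entries else 10
    entries[index] = (action, prefix, ge, le)
    return index

def mask_range(prefix_len, ge, le):
    """Mask-length range an entry matches: no keyword -> exact match only;
    only ge -> [ge, 32]; only le -> [prefix_len, le]; both -> [ge, le]."""
    if ge is None and le is None:
        return prefix_len, prefix_len
    if le is None:
        return ge, 32
    if ge is None:
        return prefix_len, le
    return ge, le

def entry_matches(entry, route):
    _, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    lo, hi = mask_range(net.prefixlen, ge, le)
    if not lo <= r.prefixlen <= hi:
        return False
    # The route's leading prefix_len bits must equal the entry's prefix bits;
    # a shift of 32 makes a "0.0.0.0 0" entry a catch-all.
    shift = 32 - net.prefixlen
    return int(r.network_address) >> shift == int(net.network_address) >> shift

def prefix_list_lookup(lists, name, route):
    """'permit' or 'deny' for a route: entries are tried in ascending index order and the
    first match wins; no match -> deny; the referenced list does not exist -> permit."""
    if name not in lists:
        return "permit"
    for index in sorted(lists[name]):
        entry = lists[name][index]
        if entry_matches(entry, route):
            return entry[0]
    return "deny"

def build_lists():
    lists = {}
    # List "ab" from the R4 configuration in this article (exact-match entries).
    add_entry(lists, "ab", "permit", "10.1.1.0/24", index=10)
    add_entry(lists, "ab", "permit", "10.1.3.0/24", index=20)
    # Constructed list "ranges" exercising greater-equal / less-equal (not on the page).
    add_entry(lists, "ranges", "permit", "10.1.0.0/16", ge=24)           # auto index 10
    add_entry(lists, "ranges", "permit", "192.168.0.0/16", le=24)        # auto index 20
    add_entry(lists, "ranges", "permit", "172.16.0.0/12", ge=20, le=24)  # auto index 30
    return lists

def decisions():
    """Constructed routes checked against the lists; keys are '<list> <route>'."""
    lists = build_lists()
    checks = [
        ("ab", "10.1.1.0/24"), ("ab", "10.1.1.128/25"), ("ab", "10.1.2.0/24"),
        ("ranges", "10.1.0.0/16"), ("ranges", "10.1.1.128/25"),
        ("ranges", "192.168.1.0/24"), ("ranges", "192.168.1.0/25"),
        ("ranges", "172.16.0.0/12"), ("ranges", "172.16.16.0/20"),
        ("nosuch", "10.1.2.0/24"),
    ]
    return {f"{n} {r}": prefix_list_lookup(lists, n, r) for n, r in checks}

if __name__ == "__main__":
    for key, verdict in decisions().items():
        print(f"{key:28} -> {verdict}")
```

The exact-match rule is why "ab" permits 10.1.1.0/24 but denies 10.1.1.128/25, and the nonexistent list "nosuch" permitting everything is the failure mode to watch for when a filter references a list name that was never created or was mistyped.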

2. Routing strategy

Once the traffic of interest has been matched, a policy must be applied to it. Here, too, there are two tools, namely Filter-Policy and Route-Policy.

2.1 Filter-Policy

Filter-Policy can only filter received or advertised routes; it can be applied to the ISIS, OSPF, and BGP protocols.

Applying the Filter-Policy tool in each protocol filters the received, advertised, and imported routes by referencing an ACL or an address prefix list.

For distance-vector and link-state protocols, the Filter-Policy tool operates differently:

(1) A distance-vector protocol generates routes from the routing table, so the filter affects both the routes received from neighbors and the routes advertised to neighbors.

(2) A link-state routing protocol generates routes from the link state database, and the routing information is carried inside LSAs. Filter-Policy cannot filter the LSAs that are sent and received, so it does not affect link state advertisements, the integrity of the link state database, or the protocol's own routing table; it only affects the local routing table: routes that pass the filter are added to the routing table, and routes that do not pass are not.

(3) The filter-policy export command affects a different range of routes to be advertised depending on the protocol:

  • For a distance-vector protocol, both the imported routing information and the routing information discovered by the protocol itself are filtered.

  • For a link-state protocol, only the imported routing information is filtered.

2.2 Route-Policy

Route-Policy is a very powerful routing policy tool. It can be used flexibly in conjunction with ACL, IP-Prefix List, AS-Path Filter and other tools.

Route-Policy consists of several nodes, and the relationship between nodes is "or". Each node can contain several if-match and apply clauses, and the relationship between the if-match clauses of one node is "and".

Each Route-Policy node has a mode, permit or deny. In permit mode, when a route satisfies all the if-match clauses of the node, it passes the node's filtering, the node's apply clauses are executed, and the next node is not entered; if the route does not satisfy all the if-match clauses of the node, it proceeds to the next node to continue filtering. In deny mode, when a route satisfies all the if-match clauses of the node, it is rejected by that node: the apply clauses are not executed and the next node is not entered; otherwise it proceeds to the next node to continue filtering.

Example:

  • Pref1 is used to match 5.5.5.5/32 or 1.1.2.0/24; they are filtered out (deny) by node 10 of route-policy RP, so 5.5.5.5/32 and 1.1.2.0/24 are not visible in Table-2.
  • Pref2 is used to filter 6.6.6.6/32 (deny), so even though the node 20 of route-policy RP is permit, 6.6.6.6/32 will still be filtered out. Therefore, 6.6.6.6/32 is not seen in Table-2.
  • Node 30 of route-policy RP defines two if-match statements, for ACL 2001 and ACL 2002 respectively. The routes matching ACL 2001 are 1.1.3.0/24 (next hop 34.34.34.2), 1.1.3.0/24 (next hop 13.13.13.1), 1.1.3.0/25 (next hop 34.34.34.2) and 1.1.3.0/25 (next hop 13.13.13.1), and the routes matching ACL 2002 are 1.1.3.0/24 (next hop 13.13.13.1) and 1.1.3.0/25 (next hop 13.13.13.1). Therefore, the cost of 1.1.3.0/24 (next hop 13.13.13.1) and 1.1.3.0/25 (next hop 13.13.13.1) is modified to 21.
  • 1.1.3.0/24 (next hop 34.34.34.2) and 1.1.3.0/25 (next hop 34.34.34.2) continue to node 40 of route-policy RP. Since 1.1.3.0/25 satisfies Pref3, the cost of 1.1.3.0/25 (next hop 34.34.34.2) is modified to 11.
  • Finally, 1.1.3.0/24 (next hop 34.34.34.2) passes node 50 of route-policy RP.

3. Experimental configuration

The addresses and configuration requirements are shown in the figure. Note: the address of the small router is .1 and the address of the large router is .2. Here we use the OSPF protocol to make them communicate.

Address and OSPF configuration:

R1:
interface GigabitEthernet0/0/0
 ip address 13.1.1.1 255.255.255.0 
interface LoopBack0
 ip address 10.1.4.1 255.255.255.0 
#
ospf 1 
 area 0.0.0.0 
  network 10.1.4.0 0.0.0.255 
  network 13.1.1.0 0.0.0.255
R2:
interface GigabitEthernet0/0/0
 ip address 23.1.1.1 255.255.255.0 
interface LoopBack0
 ip address 10.1.5.1 255.255.255.0 
#
ospf 1 
 area 0.0.0.0 
  network 10.1.5.0 0.0.0.255 
  network 23.1.1.0 0.0.0.255
R3:
interface GigabitEthernet0/0/0
 ip address 13.1.1.2 255.255.255.0 
interface GigabitEthernet0/0/1
 ip address 23.1.1.2 255.255.255.0 
interface GigabitEthernet0/0/2
 ip address 34.1.1.1 255.255.255.0
#
ospf 1 
 area 0.0.0.0 
  network 13.1.1.0 0.0.0.255 
  network 23.1.1.0 0.0.0.255 
  network 34.1.1.0 0.0.0.255 
R4:
interface GigabitEthernet0/0/0
 ip address 34.1.1.2 255.255.255.0 
interface LoopBack0
 ip address 10.1.1.1 255.255.255.0 
interface LoopBack1
 ip address 10.1.2.1 255.255.255.0 
interface LoopBack2
 ip address 10.1.3.1 255.255.255.0 
#
ospf 1 
 import-route direct
 area 0.0.0.0 
  network 34.1.1.0 0.0.0.255 

Configure routing policy:

Idea: According to the requirements, the marketing department cannot access the finance department or the R&D department, and the company headquarters cannot access the R&D department. So we can apply a policy on R1 that rejects the finance department's route when it is imported; for the R&D department, it is enough to exclude its network segment when R4 advertises its routes, so that R3 never learns the R&D network segment.

R1:
#
acl number 2000  
 rule 5 deny source 10.1.1.0 0.0.0.255 
 rule 10 permit any
#
ospf 1 
 filter-policy 2000 import
R4:
#
ip ip-prefix ab index 10 permit 10.1.1.0 24
ip ip-prefix ab index 20 permit 10.1.3.0 24
#
ospf 1 
 filter-policy ip-prefix ab export direct

The same result can also be achieved on R4 with Route-Policy:

acl 2000
 rule 0 permit source 10.1.1.0 0.0.0.255
 rule 5 permit source 10.1.3.0 0.0.0.255
route-policy huawei-control permit node 10
 if-match acl 2000
ospf 1
 import-route direct route-policy huawei-control
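As an added example (written for this article, not code from Huawei or from the original post), the Python model below ties together three passages: the ACL rules from section 1.1 (wildcard mask, ordered first-match evaluation, and the inability to see the mask length), the Route-Policy node logic from section 2.2 (nodes are "or"-ed, if-match clauses inside a node are "and"-ed, permit runs apply and stops, deny stops without apply), and the two policies configured above: ACL 2000 with filter-policy import on R1, and ACL 2000 with route-policy huawei-control on R4. R4's direct routes and their cost of 1 are constructed inputs, and DEMO_POLICY is a constructed policy that is not on the page. The rule that a route matching no node is denied is Huawei's default behaviour, not stated in the text above.

```python
import ipaddress

# ---- ACL with wildcard semantics: ordered rules, first match wins ----
# A rule is (action, base, wildcard); base/wildcard None stands for "any".

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask comparison: 0 bits must be equal, 1 bits are don't-care,
    and the 1 bits need not be contiguous."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_lookup(acl, addr):
    """'permit' / 'deny' from the first matching rule, None when no rule matches."""
    for action, base, wildcard in acl:
        if base is None or wildcard_match(addr, base, wildcard):
            return action
    return None

# ---- Route-Policy: nodes are OR-ed, if-match clauses inside a node are AND-ed ----

def match_acl(acl):
    """if-match acl <n>: true when a permit rule of the ACL matches the route's
    network address; the mask length is invisible to the ACL."""
    return lambda route: acl_lookup(acl, route["prefix"].split("/")[0]) == "permit"

def run_route_policy(policy, route):
    """Return ('permit' | 'deny', route after apply clauses). A matching permit node
    runs its apply clauses and stops; a matching deny node stops without apply; a node
    that does not match falls through to the next one; no node matching -> deny."""
    r = dict(route)
    for node in policy:
        if all(clause(r) for clause in node["match"]):
            if node["mode"] == "permit":
                r.update(node.get("apply", {}))
                return "permit", r
            return "deny", r
    return "deny", r

# ACL 2000 on R1 (from the configuration above): deny 10.1.1.0/24, permit everything else.
ACL_2000_R1 = [("deny", "10.1.1.0", "0.0.0.255"), ("permit", None, None)]

# ACL 2000 and route-policy huawei-control on R4 (from the configuration above).
ACL_2000_R4 = [("permit", "10.1.1.0", "0.0.0.255"), ("permit", "10.1.3.0", "0.0.0.255")]
HUAWEI_CONTROL = [{"mode": "permit", "match": [match_acl(ACL_2000_R4)]}]

# R4's direct routes as offered to import-route (constructed; cost 1 is an assumption).
R4_DIRECT = [{"prefix": p, "cost": 1}
             for p in ("10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "34.1.1.0/24")]

def r1_import_decisions():
    """R1's ACL verdict per candidate route. 10.1.1.0/24 and the constructed
    10.1.1.128/25 get the same verdict because only the network address is compared."""
    routes = ("10.1.1.0/24", "10.1.1.128/25", "10.1.2.0/24", "10.1.3.0/24")
    return {p: acl_lookup(ACL_2000_R1, p.split("/")[0]) for p in routes}

def r4_exported_by_route_policy():
    """Prefixes that pass route-policy huawei-control on R4."""
    return sorted(r["prefix"] for r in R4_DIRECT
                  if run_route_policy(HUAWEI_CONTROL, r)[0] == "permit")

# Constructed policy (not on the page): node 10 denies 10.1.2.0/24; node 20 permits routes
# matching BOTH of its ACLs and sets cost 21; node 30 has no if-match, so it permits the rest.
DEMO_POLICY = [
    {"mode": "deny",   "match": [match_acl([("permit", "10.1.2.0", "0.0.0.255")])]},
    {"mode": "permit", "match": [match_acl([("permit", "10.1.0.0", "0.0.255.255")]),
                                 match_acl([("permit", "10.1.3.0", "0.0.0.255")])],
                       "apply": {"cost": 21}},
    {"mode": "permit", "match": []},
]

def demo_decisions():
    """(verdict, resulting cost) per R4 direct route under DEMO_POLICY."""
    out = {}
    for r in R4_DIRECT:
        verdict, after = run_route_policy(DEMO_POLICY, r)
        out[r["prefix"]] = (verdict, after["cost"])
    return out

if __name__ == "__main__":
    print("R1 import:", r1_import_decisions())
    print("R4 export:", r4_exported_by_route_policy())
    print("demo     :", demo_decisions())
```

Two things worth checking on a real device follow directly from the model: a route that hits a deny rule of the ACL, or no rule at all, simply does not satisfy the if-match clause and falls through to the next node, so whether it is ultimately dropped depends on whether a later node catches it; and because the ACL never sees the mask length, any more specific route sharing the 10.1.1.0 network address is filtered on R1 together with 10.1.1.0/24.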


Source: blog.csdn.net/weixin_43997530/article/details/108916660