Routing Policy Introduction and Configuration Examples
Definition
A routing policy mainly implements route filtering and the setting of route attributes. By changing route attributes (including reachability), it changes the path that network traffic takes through the network.
Purpose and advantages

Purpose
When a routing protocol advertises, receives and imports routing information, policies are applied according to the actual networking requirements in order to filter the routing information and change its attributes, for example:
- Controlling the receiving and advertising of routes: only necessary and legitimate routing information is advertised and received, which controls the size of the routing table and improves network security.
- Controlling the importing of routes: when a routing protocol imports routes discovered by other routing protocols to enrich its own routing information, only the routes that meet the conditions are imported.
- Setting attributes for specific routes: the attributes of the routes selected by the routing policy are modified to meet the operator's needs.
Advantages
- Controlling the size of the router's routing table saves system resources.
- Controlling the receiving, advertising and importing of routes improves network security.
- Modifying route attributes allows network traffic to be planned reasonably, which improves network performance.
Basic Principles of Routing Policies

Routing Policy Principle
Routing policies use different matching conditions and matching modes to select routes and change route attributes. In specific scenarios, the six filters of the routing policy can also be used independently to implement route filtering. If the device supports the BGP to IGP function, BGP private attributes can also be used as matching conditions when an IGP imports BGP routes.
Schematic diagram of routing policy
A routing policy contains N (N ≥ 1) nodes (Node). When a route enters the routing policy, the nodes are checked in ascending order of node sequence number to see whether the route matches each of them. The matching conditions are defined by if-match clauses and involve the route's information and the six kinds of filter described below.
When a route matches all the if-match clauses of a node, it enters the matching mode of that node and is not matched against any further nodes. There are two matching modes, permit and deny:
- Permit: the route is allowed to pass, and the apply clauses of the node are executed to set some attributes of the route.
- Deny: the route is rejected.
Filters
The six types of filter used in the if-match clauses of a routing policy are ACL, address prefix list, AS path filter, community attribute filter, extended community attribute filter and RD attribute filter.

ACL
An ACL is a filter that uses the inbound interface, source or destination address, protocol type, and source or destination port number of a packet as matching conditions. It can be used on its own when each routing protocol advertises and receives routes. Only basic ACLs are supported in the if-match clause of a route-policy.
Address prefix list
- An address prefix list uses the source address, destination address and next-hop address as matching conditions, and is used independently when each routing protocol advertises and receives routes.
- Each address prefix list contains multiple indexes (index); each index corresponds to a node. The nodes are checked in ascending order of index number. As soon as one node matches, the remaining nodes are not checked. If no node matches, the route is filtered.
- Depending on the prefix to be matched, the prefix list can match the mask exactly or within a given range of mask lengths.
- When the IP address is 0.0.0.0, it is a wildcard address: all routes whose mask length falls within the specified range are permitted or denied.
AS path filter
The AS path filter uses the BGP AS_Path attribute as its matching condition and can be used on its own when BGP advertises and receives routes. The AS_Path attribute records all the AS numbers that a BGP route has passed through.
Community attribute filter
The community attribute filter uses the BGP community attribute as its matching condition and can be used on its own when BGP advertises and receives routes. The BGP community attribute identifies a group of routes with common properties.
Extended community attribute filter
The extended community attribute filter uses the BGP extended community attribute as its matching condition and can be used on its own when VPN Target is used to distinguish routes in a VPN configuration.
Currently, the extended community attribute filter is only used to match the VPN Target attribute in a VPN. The VPN Target attribute controls the distribution and reception of VPN routing information between sites in a BGP/MPLS IP VPN network.
RD attribute filter
The RD attribute filter uses the RD attribute of a VPN as its matching condition and can be used on its own when the RD attribute is used to distinguish routes in a VPN configuration.
A VPN instance achieves address space independence through the route distinguisher (RD), which distinguishes prefixes that use the same address space.
BGP to IGP
The BGP to IGP function enables an IGP to recognize the private attributes of BGP routes, such as Community, Extcommunity and AS-Path.
Routing policies can be applied when an IGP imports BGP routes. Only when the device supports the BGP to IGP function can BGP private attributes be used as matching conditions in the routing policy. If the device does not support the BGP to IGP function, the IGP cannot recognize the private attributes of the BGP routes and the matching condition fails.
Routing Policy Configuration Example

Example of filtering received and advertised routes
Networking requirements
On a network running OSPF, R1 receives routes from the Internet and provides Internet routes for the OSPF network.
Requirements
- In the OSPF network, only the three network segments 172.16.17.0/24, 172.16.18.0/24 and 172.16.19.0/24 can be accessed.
- The network connected to R3 can only access the 172.16.18.0/24 network segment.
Configuration idea
- Configure a routing policy on R1 and apply it when advertising routes, so that R1 only provides the routes 172.16.17.0/24, 172.16.18.0/24 and 172.16.19.0/24 to R2; then only these three network segments can be accessed from the OSPF network.
- Configure a routing policy on R3 and apply it when importing routes, so that R3 only receives the route 172.16.18.0/24; then the network connected to R3 can only access the 172.16.18.0/24 network segment.
Configuration:
Configuring basic OSPF functions
Configure 5 static routes on RouterA (AR1) and import these static routes into OSPF.
[AR1]ip route-static 172.16.16.0 24 NULL 0
[AR1]ip route-static 172.16.17.0 24 NULL 0
[AR1]ip route-static 172.16.18.0 24 NULL 0
[AR1]ip route-static 172.16.19.0 24 NULL 0
[AR1]ip route-static 172.16.20.0 24 NULL 0
# import the static routes into OSPF process 1 (the step is described above; the commands were missing from the original listing)
[AR1]ospf 1
[AR1-ospf-1]import-route static
Route advertisement policy
Configure the route advertisement policy
[AR1]ip ip-prefix 789 permit 172.16.17.0 24
[AR1]ip ip-prefix 789 permit 172.16.18.0 24
[AR1]ip ip-prefix 789 permit 172.16.19.0 24
[AR1]dis ip ip-prefix 789
Prefix-list 789
Permitted 0
Denied 0
        index: 10   permit 172.16.17.0/24
        index: 20   permit 172.16.18.0/24
        index: 30   permit 172.16.19.0/24
Configure the advertisement policy on R1, referring to address prefix list 789 for filtering (the list name in the filter-policy command must be the one created above, 789):
[AR1-ospf-1]filter-policy ip-prefix 789 export static
Check the IP routing table on another router (here R2): only the routes defined in prefix list 789 are received.
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
  127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      172.16.17.0/24  O_ASE   150  1           D   192.168.12.1    GigabitEthernet0/0/1
      172.16.18.0/24  O_ASE   150  1           D   192.168.12.1    GigabitEthernet0/0/1
      172.16.19.0/24  O_ASE   150  1           D   192.168.12.1    GigabitEthernet0/0/1
     192.168.12.0/24  Direct  0    0           D   192.168.12.2    GigabitEthernet0/0/1
     192.168.12.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
   192.168.12.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
     192.168.23.0/24  Direc
Configure the route receiving policy
When no receiving policy is configured:
[AR3-ospf-1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
  127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      172.16.17.0/24  O_ASE   150  1           D   192.168.23.2    GigabitEthernet0/0/1
      172.16.18.0/24  O_ASE   150  1           D   192.168.23.2    GigabitEthernet0/0/1
      172.16.19.0/24  O_ASE   150  1           D   192.168.23.2    GigabitEthernet0/0/1
     192.168.12.0/24  OSPF    10   2           D   192.168.23.2    GigabitEthernet0/0/1
     192.168.23.0/24  Direct  0    0           D   192.168.23.3    GigabitEthernet0/0/1
     192.168.23.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
   192.168.23.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
     192.168.24.0/24  OSPF    10   2           D   192.168.23.2    GigabitEthernet0/0/1
  255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
Configure the address prefix list on R3 and apply it when importing routes
# prefix list 18 permits only 172.16.18.0/24 (the original listing omits this command, but the filter below refers to list 18 and the result shows only that route)
[AR3]ip ip-prefix 18 permit 172.16.18.0 24
[AR3]ospf 1
[AR3-ospf-1]filter-policy ip-prefix 18 import
View the routing table:
[AR3-ospf-1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
  127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      172.16.18.0/24  O_ASE   150  1           D   192.168.23.2    GigabitEthernet0/0/1
     192.168.23.0/24  Direct  0    0           D   192.168.23.3    GigabitEthernet0/0/1
     192.168.23.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
   192.168.23.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
  255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
[AR3-ospf-1]
filter-policy import
The OSPF routing table still contains all three routes defined in list 789. The filter-policy import command only filters routes as they are added from the protocol routing table to the local core routing table; it does not change what OSPF itself learns.
View the OSPF routing table of R3:
[AR3-ospf-1]dis ospf routing

          OSPF Process 1 with Router ID 3.3.3.3
                  Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.23.0/24    1     Transit    192.168.23.3    3.3.3.3         0.0.0.0
 192.168.12.0/24    2     Transit    192.168.23.2    1.1.1.1         0.0.0.0
 192.168.24.0/24    2     Transit    192.168.23.2    2.2.2.2         0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 172.16.17.0/24     1         Type2      1           192.168.23.2    1.1.1.1
 172.16.18.0/24     1         Type2      1           192.168.23.2    1.1.1.1
 172.16.19.0/24     1         Type2      1           192.168.23.2    1.1.1.1

 Total Nets: 6
 Intra Area: 3  Inter Area: 0  ASE: 3  NSSA: 0
Apply routing policies when importing routes
Networking requirements
R1 and R2 exchange routing information through OSPF, and R2 and R3 exchange routing information through IS-IS. After the routes of the IS-IS network are imported into the OSPF network on R2, the route 172.17.1.0/24 should have a lower route selection priority in the OSPF network, and the route 172.17.2.0/24 should carry an identifier to facilitate the use of routing policies in the future.
Configuration idea
Use the following ideas to configure the routing policy applied when importing routes:
- Configure a routing policy on RouterB, set the cost of the route 172.17.1.0/24 to 100, and apply the routing policy when OSPF imports IS-IS routes, so that this route has a lower route selection priority in the OSPF network.
- Configure a routing policy on RouterB, set the Tag attribute of the route 172.17.2.0/24 to 20, and apply the routing policy when OSPF imports IS-IS routes, so that the route 172.17.2.0/24 carries an identifier to facilitate the use of routing policies in the future.
Configuration:
AR1
#
 sysname AR1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.12.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 192.168.12.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
AR2
#
 sysname AR2
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
isis 1
 is-level level-2
 network-entity 49.0000.0000.0002.00
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.23.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet0/0/1
 ip address 192.168.12.2 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ospf 1 router-id 2.2.2.2
 import-route isis 1
 area 0.0.0.0
  network 192.168.12.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
AR3
#
 sysname AR3
#
 board add 0/4 4GET
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
isis 1
 is-level level-2
 network-entity 49.0000.0000.0003.00
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 192.168.23.3 255.255.255.0
 isis enable 1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet4/0/0
#
interface GigabitEthernet4/0/1
 ip address 172.17.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet4/0/2
 ip address 172.17.2.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet4/0/3
 ip address 172.17.3.1 255.255.255.0
 isis enable 1
#
interface NULL0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
Check the OSPF routing table of AR1
Check the OSPF routing table of R1; the imported routes can be seen.
<AR1>dis ospf routing

          OSPF Process 1 with Router ID 1.1.1.1
                  Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.12.0/24    1     Transit    192.168.12.1    1.1.1.1         0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 172.17.1.0/24      1         Type2      1           192.168.12.2    2.2.2.2
 172.17.2.0/24      1         Type2      1           192.168.12.2    2.2.2.2
 172.17.3.0/24      1         Type2      1           192.168.12.2    2.2.2.2
 192.168.23.0/24    1         Type2      1           192.168.12.2    2.2.2.2

 Total Nets: 5
 Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0
<AR1>
Configure the filter lists and the route-policy on AR2
Matching rules:
[AR2]ip ip-prefix 171 index 10 permit 172.17.1.0 24
[AR2]ip ip-prefix 172 index 10 permit 172.17.2.0 24
# match 172.17.1.0/24 and change its cost to 100
[AR2]route-policy isisospf permit node 10
[AR2-route-policy]if-match ip-prefix 171
[AR2-route-policy]apply cost 100
[AR2-route-policy]quit
# match 172.17.2.0/24 and change its tag to 20
[AR2]route-policy isisospf permit node 20
[AR2-route-policy]if-match ip-prefix 172
[AR2-route-policy]apply tag 20
[AR2-route-policy]quit
Access control lists can also be used for matching instead of prefix lists (note that the two nodes need different node numbers: node 10 for the cost change and node 20 for the tag):
acl 2001
 rule permit source 172.17.1.0 0.0.0.255
acl 2002
 rule permit source 172.17.2.0 0.0.0.255
route-policy isisospf permit node 10
 if-match acl 2001
 apply cost 100
route-policy isisospf permit node 20
 if-match acl 2002
 apply tag 20
# match all other routes without modifying their attributes
[AR2]route-policy isisospf permit node 30
[AR2-route-policy]quit
# apply the route-policy when OSPF imports the IS-IS routes
[AR2]ospf 1
[AR2-ospf-1]import-route isis 1 route-policy isisospf
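To make the matching rules concrete, the following Python model (added here; it is not code from the page or from Huawei) replays how an address prefix list and a route-policy evaluate routes as described in the principle and prefix-list sections above, using prefix list 789 from the first example and route-policy isisospf from this one. It assumes the VRP behaviour that a route matching no node of a route-policy is denied, which is why the catch-all node 30 is needed, and that a node without if-match clauses matches every route.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str    # e.g. "172.17.1.0/24"
    cost: int = 1
    tag: int = 1

def prefix_list_permits(entries, route):
    """entries: (index, action, pattern, greater_equal, less_equal). Indexes are
    tried in ascending order, the first match decides, no match means filtered."""
    net = ipaddress.ip_network(route.prefix)
    for _idx, action, pattern, ge, le in sorted(entries, key=lambda e: e[0]):
        pat = ipaddress.ip_network(pattern)
        lo = pat.prefixlen if ge is None else ge                          # exact mask unless
        hi = (pat.prefixlen if ge is None else 32) if le is None else le  # a range is given
        wildcard = pat.network_address == ipaddress.ip_address("0.0.0.0")  # 0.0.0.0 entry
        if lo <= net.prefixlen <= hi and (wildcard or net.subnet_of(pat)):
            return action == "permit"
    return False

def run_route_policy(nodes, prefix_lists, route):
    """nodes: (node, mode, [if-match prefix-list names], {apply attrs}). Nodes are
    tried in ascending order; the first node whose if-match clauses ALL match decides
    (no if-match clause matches everything); permit applies attributes, deny drops."""
    for _node, mode, if_match, apply in sorted(nodes, key=lambda n: n[0]):
        if all(prefix_list_permits(prefix_lists[n], route) for n in if_match):
            if mode != "permit":
                return None
            return Route(route.prefix, apply.get("cost", route.cost), apply.get("tag", route.tag))
    return None    # matched no node: filtered

# First scenario: prefix list 789 behind "filter-policy ip-prefix 789 export static"
PL_789 = [(10, "permit", "172.16.17.0/24", None, None),
          (20, "permit", "172.16.18.0/24", None, None),
          (30, "permit", "172.16.19.0/24", None, None)]
STATICS = [Route(f"172.16.{i}.0/24") for i in range(16, 21)]   # the five static routes

def exported_routes():
    return [r.prefix for r in STATICS if prefix_list_permits(PL_789, r)]

# Second scenario: route-policy isisospf on R2 (nodes 10, 20 and the catch-all node 30)
PREFIX_LISTS = {"171": [(10, "permit", "172.17.1.0/24", None, None)],
                "172": [(10, "permit", "172.17.2.0/24", None, None)]}
ISISOSPF = [(10, "permit", ["171"], {"cost": 100}),
            (20, "permit", ["172"], {"tag": 20}),
            (30, "permit", [], {})]
ISIS_ROUTES = [Route("172.17.1.0/24"), Route("172.17.2.0/24"), Route("172.17.3.0/24")]

def imported_routes(nodes=ISISOSPF):
    # prefix -> (cost, tag) after the route-policy; dropped routes are absent
    results = [run_route_policy(nodes, PREFIX_LISTS, r) for r in ISIS_ROUTES]
    return {r.prefix: (r.cost, r.tag) for r in results if r is not None}
```

Calling imported_routes(ISISOSPF[:2]) shows what happens without node 30: 172.17.3.0/24 matches no node and is dropped from the import.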
View the OSPF routing table of AR1 again: 172.17.1.0/24 now has cost 100 and 172.17.2.0/24 carries tag 20, while the other routes are unchanged.
<AR1>dis ospf routing

          OSPF Process 1 with Router ID 1.1.1.1
                  Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.12.0/24    1     Transit    192.168.12.1    1.1.1.1         0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 172.17.1.0/24      100       Type2      1           192.168.12.2    2.2.2.2
 172.17.2.0/24      1         Type2      20          192.168.12.2    2.2.2.2
 172.17.3.0/24      1         Type2      1           192.168.12.2    2.2.2.2
 192.168.23.0/24    1         Type2      1           192.168.12.2    2.2.2.2

 Total Nets: 5
 Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0