2023年6月26日发(作者：)

ROUTE-POLICY 策略路由规则详解

在工程中经常遇到route-policy用于策略路由的情况，下面就对route-polic和ACL间的匹配规则详解如下：

一、 试验环境

A(E0/0)--192.168.1.0--(E0/0)B(S0/0)--10.0.0.0--(S0/0)C(E0/0)--192.168.2.0--(E0/0)D

拓扑说明：

AB之间的网段为192.168.1.0 。AB分别通过E0/0口互联。

CD之间的网段为192.168.2.0 。CD分别通过E0/0口互联。

BC之间分别通过S0/0 中间通过帧中继交换机互联,共配置3个子接口，DLCI分别是100 200 300（两端相同）。

二、 测试结论：

未做任何策略

#

interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0=

在路由器A Tracert路由结果如下：

dis clock

08:48:03 UTC Fri 11/28/2008

tracert -m 5 -a 192.168.1.2 192.168.2.2

traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet

Press CTRL_C to break

1 192.168.1.1 3 ms 1 ms 2 ms

2 10.0.0.10 19 ms 18 ms 19 ms

3 192.168.2.2 20 ms 21 ms 20 ms

由此可得出未做route-policy的时候，是按照全局路由表中的路由条目转发数据流的。

1、 permit+permit

#

interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0

ip policy route-policy t1

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

acl number 3001

rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

#

route-policy t1 permit node 10

if-match acl 3000

apply ip-address next-hop 10.0.0.2

route-policy t1 permit node 20

apply ip-address next-hop 10.0.0.6

在路由器A Tracert路由结果如下： dis clock

08:50:33 UTC Fri 11/28/2008

tracert -m 5 -a 192.168.1.2 192.168.2.2

traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet

Press CTRL_C to break

1 192.168.1.1 2 ms 2 ms 1 ms

2 10.0.0.2 20 ms 20 ms 22 ms

3 192.168.2.2 19 ms 20 ms 19 ms

由此结果可得出此时数据流匹配了规则node 10 。也就是route-policy permit对于和ACL permit规则匹配的数据流执行node 10中的匹配规则。

2、 permit+deny

#

interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0

ip policy route-policy t2

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

acl number 3001

rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

#

route-policy t2 permit node 10

if-match acl 3001

apply local-preference 2300

route-policy t2 permit node 20

apply ip-address next-hop 10.0.0.6

在路由器A Tracert路由结果如下：

dis clock

08:53:00 UTC Fri 11/28/2008

tracert -m 5 -a 192.168.1.2 192.168.2.2

traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet

Press CTRL_C to break

1 192.168.1.1 2 ms 2 ms 4 ms

2 10.0.0.6 19 ms 19 ms 20 ms

3 192.168.2.2 20 ms 20 ms 20 ms

由此结果的得出route-policy 的permit 对于和ACL DENY 规则相匹配的数据流，不执行node 10 中的策略，而是继续匹配下面的规则。

3、 deny+permit

#

interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0

ip policy route-policy t3 #

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

acl number 3001

rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

#

route-policy t3 deny node 10

if-match acl 3000

apply ip-address next-hop 10.0.0.2

route-policy t3 permit node 20

apply ip-address next-hop 10.0.0.6

在路由器A Tracert路由结果如下：

dis clock

08:54:42 UTC Fri 11/28/2008

tracert -m 5 -a 192.168.1.2 192.168.2.2

traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet

Press CTRL_C to break

1 192.168.1.1 2 ms 2 ms 1 ms

2 10.0.0.10 19 ms 18 ms 19 ms

3 192.168.2.2 20 ms 20 ms 22 ms

由此结果可得出，route-policy 的deny 对于和ACL permit规则相匹配的数据流直接进行DENY ,并且不再匹配后续的规则，而是转入了系统全局路由表执行常规的路由策略。

4、 deny+deny

#

interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0

ip policy route-policy t4

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

acl number 3001

rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

#

route-policy t4 deny node 10

if-match acl 3001

apply local-preference 2300

route-policy t4 permit node 20

apply ip-address next-hop 10.0.0.6

在路由器A Tracert路由结果如下：

tracert -m 5 -a 192.168.1.2 192.168.2.2

traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packet

Press CTRL_C to break 1 192.168.1.1 3 ms 2 ms 2 ms

2 10.0.0.6 19 ms 18 ms 22 ms

3 192.168.2.2 20 ms 21 ms 19 ms

有此结果可得出：route-policy deny 对于和ACL deny 规则相匹配的数据流，不会执行node 10的规则，但是会继续匹配下面的规则。

三、 总结策略路由规则如下：

1、 对于和ACL的匹配和常规的ACL匹配规则完全一致，没有什么不同。

2、 对于策略路由来说router-policy 尽管也有缺省DENY的规则，但是被DENY的数据流不会丢弃，只是不进行策略路由而已。（对于路由策略则不一样）。

附件1：

相关版本和配置信息：

路由器A:

dis ver

Huawei Versatile Routing Platform Software

VRP software, Version 3.40, Release 0201P29

Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.

Without the owner's prior written consent, no decompiling

nor reverse-engineering shall be allowed.

Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 39 minutes

Last reboot 2008/11/28 07:22:50

System returned to ROM By Command.

CPU type: PowerPC 8241 200MHz

128M bytes SDRAM Memory

32M bytes Flash Memory

PCB Version:4.0

Logic Version:1.0

BootROM Version:9.23

[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0

vrbd

Routing Platform Software

Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE

Compiled Oct 22 2008 18:24:10 by jiahua

dis cu

dis current-configuration #

sysname AR2810-A

#

interface Ethernet0/0

ip address 192.168.1.2 255.255.255.0

#

ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 preference 60

路由器B：

[AR2810-B]dis version

Huawei Versatile Routing Platform Software

VRP software, Version 3.40, Release 0201P29

Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.

Without the owner's prior written consent, no decompiling

nor reverse-engineering shall be allowed.

Quidway AR28-10 uptime is 0 week, 0 day, 0 hour, 53 minutes

Last reboot 2021/08/22 03:19:36

System returned to ROM By Command.

CPU type: PowerPC 8241 200MHz

128M bytes SDRAM Memory

32M bytes Flash Memory

PCB Version:4.0

Logic Version:1.0

BootROM Version:9.23

[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0

[AR2810-B]vrbd

Routing Platform Software

Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE

Compiled Oct 22 2008 18:24:10 by jiahua

[AR2810-B]dis current-configuration

#

sysname AR2810-B

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

acl number 3001

rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

# interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0

ip policy route-policy t4

#

interface Serial0/0

link-protocol fr

#

interface Serial0/0.100

fr dlci 100

ip address 10.0.0.1 255.255.255.252

#

interface Serial0/0.200

fr dlci 200

ip address 10.0.0.5 255.255.255.252

#

interface Serial0/0.300

fr dlci 300

ip address 10.0.0.9 255.255.255.252

#

route-policy t1 permit node 10

if-match acl 3000

apply ip-address next-hop 10.0.0.2

route-policy t1 permit node 20

apply ip-address next-hop 10.0.0.6

route-policy t2 permit node 10

if-match acl 3001

apply local-preference 2300

route-policy t2 permit node 20

apply ip-address next-hop 10.0.0.6

route-policy t3 deny node 10

if-match acl 3000

apply ip-address next-hop 10.0.0.2

route-policy t3 permit node 20

apply ip-address next-hop 10.0.0.6

route-policy t4 deny node 10

if-match acl 3001

apply local-preference 2300

route-policy t4 permit node 20

apply ip-address next-hop 10.0.0.6

#

ip route-static 192.168.2.0 255.255.255.0 10.0.0.10 preference 60

路由器C：

[AR2810-C]dis ver Huawei Versatile Routing Platform Software

VRP software, Version 3.40, Release 0201P29

Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.

Without the owner's prior written consent, no decompiling

nor reverse-engineering shall be allowed.

Quidway AR28-10 uptime is 0 week, 0 day, 2 hours, 59 minutes

Last reboot 2000/10/11 00:54:49

System returned to ROM By Command.

CPU type: PowerPC 8241 200MHz

128M bytes SDRAM Memory

32M bytes Flash Memory

PCB Version:4.0

Logic Version:1.0

BootROM Version:9.23

[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0

[AR2810-C]vrbd

Routing Platform Software

Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE

Compiled Oct 22 2008 18:24:10 by jiahua

[AR2810-C]dis cu

#

sysname AR2810-C

#

interface Ethernet0/0

ip address 192.168.2.1 255.255.255.0

#

interface Serial0/0

clock DTECLK1

link-protocol fr

#

interface Serial0/0.100

fr dlci 100

ip address 10.0.0.2 255.255.255.252

#

interface Serial0/0.200

fr dlci 200

ip address 10.0.0.6 255.255.255.252

#

interface Serial0/0.300 fr dlci 300

ip address 10.0.0.10 255.255.255.252

#

ip route-static 192.168.1.0 255.255.255.0 10.0.0.9 preference 60

路由器D：

dis ver

Huawei Versatile Routing Platform Software

VRP software, Version 3.40, Release 0201P29

Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.

Without the owner's prior written consent, no decompiling

nor reverse-engineering shall be allowed.

Quidway AR28-10 uptime is 0 week, 0 day, 3 hours, 0 minute

Last reboot 2000/10/11 01:00:09

System returned to ROM By Command.

CPU type: PowerPC 8241 200MHz

128M bytes SDRAM Memory

32M bytes Flash Memory

PCB Version:1.0

Logic Version:1.0

BootROM Version:9.23

[SLOT 0] AUX (Hardware)1.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] 1FE (Hardware)1.0, (Driver)1.0, (CPLD)1.0

[SLOT 0] WAN (Hardware)1.0, (Driver)1.0, (CPLD)1.0

vrbd

Routing Platform Software

Version AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), RELEASE SOFTWARE

Compiled Oct 22 2008 18:24:10 by jiahua

dis cu

#

sysname AR2810-D

#

interface Ethernet0/0

ip address 192.168.2.2 255.255.255.0

#

ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 60