ROUTE-POLICY 策略路由规则详解.docxVIP

ROUTE-POLICY?策略路由规则详解在工程中经常遇到route-policy用于策略路由的情况，下面就对route-polic和ACL间的匹配规则详解如下：一、试验环境A(E0/0)--192.168.1.0--(E0/0)B(S0/0)--10.0.0.0--(S0/0)C(E0/0)--192.168.2.0--(E0/0)D 拓扑说明：AB之间的网段为192.168.1.0?。AB分别通过E0/0口互联。CD之间的网段为192.168.2.0?。CD分别通过E0/0口互联。BC之间分别通过S0/0?中间通过帧中继交换机互联,共配置3个子接口，DLCI分别是100?200?300（两端相同）。二、测试结论：未做任何策略# interface?Ethernet0/0 ?ip?address?192.168.1.1?255.255.255.0= 在路由器A?Tracert路由结果如下：AR2810-Adis?clock 08:48:03?UTC?Fri?11/28/2008 AR2810-Atracert?-m?5?-a?192.168.1.2?192.168.2.2 ?traceroute?to??192.168.2.2(192.168.2.2)?5?hops?max,40?bytes?packet ?Press?CTRL_C?to?break ?1?192.168.1.1?3?ms??1?ms??2?ms? ?2?10.0.0.10?19?ms??18?ms??19?ms? ?3?192.168.2.2?20?ms??21?ms??20?ms 由此可得出未做route-policy的时候，是按照全局路由表中的路由条目转发数据流的。1、 permit+permit # interface?Ethernet0/0 ?ip?address?192.168.1.1?255.255.255.0? ?ip?policy?route-policy?t1 # acl?number?3000 ?rule?0?permit?ip?source?192.168.1.0?0.0.0.255?destination?192.168.2.0?0.0.0.255 acl?number?3001 ?rule?0?deny?ip?source?192.168.1.0?0.0.0.255?destination?192.168.2.0?0.0.0.255 # route-policy?t1?permit?node?10 ??if-match?acl?3000 ?apply?ip-address?next-hop?10.0.0.2 route-policy?t1?permit?node?20 ?apply?ip-address?next-hop?10.0.0.6 在路由器A?Tracert路由结果如下：AR2810-Adis?clock?????????????????????????????? 08:50:33?UTC?Fri?11/28/2008 AR2810-Atracert?-m?5?-a?192.168.1.2?192.168.2.2 ?traceroute?to??192.168.2.2(192.168.2.2)?5?hops?max,40?bytes?packet ?Press?CTRL_C?to?break ?1?192.168.1.1?2?ms??2?ms??1?ms? ?2?10.0.0.2?20?ms??20?ms??22?ms? ?3?192.168.2.2?19?ms??20?ms??19?ms 由此结果可得出此时数据流匹配了规则node?10?。也就是route-policy?permit对于和ACL?permit规则匹配的数据流执行node?10中的匹配规则。2、 permit+deny # interface?Ethernet0/0 ?ip?address?192.168.1.1?255.255.255.0? ?ip?policy?route-policy?t2 # acl?number?3000 ?rule?0?permit?ip?source?192.168.1.0?0.0.0.255?destination?192.168.2.0?0.0.0.255 acl?number?3001 ?rule?0?deny?ip?source?192.168.1.0?0.0.0.255?destination?192.168.2.0?0.0.0.255 # route-policy?t2?permit?node?10 ?if-match?acl?3001 ?apply?local-preference?2300 route-poli