Beruflich Dokumente
Kultur Dokumente
Carrier-Class Router
Configuration Guide (Policy Template)
Version: 1.00.60
ZTE CORPORATION
NO. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright © 2013 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Figures............................................................................................................. I
Glossary ........................................................................................................ III
II
Intended Audience
This manual is intended for:
l Network planning engineers
l Commissioning engineers
l On-duty personnel
Chapter Summary
3, SAMGR Configuration Describes the SAMGR principle. For the configuration of SAMGR,
refer to the ZXR10 M6000 Carrier-Class Router Configuration Guide
(Reliability).
7, ROUTE-MAP Policy Describes the ROUTE-MAP, related routing policies and policy
Configuration routing principles, configuration commands, maintenance
commands, and configuration examples of the route-map policy.
Conventions
This manual uses the following typographical conventions:
Typeface Meaning
Italics Variables in commands. It may also refer to other related manuals and documents.
Bold Menus, menu options, function names, input fields, option button names, check boxes,
drop-down lists, dialog box names, window names, parameters, and commands.
Constant Text that you type, program codes, filenames, directory names, and function names.
width
[] Optional parameters.
{} Mandatory parameters.
II
When not called, the policy templates do not affect any services. The policy templates
can be called only when other services are interested in the policies provided by the policy
templates.
Once called, policy templates will function to make the services more flexible.
AAA Template
An AAA template provides templates for authentication, authorization and accounting.
SAMGR
In practical applications, a router provides multiple detection technologies. At the same
time, there are also many protection switching applications that need to monitor detection
results on a real-time basis to meet the requirements for availability in different network
structures. Therefore, the SAMGR is used to implement the linkage between various
detection technologies and services. The SAMGR can collect the results of various
availability detections to form a result set. Services that are concerned with the availability
can determine whether to take protection and switching measures in accordance with the
state of the result set.
In this way, services only need to be associated with the result list, instead of needing to
know the result of the availability detections.
1-1
Time-Range
A time–range provides the wake-up/hypnosis service for other services. A service can
subscribe to the state of a time-range list as the standard to start the service at specified
time. When the state of the time–range list changes, the service is informed to change its
own state.
ACL
An ACL filters packets in accordance with the fields in the packets. The most common
fields are the quintuplet in a packet, including the source IP address, the destination IP
address, the protocol type, the source port number, and the destination port number.
There may be several rules in an ACL. Each rule describes a certain matching condition.
For a specified packet, an ACL determines whether the packet matches a condition
from the first rule. Once the packet matches a condition, the ACL will take the action
(permit/deny) defined in the rule. After an ACL is applied to a service, the permit/deny
action is mapped to some actions defined for the service, for example, policy routing that
takes effect on the forwarding plane.
An ACL is mostly applied to an interface that forwards packets, and used as the basis for
permitting or denying packets.
IP Prefix-List
In an IP prefix-list, the prefix of the specified routes can be permitted or denied. After the
prefix-list is used in a service, the matched prefixes are mapped to actions in the service
in accordance with the corresponding permit/deny action.
Route-map
The function of a route-map is to set a specified action for a specified feature.
l The match command is used to set a specified feature.
l The set command is used to set a specified action.
When the match command is used, an ACL template or a prefix-list template can be called.
The ACL template and the prefix-list template are advanced templates in which other
templates can be embedded in this document.
1-2
2.1 Overview
All network Service Providers (SPs) have to ensure a reasonable usage of network
resources and user profit. AAA is developed to solve the requirements, which provides
an effective platform to manage users.
l Authentication: Validates the identities of users before allowing them to use network
resources.
l Authorization: Authorizes users to use network resources by using a specified
method.
l Accounting: Charges and audits users through collecting and recording the usage of
network resources.
AAA function uses a client/server model.
l The client is a program operating on a router. The client is responsible for forming
and sending data to the specified server, receiving responding messages from the
server, configuring data in accordance with the response of the server, and notifying
the application to perform different operations.
l The server is an AAA server program operating on a remote PC. The server is
responsible for receiving connection requests from users, authenticating user identity,
and returning user configuration information.
Remote Authentication Dial In User Service (RADIUS) implements AAA. Currently, AAA
supports the RADIUS authentication, authorization and accounting. AAA also supports
Terminal Access Controller Access-Control System Plus (TACACS+) authentication,
authorization and accounting.
For example, a user wants to log in to a router through SSH. User identity needs to
be authenticated. The SSH program sends authentication information (user name,
and password) to the AAA server. The AAA server checks the received authentication
information by using the database, and determines whether the authentication can be
passed. Users can run commands with some privilege levels after the authentication is
passed.
2-1
2-2
Parameter Description
none No authentication.
local-radius Perform local authentication first. If the user does not exist, use RADIUS
authentication. If local authentication is refused, RADIUS authentication is not used.
radius-local Perform the RADIUS authentication first. If the RADIUS configuration is wrong or
times out, perform the local authentication. If radius authentication is refused,
do not perform the local authentication.
local-tacacs Perform the local authentication first. If the user does not exist, use TACACS
authentication. If local authentication is refused, do not perform the TACACS
authentication.
tacacs-local Perform the TACACS authentication first. If the TACACS configuration is wrong or
times out, perform local authentication. If the TACACS authentication is refused,
do not perform the local authentication.
2-3
Parameter Description
none No authorization.
Parameter Description
none No accounting.
Command Function
2-4
After the authentication modes are configured for each template, configure
server groups that corresponds to the authentication mode for the templates (it is
unnecessary to configure server groups for the LOCAL authentication and the NONE
authentication).
2. Configure a user management authentication template and a user management
authorization template. Bind the AAA templates to the user management templates.
When users log in, authentication and authorization will be performed in accordance
with the AAA configuration. If not used in user management, the AAA does not
function when users log in.
Configuration Flow
1. Determine the authentication, authorization, and accounting modes that
will be used. Before AAA templates are configured, create server groups
corresponding to the modes. (for example, if the TACACS+ authentication
mode is used, create a TACACS+ server group first). Otherwise, when the
authentication/authorization/accounting server is configured for the specified mode in
an AAA template, the system prompts that the server group does not exist.
2. The AAA templates are configured individually, so other services
can use these templates flexibly. Configure required templates
(authentication/authorization/accounting), and specify a sequence numbers for these
templates.
3. Configure the modes in the templates. If the modes are related to TACACS+ or
RADIUS, specify server groups for the modes.
4. When the AAA templates are configured and other service call the templates, the AAA
templates function.
2-5
Configuration Command
Run the following commands on the ZXR10 M6000:
/*Enable the TACACS+ service on the device. Configure the TACACS+ server group
that will be used by the authentication template and the authorization template.
(For details, refer to the corresponding chapter in this manual.)*/
ZXR10(config)#tacacs enable
ZXR10(config)#tacacs-server host 192.168.1.2 key zte
ZXR10(config)#tacplus group-server ztegroup
ZXR10(config-sg)#server 192.168.1.2
ZXR10(config-sg)#exit
/*radius configuration*/
ZXR10(config)#radius accounting-group 1
ZXR10(config-authgrp-1)#server 1 192.168.1.2 master key zte
ZXR10(config-authgrp-1)#algorithm round-robin
ZXR10(config-authgrp-1)#max-retries 3
ZXR10(config-authgrp-1)#timeout 30
ZXR10(config-authgrp-1)#deadtime 0
ZXR10(config-authgrp-1)#exit
ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type tacacs-local
ZXR10(config-aaa-authen-template)#authentication-tacacs-group ztegroup
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type mix-tacacs
ZXR10(config-aaa-author-template)#authorization-tacacs-group ztegroup
ZXR10(config-aaa-author-template)#exit ZXR10(config)#aaa-accounting-template 1
ZXR10(config-aaa-acct-template)#aaa-accounting-type radius
ZXR10(config-aaa-acct-template)#accounting-radius-group first 1
ZXR10(config-aaa-acct-template)#exit
Configuration Verification
Run the show running-config aaa command to view the AAA configuration information,
which is displayed as follows:
2-6
authorization-tacacs-group ztegroup
!
aaa-accounting-template 1
aaa-accounting-type radius
accounting-radius-group first 1
!
! </AAA>
2-7
2-8
3-1
3-2
4.1 Overview
Time-Range Introduction
A time–range provides the wake-up/hypnosis service for other services. A user can
configure multiple time-ranges. Each time-range has its own name. In a time-range,
multiple periodic time segments and one absolute time segment can be defined.
A time-range takes effect in the following situations:
l Only an absolute time segment is configured, and the current system time is in the
absolute time segment.
l Only a periodic time segment is configured. No matter how many periodic time
segments are configured, the time-range is effective if the current system time
corresponds to any periodic time segment.
l Both absolute and periodic time segments are configured. The time-range is effective
only when the current system time corresponds to both absolute time segment and
any periodic time segment.
l After a time-range list is configured, no time segment is added. For an empty
time-range list, the state is always active.
An application can subscribe to some time-range from a time-range module. When the
state of the time-range changes, the time-range module will inform the application module
of the current state of the time-range, including active and inactive.
Time-Range Features
The time-range subsystem uses the Client/Server (C/S) structure.
l The main functions of time-range server are time-range configuration management,
time management, state broadcast, and data synchronization.
l The client is responsible for managing the registrations of application modules,
receiving the time-range state broadcast by the server, and informing the applications
that the time-range state is changed. To provide time-range state index, the client
also needs to maintain a table for saving all configured time-ranges and the states.
4-1
In time-range time management, the system time is used as the reference time for setting
a timer. The states of all time-ranges are checked periodically (once every 5 seconds).
The state of a time-range is scanned once every 5 seconds. So, during the configuration
of a time segment, the state of the time-range changes frequently, which is unfavourable
to stability. Therefore, it is necessary to use the operation area and working area mode.
A user can modify the data in the operation area when configuring the time-range. After
finishing the configuration, the user can exit the configuration mode and synchronize the
data from the operation area to the working area. During time segment calculation, only
the configuration in the working area is read.
An application module quotes a time-range name directly and obtains the current state
from the client.
1. The server informs the client of all time-range tables and states to the client. Later, it
inspects the time-range states and informs the client of the states periodically.
2. The client informs the application modules in turn after receiving the notifications. The
application modules perform the corresponding operations in accordance with their
actual requirements.
Parameter Description
start <time-date> The starting time of an absolute time segment. The format is hour:
minute: second month day year. The range is from 2001-01-01 00:00
to 2037-12-31 23:59. The second has to be a multiple of 15.
4-2
Parameter Description
end <time-date> The ending time of an absolute time segment. The format is hour:
minute: second month day year. The range is from 2001-01-01 00:00
to 2037-12-31 23:59. The second has to be a multiple of 15.
Parameter Description
Command Output
ZXR10#debug time-range [change-to {inactive | active}] Displays the system time, time-range name,
state before change, and state after change
when the sate of a time-range changes.
4-3
l Only an absolute time segment is configured, and the current system time is in
the absolute time segment.
l Only a periodic time segment is configured. No matter how many periodic time
segments are configured, the time-range is effective if the current system time
corresponds to any periodic time segment.
l Both absolute time segments and periodic time segments are configured. The
time-range is effective only when the current system time corresponds to both
absolute time segments and any periodic time segments.
l After a time-range list is configured, no time segment is added. For an empty
time-range, the state is always active.
Configuration Flow
In this example, configure a time-range named test. In this time-range, configure an
absolute time segment. The specified time segment is from 9:30 A.M. on 2011–01–14 to
9:30 A.M. on 2011–01–15. In this time-range, configure two periodic time segments. One
is from 8:00 A.M. to 8:30 A.M. every day, and the other is from 0:00 A.M. every Saturday
to 10:00 P.M. every Sunday.
In accordance with the third rule in which a time-range takes effect, the time intersections
of the absolute time segment and the periodic time segments are the effective time of a
time-range. When the system is in this effective range, the time-range takes effect.
In accordance with the configurations, the result of the time-range is described below.
From 8:00 A.M. to 8:30 A.M. on 2011–01–15 (Friday), and from 0:00 A.M. every Saturday
to 10:00 P.M. every Sunday, the state of the time-range is active. The first time intersection
is included in the second time intersection, which does not prevent the time-range from
taking effect.
The configuration procedure is described below.
1. Enable the time-range function and configure a time-range.
2. Determine the time point to trigger services and configure the time segments in the
time-range list.
3. Confirm the system time of the rack and make sure that the reference time of the
time-range is correct.
Configuration Command
1. Run the following commands to enable the time-range function and configure a
time-range.
R2(config)#time-range enable
R2(config)#time-range test
R2(config-tr)#exit
2. Run the following commands to configure time segments.
Configure an absolute time segment. Configure the start time and end time in
accordance with demand. This means that the time-range is effective in a specified
time on a specified date. (You can also configure the start time only, which means
4-4
that the time-range is always effective from the start time. You can also configure the
end time only, which means that the time-range is not effective from the end time.)
l Run the following commands to configure an absolute time segment. The effective
time is from 9:30 A.M. on 2011–01–14 to 9:30 A.M. on 2011–01–15. in accordance
with the first rule in which situation a time-range takes effect, the time-range is
effective in this absolute time segment.
l If there are other time segments in this time-range, so long as the absolute
time segment has an time intersection with any periodic time segment in the
time-range, the time range is effective during the time intersection.
R2(config-tr)#absolute start 9:30:00 1-14-2011 end 9:30:00 1-15-2011
Configure periodic time segments. In a periodic time segment, the specified data is
not configured. Instead, some say of a week is configured, or daily, weekdays and
weedend can be configured.
Configure another periodic time segment. The start time is Saturday, and the end time
is the unique day after Saturday in a week, that is, Sunday.
R2(config-tr)#periodic daily 8:00:00 to 8:30:00
/*Configure a periodic time segment. The effective time segment is from
8:00 A.M. to 8:30 A.M. every day.*/
Configuration Verification
1. Run the show running-config time-range command to view the configuration result of
the time-range, which is displayed as follows:
R2(config)#show running-config time-range
!<TR>
time-range enable
time-range test
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00
4-5
$
! </TR>
R2(config)#
/*The displayed information is the same as that configured. There is one absolute
time segment and two periodic time segments.*/
2. Run the show time-range test command to view the time-range. When the system time
is not in the time segments, the state of the time-range is inactive.
R2(config)#show time-range test
Current time is 09:38:20 01-14-2011 Friday
time-range test <inactive>
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00
R2(config)#
3. Run the show time-range test command to view the time-range. When the system time
is in the time segments, the state of the time-range is active.
R2(config)#show time-range test
Current time is 03:59:33 01-15-2011 Saturday
time-range test <active>
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00
R2(config)#
It is assumed that PC1 sends TELNET requests to R1 through R2. However, R1 only
hopes to receive the login requests of PC1 in a certain time segment. So, a time-range
can be created and bound to an ACL. In the ingress of gei-0/1/0/3, bind this ACL. In this
way, TELNET packets from PC1 can be filtered in the specified time segment (the ACL
can also be bound in the outbound direction on gei-0/1/0/2), see Figure 4-1.
4-6
It is only necessary to configure one time-range and bind it to an ACL. In the ACL, configure
the following rules: For the packets that match the IP address of PC1, whose protocol type
is Transfer Control Protocol (TCP) and whose port type is TELNET, deny these packets
in the specified time segment. Then, bind this ACL to the ingress of gei-0/1/0/3 or the
outbound direction on gei-0/1/0/2.
After the configuration, only in the specified time segment of the time-range will the ACL
take effect. In this time segment, PC1 cannot log in to R1. After the active time segment
of the time-range, PC1 can log in to R1.
Configuration Flow
1. Create a time-range. Users can define a name for the time-range when creating it.
The name consists of at most 31 characters.
2. Enter time-range configuration mode and add a time segment.
3. Bind the time-range to the corresponding ACL as required. The ACL will take effect in
the time segment.
Configuration Command
The configuration of R2 is described below.
1. Run the following commands to create a time-range.
R2(config)#time-range enable
/*Enable the time-range function. If the time-range function is not enable, the
time-range cannot be created.*/
R2(config)#time-range test
R2(config-tr)#
/*Create a time-range named test.*/
2. Run the following command to add a time segment to the time-range.
/*Configure an absolute time range. The time-range can be set to take effect
from a certain time, or be effective before a certain time, or be effective in a
certain time segment.*/
R1(config-tr)#absolute start 08:00:00 1-1-2010 end 17:00:00 12-31-2010
/*Start from 08:00:00 on 2010-1-1 and end till 17:00:00 on 2010-12-31.*/
3. Run the following commands to bind the time-range to an ACL.
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 eq telnet
30.20.10.1 0.0.0.0 time-range test
R2(config-ipv4-acl)# rule 2 permit any
R2(config-ipv4-acl)#exit
4-7
Configuration Verification
Run the show time-range command to view the time-range information, including the
current system, the time-range name, the time segments, and the time-range state (active
or inactive), which is displayed as follows:
R1(config)#show time-range
Current time is 08:36:03 08-14-2009 Friday
time-range test <inactive>
absolute start 08:00:00 01-01-2010 end 17:00:00 12-31-2010
Run the show time-range test command to view the information of a specified time-range,
which is displayed as follows:
R1(config)#show time-range test
Current time is 08:37:28 08-14-2009 Friday
time-range test <inactive>
absolute start 08:00:00 01-01-2010 end 17:00:00 12-31-2010
Configuration Flow
Configure an SQA example whose type is ICMP. The SQA detection time is controlled by
a time-range.
1. Configure a time-range and set an absolute starting time as required.
4-8
2. Configure an SQA example, and set the SQA detection type to ICMP in accordance
with the network scenario.
3. Configure that the SQA detection start time is controlled by the specified time-range.
Configuration Command
1. Run the following commands to configure a time-range and configure a time segment
as required.
R2(config)#show clock
10:20:47 UTC Thu Jan 13 2011
R2(config)#time-range enable
R2(config)#time-range 1
R2(config-tr)#absolute start 10:30:00 1-13-2011
R2(config-tr)#exit
2. Run the following commands to configure an SQA example, and set the SQA detection
type to ICMP in accordance with the network scene.
R2(config)#sqa-test 1
R2(config-sqa)#type-icmp vrf mng 169.1.109.130
3. Run the following commands to configure that the SQA detection start time is controlled
by the specified time-range.
R2(config-sqa)#sqa-begin timerange 1 once
R2(config-sqa)#exit
/*SQA detection by using a time-range can only be triggered once. No matter
how many effective time segments there are in the time-range, only the first
effective time segment triggers the detection, that is, the meaning of "once"
in this command. The following effective time segments of the time-range will
not trigger SQA detection.Configure the start time of SQA detection. If the
specific time-range is null, this equals to "now" and SQA detection will ve
started immediately.*/
Configuration Verification
1. Run the show sqa command to view the configuration result, which is displayed as
follows:
R2(config)#show sqa-test 1
test type: ICMP
vrf:mng
destination IP:169.1.109.130
repeat:1
tos:0
ttl:255
size:36
interval time:100
send trap:disabletimerange name:1
2. When the time-range is not effective, run the show sqa-result command to check the
output information, which is displayed as follows:
4-9
R2(config)#show clock
10:22:41 UTC Thu Jan 13 2011
R2(config)#show sqa-result icmp
R2(config)#
3. When the time-range is effective, run the show sqa-result command to check the output
information, which is displayed as follows:
R2#show sqa-result icmp
icmp test[1] result
SendPackets:1 ResponsePackets:0
Completion:success Destination ip address:169.1.109.130
Min/Max/Avg/Sum/Last RTT:0/0/0/0/0ms
Min/Max/Avg/Sum Positive Jitter:0/0/0/0ms
Min/Max/Avg/Sum Negative Jitter:0/0/0/0ms
Min/Max/Avg/Sum Jitter:0/0/0/0ms
Packet loss rate:100%
Last Probe Time:2011-1-13 10:30:4
/*Detection was performed at 10:30:04 A.M. on 2011-01-13. ZXR10 sendt an ICMP
echo request to the host whose address is 169.1.109.130, and there was no
response. Thismight be because the IP address was unreachable dur to the
network environment, or ICMP service was not enabled on the host whose address
is 169.1.109.130, or the firewall on this host was set not to respond ICMP
echo requests.*/
4-10
5.1 Overview
An ACL is a flow classification tool. It can implement port-ACL, Unicast Reverse Path
Forwarding (URPF), and PBR functions.
An ACL filters packets in accordance with the fields in the packets. The most common
fields are the quintuplet in a packet, including the source IP address, the destination IP
address, the protocol type, the source port number, and the destination port number.
There may be several rules in an ACL. Each rule describes a certain matching condition.
For a specified packet, an ACL determines whether the packet matches a condition
from the first rule. Once the packet matches a condition, the ACL will take the action
(permit/deny) defined in the rule. After an ACL is applied to a service, the permit/deny
action is mapped to some actions defined for the service, for example, policy routing that
takes effect on the forwarding plane.
5-1
ttype>}|range <0-65535>-<0-65535>}]{<destination><destination-wi
ldcard>|any}[{<operator>{<0-65535>|<destination-porttype>}|range
<0-65535>-<0-65535>}][{[established],[syn<syn>]}][{tos<tos-va
lue>|precedence <precedence-value>|dscp <dscp-value>}][{ttl
<ttl-operator><ttl-value>|range <1-255>-<1-255>}][time-range
<time-range-name>][log]
Parameter Description
<rule-id> It is a unique identifier for the rule in the ACL. This ID determines the
sequence of the rule in the ACL. The range is 1-2147483644.
If the rule ID is not specified, the rule will be placed at the end of the
list by default, and the rule-ID is distributed in accordance with the
default base and increment (the default base is 10, and the default
increment is 10).
5-2
Parameter Description
<protocol-type> IP protocol type. It may be one of the following keywords: igmp, gre,
ospf, pim, and vrrp.
<operator> eq | ge | le | range Operation type for the port. It can be one keyword among eq, ge, le
and range. For the range keyword , it is necessary to specify two port
operation numbers to fix a port range, and the start value of the range
should not be greater than the end value.
<operator> eq | ge | le | neq| range Operation type for the TTL. It can be one keyword among eq, ge, le,
neq, and range. For the range keyword , it is necessary to specify
two port operation numbers to fix a TTL range, and the start value of
the range should not be greater than the end value.
dscp <value> Differentiated Services Code Point (DSCP) field. Range: 0-63.
established The keyword for establishing a TCP connection, only available for
the TCP.
<ttl-operator> Configures a TTL operation type. It may be one among: eq, ge, le,
and neq.
5-3
Command Function
ZXR10#show ipv4-access-lists brief [name <acl-name>][|{begin|exclude|i Displays the brief information of the
nclude}] ACL.
ZXR10#show ipv4-access-lists usage <interface-name>{ingress|egress} Displays the number of times that the
port-acl [|{begin|exclude|include}] ACL rule is used (only applicable for
rules that have been configured with
log).
Parameter Description
ingress Displays the result in accordance with the ingress of the interface.
egress Displays the result in accordance with the egress of the interface.
usage Statistics information, the number of times that the ACL rule is used
(only applicable for rules that have been configured with log).
5-4
In this case, it is required to create only one ACL and add a rule to the ACL. The rule is
that packets in which the IP addresses is that of the PC2, the protocol type is TCP, and
the port type is TELNET are denied. All other packets are permitted. After that, the ACL
is bounded to the ingress of gei-0/1/0/1 or the egress of gei-0/1/0/2.
After that, the TELNET request coming from PC2 cannot arrive at R1 even if PC2 gets
R1’s TELNET user name and password. The TELNET request packet is discarded after it
arrives at R2. The other communications between R1 and PC2 are not affected.
Configuration Flow
1. Create an ipv4–access-list. You can name the list. The list name consists of at most
31 characters.
2. Enter IPv4 ACL configuration mode after the list is created. Rules are added to this
list in IPv4 ACL configuration mode. Each rule can designate a type of packets, and
define the type of packets (denied or permitted).
3. In accordance with the requirements for traffic filtering, bind the customized ACL
ipv4–access-list to the egress or ingress of the interface where traffic needs to be
filtered.
Configuration Command
Run the following commands on R2:
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 eq telnet
30.20.10.1 0.0.0.0
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group interface gei-0/1/0/1 ingress test
Configuration Verification
Use the following two methods to check the ACL configuration, which is displayed as
follows:
5-5
Method 1: Run the show ipv4-access-lists brief to view the configured ACL, which is
displayed as follows:
R2(config)#show ipv4-access-lists brief
/*This only shows the name of each ACL and the number of rules in each ACL.*/
No. ACL RuleSum
------------------------------------------------
1 test 2
Run the following command to check the ACL binding information, which is displayed as
follows:
R2(config)#show ipv4-access-groups
Interface name|vlan Direction ACL name
---------------------------------------------------------
gei-0/1/0/1 Ingress test
Method 2: Run the show ipv4-access-lists name test to view the configured ACL, which is
displayed as follows:
R2(config)#show ipv4-access-lists name test
/*View an ACL. Brief or detail information can be viewed after the name is specified.
By default, detail information is displayed.*/
ipv4-access-list test
2/2 (showed/total)
10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
20 permit any
Method 3: Run the show ipv4-access-lists to view the configured ACL, which is displayed
as follows:
R2(config)#show ipv4-access-lists
/*View all ACLs configured on the device. The mode is to view detail information.*/
ipv4-access-list test
2/2 (showed/total)
10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
20 permit any
5-6
l Rule
A rule consists of a sequence number, a result (permit/deny), and the rule information
(that is, a network segment specified by an address and a mask range).
The name of a filter list can be configured through the related command. In a filter list,
several rules can be configured.
l The rules are ordered. When matching a prefix-list, a packet starts matching the rules
in accordance with the sequence. Once it matches a rule, the matching procedure
ends and the result (permit/deny) of this rule is returned.
l If two rules in a filter list have an intersection, the flows in the intersection only match
the rule that is configured first.
6-1
Command Function
Parameter Description
ge <value> After the matching range of the IP address prefix is specified, the
matching address prefix length needs to be greater than or equal to
this value. Range: 0-32.
le <value> After the matching range of the IP address prefix is specified, the
matching address prefix length needs to be less than or equal to this
value. Range: 0-32.
6-2
6-3
Parameter Description
Parameter Description
Command Function
Command Function
6-4
Configuration Flow
Configure the prefix-list rules one by one.
Configuration Command
Run the following commands in turn to configure the prefix-list rules.
R2(config)#ip prefix-list test permit 192.168.120.1 24
R2(config)#ip prefix-list test permit 192.168.110.1 32
R2(config)#ip prefix-list test permit 192.168.100.0 24 le 32
R2(config)#exit
Configuration Verification
Run the show running-config prefix-list command to check the configuration result of the
prefix-list, which is displayed as follows:
R2(config)#show running-config prefix-list
! <PFL>
ip prefix-list test seq 5 permit 192.168.120.0 24
!
ip prefix-list test seq 10 permit 192.168.110.1 32
!
ip prefix-list test seq 15 permit 192.168.100.0 24 le 32
! </PFL>
R2(config)#
6-5
Configuration Flow
1. Configure related interfaces.
2. Enter IP multicast configuration mode.
3. Enter PIM-SM configuration mode.
4. Set the loopback5 interface to a BSR on R2 and configure a candidate RP whose
group range is 225.0.0.0/24.
5. Configure a static RP whose address is 199.1.1.1 and group range is 225.0.0.0/24,
and configure static-rp override.
6. Enter interface configuration mode and enable PIM-SM.
7. Configure a unicast route to the RP on R1, and configure a unicast route to the IP
multicast source on R2. (In this example, the static route is used as the unicast route.
You can also successfully ping the route through the IGP.)
Configuration Command
Run the following commands on R1:
R1(config)#interface gei-0/2/0/3
R1(config-if)#no shutdown
R1(config-if)#ip address 199.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface gei-0/2/0/7
R1(config-if)#no shutdown
6-6
R2(config)#ip multicast-routing
R2(config-mcast)#router pimsm
R2(config-pimsm)#bsr-candidate loopback5
R2(config-pimsm)#rp-candidate loopback5 group-list zte
R2(config-pimsm)#static-rp 199.1.1.1 group-list zte
R2(config-pimsm)#static-rp override
R2(config-pimsm)#interface gei-0/3/0/8
R2(config-pimsm-if)#pimsm
R2(config-pimsm-if)#exit
R2(config-pimsm)#interface gei-0/3/0/7
R2(config-pimsm-if)#pimsm
R2(config-pimsm-if)#dr-priority 20
R2(config-pimsm-if)#exit
R2(config-pimsm)#exit
R2(config-mcast)#exit
R2(config)#ip route 33.1.1.0 255.255.255.0 199.1.1.1
6-7
Configuration Verification
Run the show ip pimsm rp mapping command on R1 to check the RP information, which
is displayed as follows:
R1(config)#show ip pimsm rp mapping
Group(s): 225.0.0.0/24(SM)
RP: 5.5.5.35, v2, Priority:192
BSR: 5.5.5.35, via bootstrap
Uptime: 00:06:47, expires: 00:01:43
Group(s): 0.0.0.0/0(NOUSED)
Run the show ip pimsm rp mapping command on R2 to check the RP information, which
is displayed as follows:
R2(config)#show ip pimsm rp mapping
Static RP is overriding in group-set!
Group(s): 225.0.0.0/24(SM)
RP: 199.1.1.1, Static, Priority:192
RP: 5.5.5.35, v2, Priority:192
BSR: 5.5.5.35, via bootstrap
Uptime: 00:07:51, expires: 00:02:25
Group(s): 0.0.0.0/0(NOUSED)
R2(config)#
R2(config)#show ip pimsm rp hash 225.0.0.1
Static RP is overriding in group-set!
RP address: 199.1.1.1
6-8
2. Pay attention when filtering routes by running the in command. Considering the
relevance of OSPF routes, the following is suggested.
l It is better not to filter routes corresponding to Type 2 LSAs. Otherwise, the net-
work topology will not be complete.
l When a Type 3 route is allowed to be imported, make sure that the corresponding
Area Border Router (ABR) route exists. If the route does not exist, set “permit” for
the corresponding route in the template configuration.
l When a Type 5 route is allowed to be imported, make sure that the “forwarding
address route” exists. If the route does not exist, set “permit” for the corresponding
route in the template configuration.
3. When the called prefix-list does not exist, the calling effect is just equal to “permit any”.
4. At the end of a prefix-list that is not null, there is a default rule deny all. That is to say,
the prefixes that are not configured to be permitted will be denied. Therefore, to deny
some routes, configure the permit all command to permit prefixes of other routes.
Configuration Flow
1. Configure a prefix-list template to deny the OSPF routes whose prefixes are
23.2.2.0/24 and permit other routes.
2. In the OSPFv2 distribute-list, call the prefix-list.
Configuration Command
1. Run the following commands to configure a prefix-list to filter the routes whose prefixes
are 23.2.2.0/24 in the following routing table.
ZXR10(config-ospfv2)#show ip forwarding route ospf
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*>1.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>11.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>12.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
*>16.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>23.2.2.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
*>26.1.3.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>100.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
6-9
ZXR10(config-ospfv2)#exit
Configuration Verification
Run the show ip forwarding route ospf command to view the filtered routing table to check
whether the routes are filtered successfully, which is displayed as follows:
ZXR10(config-ospfv2)#show ip forwarding route ospf
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*>1.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>11.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>12.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
*>16.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>26.1.3.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>100.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
Configuration Flow
1. Establish the BGP neighbors between Router A and Router B.
2. Import two routes to BGP on Router A.
3. Configure a prefix-list on Router A to permit route M and deny route N.
4. Use the prefix-list to filter the routes advertised to Router B in BGP on Router A.
5. The configuration result is: When Router A advertises BGP routes to Router B, route
M is advertised and route N is not advertised. In the routing table on Router B, there
is route M and there is not route N.
6-10
Configuration Command
1. Run the following commands to establish the BGP neighbors between Router A and
Router B (omitted).
2. Run the following commands to import routes to Router A.
a. In this example, run the network command to advertise the routes on Router A.
Before advertising routers, run the following command to view routers on Router
A, which is displayed as follows:
RouterA(config)#show ip forwarding route
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 1.1.1.1/32 100.1.3.1 gei-0/0/0/2 static 1 0
*> 10.12.0.0/24 10.12.0.1 gei-0/0/0/10 direct 0 0
*> 10.12.0.1/32 10.12.0.1 gei-0/0/0/10 address 0 0
*> 100.1.3.0/24 100.1.3.2 gei-0/0/0/2 direct 0 0
*> 100.1.3.2/32 100.1.3.2 gei-0/0/0/2 address 0 0
*> 100.1.31.0/24 100.1.31.1 smartgroup30.10 direct 0 0
*> 100.1.31.1/32 100.1.31.1 smartgroup30.10 address 0 0
*> 100.10.1.0/24 100.10.1.1 gei-0/0/1/4 direct 0 0
*> 100.10.1.1/32 100.10.1.1 gei-0/0/1/4 address 0 0
*> 100.10.2.0/24 100.10.2.1 gei-0/0/1/4.1 direct 0 0
*> 100.10.2.1/32 100.10.2.1 gei-0/0/1/4.1 address 0 0
*> 100.10.2.2/32 100.10.2.2 gei-0/0/1/4.1 static 1 0
*> 100.20.1.0/24 100.20.1.1 gei-0/0/0/7 direct 0 0
*> 100.20.1.1/32 100.20.1.1 gei-0/0/0/7 address 0 0
*> 192.1.1.0/24 192.1.1.1 gei-0/0/0/9 direct 0 0
*> 192.1.1.1/32 192.1.1.1 gei-0/0/0/9 address 0 0
b. Run the following commands to advertise the routes to the destination 1.1.1.1/32,
10.12.0.0/24, and 192.1.1.0/24 on RouteA..
RouterA(config)#router bgp 1
RouterA(config-bgp)#network 1.1.1.1 255.255.255.255
RouterA(config-bgp)#network 192.1.1.0 255.255.255.0
RouterA(config-bgp)#network 10.12.0.0 255.255.255.0
RouterA(config-bgp)#exit
6-11
! </BGP>
d. Run the following commands to view the route advertisement result on Router A.
RouterA(config)#show ip bgp route
Status codes: *-valid, >-best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
Dest NextHop Metric LocPrf RtPrf Path
*> 1.1.1.1/32 1.1.1.1 0 0 i
*> 10.12.0.0/24 10.12.0.1 0 0 i
*> 192.1.1.0/24 192.1.1.1 0 0 i
e. Run the following commands to view the BGP route learning on Router B.
RouterB(config)#show ip forwarding route bgp
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 1.1.1.1/32 100.10.1.1 gei-0/5/1/7 bgp 20 0
*> 10.12.0.0/24 100.10.1.1 gei-0/5/1/7 bgp 20 0
*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7 bgp 20 0
3. Run the following commands to configure a prefix-list on Router A and permit some
routes imported in Step 2.
RouterA(config)#ip prefix-list zte permit 192.1.1.0 24
RouterA(config)#show running-config prefix-list
! <PFL>
ip prefix-list zte seq 5 permit 192.1.1.0 24
! </PFL>
4. Run the following commands to use the prefix-list to filter routes advertised to Router
B in BGP on Router A.
a. Use the prefix-list zte to advertise routes to Router B.
RouterA(config)#router bgp 1
RouterA(config-bgp)#neighbor 100.10.1.2 prefix-list zte out
RouterA(config-bgp)#exit
6-12
Configuration Verification
Run the following commands to view the prefix-list configuration and BGP configuration
on Router A, which are displayed as follows:
RouterA#show running-config prefix-list
! <PFL>
ip prefix-list zte seq 5 permit 192.1.1.0 24
! </PFL>
Run the following command to view the BGP configuration on Router B, which is displayed
as follows:
Run the following command to view the BGP route advertisement result on Router A, which
is displayed as follows:
Run the following commands to view the BGP route learning on Router B, which is
displayed as follows:
6-13
On Router B, run the show ip forwarding route bgp command to check the BGP routes in
the forwarding table. The information shows that there is only one route (192.1.1.0/24)
that is learnt from Router A and permitted by the prefix-list.
RouterB#show ip forwarding route bgp
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7bgp 20 0
Configuration Flow
1. Configure a prefix-list.
2. Match the prefix-list in a route-map.
Configuration Command
1. Run the following command to create an IP prefix-list.
ZXR10(config)#ip prefix-list zte permit 192.168.100.0 24
2. Run the following commands to configure a route-map and call the prefix-list.
ZXR10(config)#route-map zte1
ZXR10(config-route-map)#match ip address prefix-list zte
ZXR10(config-route-map)#exit
6-14
Configuration Verification
Run the show ip prefix-list <prefix-list-name> command to check whether the prefix-list is
configured correctly, which is displayed as follows:
ZXR10(config)#show ip prefix-list zte
ip prefix-list zte :
seq 5 permit 192.168.100.0 24
Run the show route-map <route-map-name> command to check whether the route-map is
configured correctly, which is displayed as follows:
ZXR10(config)#show route-map zte1
[route-map zte1] IP type: IPv4
route-map zte1 permit 10
match ip address prefix-list zte
6-15
6-16
As a policy template, the Route-Map is unavailable unless applied to the interface as policy
routing or applied to the routing protocol as routing policy.
Route-Map Features
A Route-Map consists of one or more sequences, and the attributes of each sequence
can be flexibly set to permit or deny. The internal configuration of each sequence can be
divided into match item and set item.
l As a filter, the match item makes the Route-Map effective only to objects of specified
types.
l As a modifier, the set item performs specified operation on eligible objects to achieve
policy target.
After being called, the Route-Map will match the match item in accordance with the
sequence IDs in descending order, and perform the specified set operation of the
sequence where it matches the match item.
For the sequence of the Permit attribute, the Route-Map performs operation on the objects
which comply with the match condition in accordance with the policy, and search for the
next sequence if no one can be matched. For the sequence of the Deny attribute, the
7-1
Route-Map does not perform any operation on the matched objects, and searches for the
next sequence if no object is matched.
The routing policy and policy routing differ in:
l When the Route-Map is applied to an interface, it is called policy routing. The policy
routing provides packet transferring policy. The matched objects are packets. The
match item filters the objects based on the featured fields of the packets, and specifies
the set operation on these objects. The set operation is divided into routing item which
is used to change transferring path and packet modification item which is used to
modify the features for filtered packets.
l When the Route-Map is applied to protocols, it is called routing policy. The routing
policy provides routing release policy. The match item filters out routes based on
their features, and provides policies for these filtered routes. Note that the called
Route-Map configuration command has contained an operation, such as distribute
and leak commands. The distribute and leak operations in these commands are
called default operations. When performing the set operation on the objects matched
successfully, these default operations will also be performed.
When applied to the routing policy, the Route-Map filters the notification or sets the routing
attributes of the matched routes. The M6000 device supports the following routes which
use routing policy:
l RIP
l OSPF
l ISIS
l BGP
l VRF
7-2
A router can run the ISIS protocol and other routing protocols simultaneously, such as
RIP and OSPF protocols. Each routing protocol generates different routes. The ISIS
protocol can obtain routes of other protocols after redistribution.
The route policy can be configured during redistribution. This route policy is used to
filter or set the routing during redistribution. For example, if match ip metric is set
to 10 in the Route-Map module configuration, the ISIS redistribution module will filter
the route whose metric value is 10. If the set ip metric 20 command is configured in
the Route-Map, the ISIS will set metric on these routes after importing other protocol
routes.
The L1 router selects the nearest L1/L2 router as the egress, but this nearest route
is not the optimized route. In this case, the concept of suboptimum route and
7-3
routing penetration is introduced. To avoid the suboptimum route, you can import
route information of the backbone area to the common level-1 area to ensure that
the common area also has route information of the entire IS-IS route domain. For
example, the match ip metric value is set to 10 on the Route-Map module, the ISIS
redistribution module will filter the route whose metric value is 10.
7-4
ZXR10(config-route-map)#match ip tag *(<tag-value>) Matches the tag value of the routes. The
OSPF route carries this attribute. You can
configure several values as required.
7-5
ZXR10(config-route-map)#set origin {igp|egp |incomplete } Sets the route source attribute. The
setting is exclusive to the BGP protocol.
ZXR10(config-route-map)#set next-hop <ip-address>[…<ip Sets the next hop router in the routing
-address>] policy.
ZXR10(config-route-map)#set ip metric-type {internal Sets the metric type for the route selection
|external |type-1 |type-2 } protocol.
Parameter Description
permit | deny There are one or more sequences in a Route-Map. The sequence
attribute can be set to permit or deny flexibly. Permit means to
perform routing policy after matching, and deny means to perform no
operations regardless of the match result.
7-6
Parameter Description
<access-list-name> Sets the match type to ipv4-access-list, and matches the route to
the ACL.
prefix-list <prefix-list-name> Sets the match type to prefix-list, and matches the route to the prefix
list.
ip metric *(<metric-value>) Sets the match type to ip metric. You can match several routes as
required. Range: 0-4294967295.
ip tag *(<tag-value>) Sets the match type to ip metric. You can match several routes as
required. Range: 0-4294967295.
as-path *(<as-path-list-number>) Sets the match type to as-path. You can match several routes as
required. Range: 1-199.
community-list *(<community-list-number>) Sets the match type to community-list. You can match several routes
as required. Range: 1-499.
extcommunity-list *(<community-list-number Sets the match type to extcommunity-list. You can match several
>) routes as required. Range: 1-500.
route-type {external [type-1|type-2]|internal Sets the match type to route-type, and selects the routing type as
|level-1|level-2|local} required. You can configure several match items of this type rather
than configure several routes.
Parameter Description
<half-life> Changes the half period for routing damping sectors. Range: 1-45.
<reuse> Changes the reuse value for the routing damping sectors. Range:
1-20000.
<suppress> Changes the routing suppress value for the routing damping sectors.
Range: 1-20000.
<max-suppress-time> Changes the maximum routing suppress value for the routing
damping sectors. The penalty value will not increase once the routing
suppress time expires. Range: 1-255.
7-7
Parameter Description
[process-id] You should set instance IDs when redistributing the OSPF or the
ISIS routes.
OSPF range: 1-65535
ISIS range: 0-65535
The ISIS value is 0 by default.
<protocol> The source routing protocols for routing redistribution. The keywords
can be : ospf-ext, ospf-int, static, bgp-ext, bgp-int, connected,
isis-1, isis-2, isis-1-2, nat, natpt, ps-busi-addr, ps-user-addr,
subscriber-aggregation, subscriber-host, user-special.
metric <metric-value>> Specifies the route metric when this route is redistributed from OSPF
route to RIP route. Range: 1-16.
route-map <route-map> The name for the redistributed routing mapping. Length: 1-31
characters. The RIP implements the route policy by using the
Routing-Map routing policy in the redistribution command.
Parameter Description
<protocol> Sets the routing source, such as connect, static, rip, isis <process-id>,
ospf <process-id>, bgp, nat, pat, ps-busi-addr, ps-user-addr, sl-nat64-ipv4,
subscriber-aggregation, subscriber-host and user-special. The routing source is
mandatory. You must specify corresponding instance ID if you want to redistribute
ISIS or OSPF route.
<metric-type> Sets the metric value (interface or external) carried by the redistributed route.
7-8
Parameter Description
Parameter Description
<protocol> Protocol type. For OSPF or IS-IS, the instance number is required.
<metric-type> Sets whether the redistributed route carries external metric or internal
metric.
7-9
Parameter Description
<protocol> The protocol type. The instance ID is required for OSPF and ISIS.
2 ZXR10(config-bgp)#bgp dampening [ route-map < Enables the BGP routing dampening, or modifies
route-map-name >] the BGP routing dampening sectors.
2 ZXR10(config-bgp)#address-family ipv4 vrf <vrf-name> Enters IPv4 vrf address cluster configuration
mode.
Parameter Description
7-10
Parameter Description
2 ZXR10(config-bgp)#neighbor {< ipv4-address>|<peer-group- Filters the route sent by the neighbor peer
name>} route-map <route-map-name>{ in | out} group or received by the neighbor peer
group, or sets the routing priority.
Parameter Description
7-11
Command Function
ZXR10(config)#show running-config rip Displays the RIP protocol configuration, and checks
whether the routing policies are used by various routing
protocols.
ZXR10(config)#show running-config isis Displays the ISIS protocol configuration, and checks
whether the routing policies are used by various routing
protocols.
ZXR10(config)#show running-config ospf Displays the OSPF protocol configuration, and checks
whether the routing policies are used by various routing
protocols.
ZXR10(config)#show running-config bgp Displays the BGP protocol configuration, and checks
whether the routing policies are used by various routing
protocols.
ZXR10(config)#show running-config vrf Displays the VRF route configuration, and checks whether
the routing policies are used by various routing protocols.
ZXR10(config)#show ip vrf detail [<vrf-name>] Displays detailed VRF configuration. You can specify a
VRF example and query its configuration.
Configuration Description
The Routing Information Protocol (RIP) is operating on R1 and R2. R1 and R2 can notify
their RIP routes to each other, or redistribute other routes. The following uses a static route
distribution as an example, see Figure 7-1.
Configuration Flow
1. Configure IPv4 addresses for the interfaces.
2. Enable the RIP for a direct-connected interface.
3. Redistribute other routes and configure the redistribution command.
4. Add the route-map name(s) to the redistribution command.
7-12
Configuration Command
Run the following commands on R1:
R1(config)#router rip
R1(config-rip)#redistribute static route-map www
R1(config-rip)#network 192.168.1.0 0.0.0.255
R1(config-rip)#exit
R1(config)#ip route 3.3.3.0 255.255.255.0 loopback1 4
/*Not the optimun route, and will not be reallocated*/
R1(config)#ip route 3.3.3.0 255.255.255.0 30.0.0.6 3
R1(config)#ip route 5.5.5.0 255.255.255.0 loopback2
R1(config)#route-map www permit 10
R1(config-route-map)#set ip metric 10
R1(config-route-map)#exit
Configuration Verification
Run the show command to check configuration information of RIP, route-map and static
route on the R1 and R2, IPv4 route information and RIP route table.
Route information on R1 is displayed as follows:
R1(config)#show running-config rip
! <RIP>
router rip
redistribute static route-map www
network 192.168.1.0 0.0.0.255
! </RIP>
7-13
7-14
Configuration Description
The neighbor relationship between R1 and R2 is established in the level-1-2 area
successfully, and the status is up, see Figure 7-2.
R1 is configured with 2 static routes. The static route redistributed in ISIS level-1 should
carry the route-map parameter.
Configuration Flow
1. Configure the neighbor relationship between R1 and R2 in the level-1-2 area.
2. Configure the route-map testisis on R1.
3. Configure several static routes on R1.
4. Redistribute a static route with the route-map parameter on R1.
Configuration Command
1. Run the following commands to configure the neighbor relationship between R1 and
R2 in the level-1-2 area.
Run the following commands to configure the ISIS on R1:
R1(config)#router isis 44
R1(config-isis)#system-id 5555.5555.5555
R1(config-isis)#area 44
R1(config-isis)#is-type level-1-2
R1(config-isis)#metric-style narrow
R1(config-isis)#interface gei-0/1/0/3
R1(config-isis-if)#ip router isis
R1(config-isis-if)#exit
R1(config-isis)#exit
7-15
R2(config-isis-if)exit
R2(config-isis)#exit
2. Run the following commands to configure route-map testisis on R1.
R1(config)#route-map testisis permit 10
R1(config-route-map)#set level level-1
R1(config-route-map)#set ip metric 10
R1(config-route-map)#set ip metric-type external
R1(config-route-map)#exit
3. Run the following commands to configure three valid static routes on R1.
R1(config)#ip route 1.2.3.4 255.255.255.255 192.168.1.103
R1(config)#ip route 20.0.0.0 255.255.255.0 192.168.5.203
R1(config)#ip route 168.178.19.0 255.255.255.0 177.77.16.2
4. Run the following commands to redistribute a static route with the route-map parameter
on R1.
R1(config)#router isis 44
R1(config-isis)#redistribute static route-map testisis
R1(config-isis)#exit
Configuration Verification
Check the ISIS configuration result, which is displayed as follows:
R1(config)#show running-config isis
! <ISIS>
router isis 44
area 44
system-id 5555.5555.5555
is-type level-1-2
metric-style narrow
redistribute static route-map testisis
interface gei-0/1/0/3
ip router isis
$
! </ISIS>
R2(config)#show running-config isis
! <ISIS>
router isis 44
area 44
system-id 2222.2222.2222
is-type level-1-2
metric-style narrow
interface gei-0/1/0/1
ip router isis
$
! </ISIS>
7-16
Verify that the result is as expected. Check routes in the level-1 area on R1.
narrow mode metric-type external, metric=10+64=74,
The routes will be redistributed to the level-2 area by default. After the route-map is
configured, the routes can only be distributed to the level-1 area.
R1(config)#show isis database level-1 detail process-id 44
Process ID:44
IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R1.00-00* 0x6 0xd6dc 1142 0/0/0
NLPID: 0xcc
Area Address: 00
Ip Address: 55.1.1.1
Hostname: R1
Metric: 10 IS neighbor R1.02
Metric: 10 IP-Internal 55.1.1.0 255.255.255.0
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R1.00-01* 0x8 0x9223 934 0/0/0
Metric: 74 IP-External 1.2.3.4 255.255.255.255
Metric: 74 IP-External 20.0.0.0 255.255.255.0
Metric: 74 IP-External 168.178.19.0 255.255.255.0
Hostname: R1
Check three pieces of ISIS route information from R1 on R2, which is displayed as follows:
7-17
Configuration Description
Interfaces of both R1 and R2 are in the OSPF area 1. The OSPF neighbor relationship is
established between R1 and R2 successfully through R1/R2 interfaces, and the status is
full. After three static routes are configured on R1, R1 redistributes the static routes that
carry the route-map parameter in the OSPF area, see Figure 7-3.
Configuration Flow
1. Establish the relationships between R1 and R2 in the OSPF area 1.
2. Configure the route-map on R1.
3. Configure several static routes on R1.
4. Redistribute the static routes that carry the route-map parameter in the OSPF area on
R1.
Configuration Command
1. Run the following commands to set the same network segment address for R1 and
R2 to build the OSPF neighbor.
R1(config)#interface gei-0/1/0/3
R1(config-if)#no shutdown
R1(config-if)#ip add 55.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router ospf 2
R1(config-ospfv2)#network 55.1.1.0 0.0.0.255 area 0.0.0.1
R1(config-ospfv2)#exit
R2(config)#interface gei-0/1/0/1
R2(config-if)#no shutdown
R2(config-if)#ip add 55.1.1.2 255.255.255.0
R2(config-if)#exit
R2(config)#router ospf 2
R2(config-ospfv2)#network 55.1.1.0 0.0.0.255 area 0.0.0.1
R2(config-ospfv2)#exit
2. Run the following commands to configure the route-map on R1.
R1(config)#route-map ff
7-18
R1(config-route-map)#match ip metric 0
R1(config-route-map)#set ip metric 50
R1(config-route-map)#set ip metric-type type-1
R1(config-route-map)#set ip tag 100
R1(config-route-map)#exit
3. Run the following commands to configure several static routes on R1.
R1(config)#ip route 1.2.3.4 255.255.255.255 192.168.1.103
R1(config)#ip route 20.0.0.0 255.255.255.0 192.168.5.203
R1(config)#ip route 168.178.19.0 255.255.255.0 177.77.16.2
4. Run the following commands to redistributes the static route that carries the route-map
parameter in the OSPF area on R1.
R1(config)#router ospf 2
R1(config-ospfv2)#redistribute static route-map ff
R1(config-ospfv2)#exit
Configuration Verification
Check the configuration result on R1 and the static and OSPF routes on R1, which is
displayed as follows:
R1(config)#show route-map ff
[route-map ff] IP type: IPv4
route-map ff permit 10
match ip metric 0
set ip metric 50
set ip metric-type type-1
set ip tag 100
7-19
Check the attributes of the OSPF route on R2, which is displayed as follows:
R2(config-ospfv2)#show ip forwarding route ospf
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 1.2.3.4/32 55.1.1.1 gei-0/3/0/5 ospf 110 51
*> 20.0.0.0/24 55.1.1.1 gei-0/3/0/5 ospf 110 51
*> 168.178.19.0/24 55.1.1.1 gei-0/3/0/5 ospf 110 51
Configuration Description
The EBGP neighbor relationship is established between R1 and R2, and the IBGP
neighbor relationship is established between R2 and R3. R1 advertises the route to R2,
see Figure 7-4.
The route-map test 1 configured on R2 takes effect on the ingress of R2. The route-map
test2 configured on R2 takes effect on the egress of R2.
Configuration Flow
1. Establish the EBGP neighbor relationship between R1 and R2, and the IBGP neighbor
relationship between R2 and R3.
2. R1 advertises BGP routes to R2, and R2 and R3 can learn these routes.
7-20
Note:
l The route-map can be used for both ingress and egress. For the ingress, the set
operation takes effect on community, local preference, and next_hop. For the egress,
the set operation takes effect for all objects.
l The specified options for the BGP protocol in route-map include: community-list,
dampening, local-preference, origin, and as-path for the set operation, as-path, and
community-list for the Match operation.
Configuration Flow
1. Run the following commands to set the IP addresses for the direct interfaces of three
routes to the same value, and establish the EBGP neighbor relationship.
Run the following commands on R1:
R1(config)#interface xgei-0/3/0/2
R1(config-if)#no shutdown
R1(config-if)#ip address 131.4.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router bgp 1011
R1(config-bgp)#neighbor 131.4.1.2 remote-as 200
R1(config-bgp)#exit
7-21
7-22
Configuration Verification
1. In step 2, after route advertisement, R2 and R3 can learn five routes.
R2(config)#show ip bgp route
Status codes: *-valid, >-best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
7-23
Configuration Description
For the VRF routing policy configuration example of a network, see Figure 7-5.
1. The basic L3VPN network is established. PE1 and PE2 are in the same AS. The
MPIBGP neighbor is established, see Figure 7-5.
2. VRF test1 is on PE1. The route 199.199.199.1/32 of the address generated by local
loopback address and the direct route 198.198.198.0/24 interconnected to CE1 are
advertised.
3. VRF test1 is on PE2. The route 123.123.123.1/32 of the address generated by local
Loopback address and the direct route 182.192.182.0/24 interconnected to CE2 are
advertised.
4. The VRF test1 route tables on two PEs contain local and remote routes, such as
199.199.199.1/32,198.198.198.0/24 and 123.123.123.1/32,182.192.182.0/24.
5. The route-map routing policy is used on the vrf test1 of PE.
Perform the following policies on the incoming 123.123.123.1/32,182.192.182.0/24
routes: You can import 182.182.182.0/24 route from the VPN neighbor.
7-24
Configuration Flow
1. Configure the basic L3VPN network environment for CE1-PE1-PE2-CE2.
2. Learn all routes in the configuration description of the private network route table on
two PEs.
3. Configure route-map on PE1, and define characteristics of the route where the routing
policy will be performed, that is to define a group of matching rules. You can set these
principles based on different properties in route information, such as target address,
router address of routing information.
4. Apply the route-map to the VRF example on PE1, import/export routes, and
receive/import route release.
Configuration Command
1. Run the following commands to configure the basic L3VPN network on PE1 and PE2.
Run the following commands on PE1:
PE1(config)#ip vrf test1
PE1(config-vrf)#rd 10:10
PE1(config-vrf)#route-target both 10:10
PE1(config-vrf)#address-family ipv4
PE1(config-vrf-af)#exit
PE1(config-vrf)#exit
PE1(config)#interface loopback30
PE1(config-if)#ip vrf forwarding test1
PE1(config-if)#ip address 199.199.199.1 255.255.255.255
PE1(config-if)#exit
PE1(config)#interface gei-0/3/0/2
PE1(config-if)#no shutdown
PE1(config-if)#exit
PE1(config)#interface gei-0/3/0/2.10
PE1(config-subif)#ip vrf forwarding test1
PE1(config-subif)#ip address 198.198.198.1 255.255.255.0
PE1(config-subif)#exit
PE1(config)#vlan
PE1(config-vlan)#interface gei-0/3/0/2.10
PE1(config-subvlan-if)#encapsulation-dot1q 10
PE1(config-subvlan-if)#exit
PE1(config-vlan)#exit
PE1(config)#interface loopback1
PE1(config-if)#ip address 1.2.3.80 255.255.255.255
PE1(config-if)#exit
PE1(config)#router bgp 200
PE1(config-bgp)#neighbor 1.2.3.82 remote-as 200
7-25
7-26
PE2(config-bgp-af)#exit
PE2(config-bgp)#exit
2. Run the following commands to check VRF routes on PE1 and PE2.
The displayed results on PE1 are as follows:
PE1(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 123.123.123.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.0/24 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 198.198.198.0/24 198.198.198.1 gei-0/3/0/2.10 direct 0 0
*> 198.198.198.1/32 198.198.198.1 gei-0/3/0/2.10 address 0 0
*> 199.199.199.1/32 199.199.199.1 loopback30 address 0 0
Configure the route-map test 2 to limit the route advertisement on the ingress.
PE1(config)#ip prefix-list test2 seq 5 permit 182.182.182.0 24 ge 32
PE1(config)#route-map test2
PE1(config-route-map)#match ip address prefix-list test2
PE1(config-route-map)#exit
7-27
Configuration Verification
If the configuration is successful, run the show running-config command to check the
results, which are displayed as follows:
PE1#show running-config bgp
! <BGP>
router bgp 200
neighbor 1.2.3.82 remote-as 200
neighbor 1.2.3.82 activate
neighbor 1.2.3.82 update-source loopback1
address-family ipv4 vrf test1
redistribute address
redistribute connected
$
address-family vpnv4
neighbor 1.2.3.82 activate
$
$
! </BGP>
PE1#show running-config vrf | begin test1
7-28
ip vrf test1
rd 10:10
route-target import 10:10
route-target export 10:10
address-family ipv4
import map test2
export map test1
$
!
! </VRF>
PE1#show route-map test1
[route-map test1] IP type: IPv4
route-map test1 permit 10
match ip address prefix-list test1
PE1#show route-map test2
[route-map test2] IP type: IPv4
route-map test2 permit 10
match ip address prefix-list test2
PE1#show ip prefix-list test1
ip prefix-list test1 :
seq 5 permit 199.199.199.1 32
PE1#show ip prefix-list test2
ip prefix-list test2 :
seq 5 permit 182.182.182.0 24 ge 32
Before the VRF route policy is used, the vrf test1 route table on PE1 is:
After some routes are imported, the vrf test1 route table is changed to:
7-29
The route policy test2 used for the import direction filters two routes advertised by the peer
PE2.
*> 123.123.123.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
The route-map test 2 specifies that the route that matches ip prefix-list test2 seq 5 permit
182.182.182.0 24 ge 32 can be learned.
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
Before the route policy test1 is exported on PE1 , the vrf test1 route table on PE2 is:
PE2(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 123.123.123.1/32 123.123.123.1 loopback10 address 0 0
*> 182.182.182.0/24 182.182.182.1 gei-0/1/0/2.10 direct 0 0
*> 182.182.182.1/32 182.182.182.1 gei-0/1/0/2.10 address 0 0
*> 198.198.198.0/24 1.2.3.80 posgroup2 bgp 200 0
*> 198.198.198.1/32 1.2.3.80 posgroup2 bgp 200 0
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
After the route policy test1 is exported on PE1, the vrf test1 route table on PE2 is:
PE2(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 123.123.123.1/32 123.123.123.1 loopback10 address 0 0
*> 182.182.182.0/24 182.182.182.1 gei-0/1/0/2.10 direct 0 0
*> 182.182.182.1/32 182.182.182.1 gei-0/1/0/2.10 address 0 0
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
As seen from above, only one route is learned from remote 1.2.3.80.
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
This above command is used to match ip prefix-list test1 seq 5 permit 199.199.199.1
32 defined in the route-map test1.
Two unmatched items will be filtered out, including:
7-30
When a packet fails to meet the match conditions of a sequence, it will continue to match
the next sequence.
1. At first, the router uses the received packet to match the ACL configured in the first
sequence. If the matching fails, the router continues to use the packet to match to the
ACL configured in the next sequence. The rest can be done in the same manner. If
the matching is successful, the router can obtain the attribute of the sequence.
7-31
2. When the attribute of the sequence is deny, the packet will be forwarded in normal
route. If the attribute is permit, the router will forward the packet in accordance with
the set item of the sequence.
3. The router determines whether a valid set ip path interface item exists. If the valid set
ip path interface item exists, the packet will be sent to the specified next hop.
4. The router determines whether a valid set ip next-hop item exists. For multiple set ip ne
xt-hop items, the router selects the first valid next-hop in accordance with configuration
sequence. If the valid set ip next-hop item exists, the router forwards the packet to the
specified next-hop.
5. If the set ip next-hop item is not set or there is no valid set ip next-hop item, the router
needs to check whether a valid egress interface exists (The egress exists, and it is
in UP state). When multiple set interface items exist, the router selects the first valid
egress interface in accordance with the configuration sequence. If the egress interface
exists, the router forwards the packet from the egress interface directly. Otherwise, it
forwards the packet in normal route.
6. When a packet is forwarded in a normal route, if the router finds the corresponding
route in the forwarding table, it forwards the packet in accordance with the route.
Otherwise, if the system does not set a default route, the router will discard the packet.
If the next hop of the policy routing is the indirect-connected IP address, the policy routing
still can be valid as long as the next hop can be found by searching in the local routing
table. The next hop address of policy routing is set to 200.1.1.2 on R1, see Figure 7-6.
The ip next hop of policy routing can be set to the IP address of ISP2 on R1, and it will
take effect immediately once there is a route from R1 to ISP2. If R1 has a route pointing
to ISP2 and the next-hop of the route is R2, the traffic coming from ISP1 which meets the
matching rules of the policy routing will be sent to R2 after the policy routing is bound to
gei-2/2 on R1. If the traffic does not meet the matching rules of the policy routing, it will be
discarded.
7-32
ZXR10(config)#ip policy interface < interface-name> route-map Configures fast forwarding based on
< route-map-name> policy routing.
Parameter Description
To configure a VRF policy route on the ZXR10 M6000, perform the following steps:
7-33
3 ZXR10(config-route-map)#set vrf <vrf-name> ip next-hop Sets the next-hop address of the specified
<ip-address>[track <sqa-name>] VRF.
Command Function
ZXR10#show route map < route map-name> Displays the route-map information.
Configuration Description
The router (ZXR10) accesses users of two subnets through different interfaces. Two
ISP egresses are available. Users select different egresses in accordance with their IP
addresses. Users belonging to the subnet 10.10.0.0/24 uses the ISP1 egress and users
belonging to the subnet 11.11.0.0/24 uses the ISP2 egress, see Figure 7-7.
7-34
Configuration Flow
1. Configure IP addresses for interfaces.
2. Create ACL to define the traffic to be controlled.
3. Create a route-map, associate it to an ACL, and define actions.
4. Associate route-map to the corresponding interfaces.
Configuration Command
Run the following commands on the ZXR10:
ZXR10(config)#interface gei-0/1/1/1
ZXR10(config-if)#no shutdown
ZXR10(config-if)#description To User1
ZXR10(config-if)#ip address 10.10.0.254 255.255.255.0
ZXR10(config-if)#exit
ZXR10(config)#show running-config-interface gei-0/1/1/1
!<INTERFACE>
interface gei-0/1/1/1
no shutdown
description To User1
ip address 10.10.0.254 255.255.255.0
!
!</INTERFACE>
ZXR10(config)#ip policy interface gei-0/1/1/1 route-map source-ip
/*Bind route-map source-ip to an interface*/
ZXR10(config)#show running-config pbr
!<PBR>
ip policy interface gei-0/1/1/1 route-map source-ip
!</PBR>
ZXR10(config)#interface gei-0/1/1/2
ZXR10(config-if)#no shutdown
ZXR10(config-if)#description To User2
ZXR10(config-if)#ip address 11.11.0.254 255.255.255.0
ZXR10(config-if)#exit
ZXR10(config)#show running-config-interface gei-0/1/1/2
!<INTERFACE>
interface gei-0/1/1/2
no shutdown
description To User2
ip address 11.11.0.254 255.255.255.0
!
!</INTERFACE>
7-35
!<PBR>
ip policy interface gei-0/1/1/2 route-map source-ip
!</PBR>
ZXR10(config)#interface gei-0/2/1/1
ZXR10(config-if)#no shutdown
ZXR10(config-if)#description To ISP1
ZXR10(config-if)#ip address 100.1.1.2 255.255.255.252
ZXR10(config-if)#exit
ZXR10(config)#ipv4-access-list 10
ZXR10(config-ipv4-acl)#rule 1 permit 10.10.0.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#show ipv4-access-lists name 10
ipv4-access-list 10
1/1 (showed/total)
rule 1 permit 10.10.0.0 0.0.0.255
ZXR10(config)#ipv4-access-list 20
ZXR10(config-ipv4-acl)#rule 1 permit 11.11.0.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#show ipv4-access-lists name 20
ipv4-access-list 20
7-36
1/1 (showed/total)
rule 1 permit 11.11.0.0 0.0.0.255
ZXR10(config-route-map)#match ip address 10
ZXR10(config-route-map)#set ip next-hop 100.1.1.1
ZXR10(config-route-map)#exit
ZXR10(config)#route-map source-ip permit 20
/*Forward packets matching ACL 20 to 200.1.1.1*/
ZXR10(config-route-map)#match ip address 20
ZXR10(config-route-map)#set ip next-hop 200.1.1.1
ZXR10(config-route-map)#exit
Configuration Verification
Check the configuration of the route-map, which is displayed as follows:
ZXR10(config)#show route-map source-ip
[route-map source-ip] IP type: IPv4
route-map source-ip permit 10
match ip address 10
set ip next-hop 100.1.1.1
route-map source-ip permit 20
match ip address 20
set ip next-hop 200.1.1.1
Configuration Description
When users of different subnetworks are accessed through the same interface of a router,
the configuration of a policy routing needs to be modified, see Figure 7-8.
7-37
Configuration Flow
1. Configure IP addresses for interfaces.
2. Create an ACL and define the traffic to be controlled.
3. Create a route-map, associate it to an ACL, and define actions.
4. Associate the route-map to the corresponding interfaces.
Configuration Command
Run the following commands on the ZXR10:
ZXR10(config)#interface gei-0/1/1/1
ZXR10(config-if)#no shutdown
ZXR10(config-if)#description To User
ZXR10(config-if)#ip address 192.168.1.1 255.255.255.252
ZXR10(config-if)#exit
ZXR10(config)#show running-config-interface gei-0/1/1/1
!<INTERFACE>
interface gei-0/1/1/1
no shutdown
description To User
ip address 192.168.1.1 255.255.255.252
!
!</INTERFACE>
ZXR10(config)#interface gei-0/2/1/1
ZXR10(config-if)#no shutdown
ZXR10(config-if)#description To ISP1
ZXR10(config-if)#ip address 100.1.1.2 255.255.255.252
ZXR10(config-if)#exit
ZXR10(config)#sho running-config-interface gei-0/2/1/1
!<INTERFACE>
interface gei-0/2/1/1
no shutdown
description To ISP1
7-38
7-39
In this example, the two ISP egresses back up each other. There are two conditions.
1. When both ISP1 and ISP2 egresses run properly, user service of 10.10.0.0/24 uses
the ISP1 egress and user services of 11.11.0.0./24 uses the ISP2 egress.
2. When one egress has fault, the user service uses a backup egress. Therefore, the
service will not be interrupted as long as the two egresses do not have fault at the
same time.
Configuration Verification
Check the configuration of the route-map, which is displayed as follows:
ZXR10(config)#show route-map source-ip
[route-map source-ip] IP type: IPv4
route-map source-ip permit 10
match ip address 10
set ip next-hop 100.1.1.1 200.1.1.1
route-map source-ip permit 20
match ip address 20
set ip next-hop 200.1.1.1 100.1.1.1
Configuration Description
Users of different subnetworks are accessed through the same interface of the router.
When users of vpn1 access the network of vpn2, the remote VRF policy routing is used,
see Figure 7-9.
7-40
Configuration Command:
Run the following commands on PE1:
/*Configure an interface*/
PE1(config)#interface loopback1
PE1(config-if)#ip address 1.2.3.30 255.255.255.255
PE1(config-if)#exit
PE1(config)#show running-config-interface loopback1
!<INTERFACE>
interface loopback1
ip address 1.2.3.30 255.255.255.255
!
!</INTERFACE>
PE1(config)#ip vrf vpn1
PE1(config-vrf)#rd 1:1
PE1(config-vrf)#route-target both 1:1
PE1(config-vrf)#address-family ipv4
PE1(config-vrf-af)#exit
PE1(config-vrf)#exit
PE1(config)#ip vrf vpn2
PE1(config-vrf)#rd 1:2
PE1(config-vrf)#route-target both 1:2
PE1(config-vrf)#address-family ipv4
PE1(config-vrf-af)#exit
PE1(config-vrf)#exit
PE1(config)#interface gei-0/6/0/1
ZXR10(config-if)#no shutdown
PE1(config-if)#description to vpn1
PE1(config-if)#ip vrf forwarding vpn1
PE1(config-if)#ip address 30.1.1.1 255.255.255.0
PE1(config-if)#exit
PE1(config)#show running-config-interface gei-0/6/0/1
!<INTERFACE>
7-41
interface gei-0/6/0/1
no shutdown
description to vpn1
ip vrf forwarding vpn1
ip address 30.1.1.1 255.255.255.0
!
!</INTERFACE>
PE1(config)#interface gei-0/1/0/1
ZXR10(config-if)#no shutdown
PE1(config-if)#description to vpn2
PE1(config-if)#ip vrf forwarding vpn2
PE1(config-if)#ip address 40.1.1.1 255.255.255.0
PE1(config-if)#exit
PE1(config)#show running-config-interface gei-0/1/0/1
!<INTERFACE>
interface gei-0/1/0/1
no shutdown
description to vpn2
ip vrf forwarding vpn2
ip address 40.1.1.1 255.255.255.0
!
!</INTERFACE>
PE1(config)#interface gei-0/6/0/2
ZXR10(config-if)#no shutdown
PE1(config-if)#ip address 20.1.1.1 255.255.255.0
PE1(config-if)#exit
PE1(config)#show running-config-interface gei-0/6/0/2
!<INTERFACE>
interface gei-0/6/0/2
no shutdown
ip address 20.1.1.1 255.255.255.0
!
!</INTERFACE>
PE1(config)#show ip vrf brief
* Being deleted
Name Default RD Protocol Interfaces
vpn1 1:1 ipv4 gei-0/6/0/1
vpn2 1:2 ipv4 gei-0/1/0/1
mng < not set > mng1
/*Configure OSPF*/
PE1(config)#router ospf 1 vrf vpn1
PE1(config-ospfv2)#network 30.1.1.0 0.0.0.255 area 0.0.0.0
PE1(config-ospfv2)#exit
PE1(config)#router ospf 2 vrf vpn2
PE1(config-ospfv2)#network 40.1.1.0 0.0.0.255 area 0.0.0.0
7-42
PE1(config-ospfv2)#exit
PE1(config)#router ospf 3
PE1(config-ospfv2)#network 1.2.3.30 0.0.0.0 area 0.0.0.0
PE1(config-ospfv2)#network 20.1.1.0 0.0.0.255 area 0.0.0.0
PE1(config-ospfv2)#exit
PE1(config)#show running-config ospf
!<OSPF>
router ospf 1 vrf vpn1
network 30.1.1.0 0.0.0.255 area 0.0.0.0
!
router ospf 2 vrf vpn2
network 40.1.1.0 0.0.0.255 area 0.0.0.0
!
router ospf 3
network 1.2.3.30 0.0.0.0 area 0.0.0.0
network 20.1.1.0 0.0.0.255 area 0.0.0.0
!
!</OSPF>
PE1(config)#show ip ospf neighbor
7-43
PE1(config-bgp-af)#exit
PE1(config-bgp)#address-family ipv4 vrf vpn2
PE1(config-bgp-af)#redistribute ospf-int
PE1(config-bgp-af)#redistribute ospf-ext
PE1(config-bgp-af)#exit
PE1(config)#show running-config bgp
!<BGP>
router bgp 1
neighbor 1.2.3.29 remote-as 2
neighbor 1.2.3.29 activate
neighbor 1.2.3.29 ebgp-multihop ttl 8
neighbor 1.2.3.29 update-source loopback1
address-family ipv4 vrf vpn1
redistribute ospf-int
redistribute ospf-ext
redistribute connected
$
address-family ipv4 vrf vpn2
redistribute ospf-int
redistribute ospf-ext
$
address-family vpnv4
neighbor 1.2.3.29 activate
$
!</BGP>
PE1(config)#show bgp vpnv4 unicast summary
Neighbor Ver As MsgRcvd MsgSend Up/Down(s) State/PfxRcd
1.2.3.29 4 2 180 187 01:32:00 0
/*Configure LDP*/
PE1(config)#mpls ldp instance 1
PE1(config-ldp)#interface gei-0/6/0/2
PE1(config-ldp-if)#exit
PE1(config-ldp)#router-id loopback1 force
PE1(config-ldp)#exit
PE1(config)#show running-config ldp
!<MPLS>
mpls ldp instance 1
router-id loopback1 force
interface gei-0/6/0/2
$
!</MPLS>
PE1(config)#show mpls ldp neighbor detail instance 1
Peer LDP Ident: 1.2.3.29:0; Local LDP Ident 1.2.3.30:0
TCP connection: 1.2.3.29.646 - 1.2.3.30.1028
state: Oper; Msgs sent/rcvd: 113/135; Downstream
7-44
Up Time: 01:25:38
LDP discovery sources:
gei-0/6/0/2; Src IP addr: 20.1.1.2
Addresses bound to peer LDP Ident:
1.2.3.29 20.1.1.2 130.131.132.29
7-45
PE2(config-if)#exit
PE2(config)#show running-config-interface gei-0/1/0/5
!<INTERFACE>
interface gei-0/1/0/5
no shutdown
description to vpn1
ip vrf forwarding vpn1
ip address 10.1.1.1 255.255.255.0
!
!</INTERFACE>
PE2(config)#show ip vrf brief
* Being deleted
Name Default RD Protocol Interfaces
vpn1 1:1 ipv4 gei-0/1/0/5
vpn2 1:2
mng < not set > mng1
/*Configure OSPF*/
PE2(config)#router ospf 16
PE2(config-ospfv2)#network 1.2.3.29 0.0.0.0 area 0.0.0.0
PE2(config-ospfv2)#network 20.1.1.0 0.0.0.255 area 0.0.0.0
PE2(config-ospfv2)#exit
PE2(config)#show running-config ospf
!<OSPF>
router ospf 16
network 1.2.3.29 0.0.0.0 area 0.0.0.0
network 20.1.1.0 0.0.0.255 area 0.0.0.0
!</OSPF>
PE2(config)#show ip ospf neighbor
/*Configure BGP*/
PE2(config)#router bgp 2
PE2(config-bgp)#neighbor 1.2.3.30 remote-as 1
PE2(config-bgp)#neighbor 1.2.3.30 ebgp-multihop ttl 8
PE2(config-bgp)#neighbor 1.2.3.30 update-source loopback1
PE2(config-bgp)#address-family vpnv4
PE2(config-bgp-af)#neighbor 1.2.3.30 activate
PE2(config-bgp-af)#exit
PE2(config-bgp)#address-family ipv4 vrf vpn1
PE2(config-bgp-af)#redistribute ospf-int
PE2(config-bgp-af)#redistribute ospf-ext
PE2(config-bgp-af)#exit
7-46
/*Configure LDP*/
PE2(config)#mpls ldp instance 1
PE2(config-ldp)#interface gei-0/1/0/4
PE2(config-ldp-if)#exit
PE2(config-ldp)#router-id loopback1 force
PE2(config-ldp)#exit
PE2(config)#show running-config ldp
!<MPLS>
mpls ldp instance 1
router-id loopback1 force
interface gei-0/1/0/4
$
!</MPLS>
PE2(config)#show mpls ldp neighbor detail instance 1
Peer LDP Ident: 1.2.3.30:0; Local LDP Ident 1.2.3.29:0
TCP connection: 1.2.3.30.1028 - 1.2.3.29.646
state: Oper; Msgs sent/rcvd: 188/151; Downstream
Up Time: 01:58:43
LDP discovery sources:
gei-0/1/0/4; Src IP addr: 20.1.1.1
Addresses bound to peer LDP Ident:
1.2.3.30 158.1.1.1 158.158.158.158 123.12.23.2
17.1.1.1 50.1.1.1 12.1.1.2 20.1.1.1
70.1.1.1
7-47
Configuration Verification
After the neighbor relationship is established between PE1 and PE2, check the routes of
VPN1, which is displayed as follows:
PE1(config)#show ip protocol routing vrf vpn1
Routes of vpn:
status codes: *valid, >best, s-stale
7-48
In this example, if a part of users in VPN1 on PE1 want to access the VPN2 network,
configure the match item for the route-map, configure the users according to the ACL rule,
and configure the set item for the route-map. Note that a private network route must exist
on PE1.
For example, users of network segment 10.1.1.2 want to access network segment
14.14.14.0/24, but users belong to vpn1 and network segment 14.14.14.0 belongs to
vpn2. In this case, run the show ip protocol routing vrf vpn2 command to check the route
of network segment 14.14.14.0, implement this operation by the remote VRF policy route,
and set the set item by running the vrf vpn2 command.
7-49
7-50
II
ICMP
- Internet Control Message Protocol
IGMP
- Internet Group Management Protocol
IGP
- Interior Gateway Protocol
IP
- Internet Protocol
IS-IS
- Intermediate System-to-Intermediate System
LSA
- Link State Advertisement
OSPF
- Open Shortest Path First
PIM-SM
- Protocol Independent Multicast - Sparse Mode
RADIUS
- Remote Authentication Dial In User Service
III
RP
- Rendezvous Point
SP
- Service Provider
TACACS+
- Terminal Access Controller Access-Control System Plus
TCP
- Transmission Control Protocol
ToS
- Type of Service
UDP
- User Datagram Protocol
URPF
- Unicast Reverse Path Forwarding
VRF
- Virtual Route Forwarding
IV