SJ-20130205142913-020-ZXR10 M6000 (V1.00.60) Carrier-Class Router Configuration Guide (Policy Template)

ZXR10 M6000
Carrier-Class Router
Configuration Guide (Policy Template)
Version: 1.00.60
ZTE CORPORATION
NO. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright © 2013 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Revision No. Revision Date Revision Reason
R2.2 2012-02-28 Fourth edition
R2.0 2012-07-20 Third edition
R1.1 2012-03-30 Second edition
R1.0 2011-12-10 First edition
Serial Number: SJ-20130205142913-020
Publishing Date: 2013-02-28 (R2.2)
SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

Contents
About This Manual ......................................................................................... I
Chapter 1 Policy Template Overview........................................................ 1-1
Chapter 2 AAA Configuration.................................................................... 2-1
2.1 Overview ........................................................................................................... 2-1
2.2 Configuring AAA ................................................................................................ 2-2
2.3 Maintaining AAA ................................................................................................ 2-4
2.4 AAA Configuration Example................................................................................ 2-4
Chapter 3 SAMGR Configuration .............................................................. 3-1

Chapter 4 Time-Range Configuration....................................................... 4-1
4.1 Overview ........................................................................................................... 4-1
4.2 Configuring a Time-Range .................................................................................. 4-2
4.3 Maintaining a Time-Range .................................................................................. 4-3
4.4 Time-Range Configuration Examples................................................................... 4-3
4.4.1 Configuration Example 1: Configuring a Time-Range ................................. 4-3
4.4.2 Configuration Example 2: ACL Calling a Time-Range ................................. 4-6
4.4.3 Configuration Example 3: SQA Calling a Time-Range ................................ 4-8
Chapter 5 ACL Configuration .................................................................... 5-1

5.1 Overview ........................................................................................................... 5-1
5.2 Configuring an ACL ............................................................................................ 5-1
5.3 Maintaining ACL................................................................................................. 5-3
5.4 ACL Configuration Example ................................................................................ 5-4
Chapter 6 Prefix-List Configuration.......................................................... 6-1

6.1 Prefix-List Overview ........................................................................................... 6-1
6.2 Configuring a Prefix-List...................................................................................... 6-2
6.3 Maintaining a Prefix-List...................................................................................... 6-4
6.4 Prefix-List Configuration Examples ...................................................................... 6-4
6.4.1 Prefix-List Configuration Example.............................................................. 6-5
6.4.2 Prefix-List Called by IP Multicast ............................................................... 6-6
6.4.3 Prefix-List Called by OSPF ....................................................................... 6-8
6.4.4 Prefix-List Called by BGP........................................................................ 6-10
6.4.5 Prefix-List Called by a Route-Map ........................................................... 6-14
Chapter 7 ROUTE-MAP Policy Configuration .......................................... 7-1

7.1 Route-Map Overview.......................................................................................... 7-1
7.2 Routing Policy Configuration ............................................................................... 7-2
7.2.1 Routing Policy Overview ........................................................................... 7-2
7.2.2 Configuring Routing Policies ..................................................................... 7-4
7.2.3 Maintaining Routing Policy .......................................................................7-11
7.2.4 Routing Policy Configuration Instances .................................................... 7-12
7.3 Policy Routing Configuration ............................................................................. 7-31
7.3.1 Policy Routing Overview ......................................................................... 7-31
7.3.2 Configuring Policy Routing ...................................................................... 7-32
7.3.3 Policy Routing Maintenance.................................................................... 7-34
7.3.4 Policy Routing Configuration Examples.................................................... 7-34
Figures............................................................................................................. I
Glossary ........................................................................................................ III
II

About This Manual
Purpose
This manual describes the principle, configuration commands, maintenance commands,
and configuration examples about policy templates of the ZXR10 M6000.
Intended Audience
This manual is intended for:
l Network planning engineers
l Commissioning engineers
l On-duty personnel
What Is in This Manual

This manual contains the following chapters:
Chapter Summary
1, Policy Template Overview Describes functions related to the policy templates.
2, AAA Configuration Describes the principle, configuration commands, maintenance

commands, and configuration examples of the AAA.
3, SAMGR Configuration Describes the SAMGR principle. For the configuration of SAMGR,
refer to the ZXR10 M6000 Carrier-Class Router Configuration Guide
(Reliability).
4, Time-Range Configuration Describes the principle, configuration commands, maintenance

commands, and configuration examples of the time range.
5, ACL Configuration Describes the principle, configuration commands, maintenance

commands, and configuration examples of the ACL.
6, Prefix-List Configuration Describes the principle, configuration commands, maintenance

commands, and configuration examples of the prefix-list.
7, ROUTE-MAP Policy Describes the ROUTE-MAP, related routing policies and policy
Configuration routing principles, configuration commands, maintenance
commands, and configuration examples of the route-map policy.
Conventions
This manual uses the following typographical conventions:
Typeface Meaning
Italics Variables in commands. It may also refer to other related manuals and documents.

Typeface Meaning
Bold Menus, menu options, function names, input fields, option button names, check boxes,
drop-down lists, dialog box names, window names, parameters, and commands.
Constant Text that you type, program codes, filenames, directory names, and function names.
width
[] Optional parameters.
{} Mandatory parameters.
| Separates individual parameter in series of parameters.
Danger: indicates an imminently hazardous situation. Failure to comply can result in

death or serious injury, equipment damage, or site breakdown.
Warning: indicates a potentially hazardous situation. Failure to comply can result in

serious injury, equipment damage, or interruption of major services.
Caution: indicates a potentially hazardous situation. Failure to comply can result in

moderate injury, equipment damage, or interruption of minor services.
Note: provides additional information about a certain topic.
II

Chapter 1
Policy Template Overview
Policy Template Overview
This manual describes the following policy template functions:
l Authentication, Authorization and Accounting (AAA) template
l Service Availability Manager (SAMGR)
l Time-range
l Access Control List (ACL)
l Internet Protocol (IP) prefix-list
l Route-map
The policy templates function only after being called by other services. Policy templates
can provide some policies and control mechanisms for other services, such as controlling
the authentication and authorization modes, and controlling service time-range.
When not called, the policy templates do not affect any services. The policy templates
can be called only when other services are interested in the policies provided by the policy
templates.
Once called, policy templates will function to make the services more flexible.
AAA Template
An AAA template provides templates for authentication, authorization and accounting.
The meaning of an AAA template is:

Several modes are available for any "A". To use an AAA template, configure the modes
in the AAA template first, and then apply the AAA template to the services so that the
services and the expected modes are associated.
SAMGR
In practical applications, a router provides multiple detection technologies. At the same
time, there are also many protection switching applications that need to monitor detection
results on a real-time basis to meet the requirements for availability in different network
structures. Therefore, the SAMGR is used to implement the linkage between various
detection technologies and services. The SAMGR can collect the results of various
availability detections to form a result set. Services that are concerned with the availability
can determine whether to take protection and switching measures in accordance with the
state of the result set.
In this way, services only need to be associated with the result list, instead of needing to
know the result of the availability detections.
1-1

ZXR10 M6000 Configuration Guide (Policy Template)
Time-Range
A time–range provides the wake-up/hypnosis service for other services. A service can
subscribe to the state of a time-range list as the standard to start the service at specified
time. When the state of the time–range list changes, the service is informed to change its
own state.
ACL
An ACL filters packets in accordance with the fields in the packets. The most common
fields are the quintuplet in a packet, including the source IP address, the destination IP
address, the protocol type, the source port number, and the destination port number.
There may be several rules in an ACL. Each rule describes a certain matching condition.
For a specified packet, an ACL determines whether the packet matches a condition
from the first rule. Once the packet matches a condition, the ACL will take the action
(permit/deny) defined in the rule. After an ACL is applied to a service, the permit/deny
action is mapped to some actions defined for the service, for example, policy routing that
takes effect on the forwarding plane.
An ACL is mostly applied to an interface that forwards packets, and used as the basis for
permitting or denying packets.
IP Prefix-List
In an IP prefix-list, the prefix of the specified routes can be permitted or denied. After the
prefix-list is used in a service, the matched prefixes are mapped to actions in the service
in accordance with the corresponding permit/deny action.
Route-map
The function of a route-map is to set a specified action for a specified feature.
l The match command is used to set a specified feature.
l The set command is used to set a specified action.
When the match command is used, an ACL template or a prefix-list template can be called.
The ACL template and the prefix-list template are advanced templates in which other
templates can be embedded in this document.
1-2

Chapter 2
AAA Configuration
Table of Contents
Overview ....................................................................................................................2-1
Configuring AAA.........................................................................................................2-2
Maintaining AAA.........................................................................................................2-4
AAA Configuration Example .......................................................................................2-4
2.1 Overview
All network Service Providers (SPs) have to ensure a reasonable usage of network
resources and user profit. AAA is developed to solve the requirements, which provides
an effective platform to manage users.
l Authentication: Validates the identities of users before allowing them to use network
resources.
l Authorization: Authorizes users to use network resources by using a specified
method.
l Accounting: Charges and audits users through collecting and recording the usage of
network resources.
AAA function uses a client/server model.
l The client is a program operating on a router. The client is responsible for forming
and sending data to the specified server, receiving responding messages from the
server, configuring data in accordance with the response of the server, and notifying
the application to perform different operations.
l The server is an AAA server program operating on a remote PC. The server is
responsible for receiving connection requests from users, authenticating user identity,
and returning user configuration information.
Remote Authentication Dial In User Service (RADIUS) implements AAA. Currently, AAA
supports the RADIUS authentication, authorization and accounting. AAA also supports
Terminal Access Controller Access-Control System Plus (TACACS+) authentication,
authorization and accounting.
For example, a user wants to log in to a router through SSH. User identity needs to
be authenticated. The SSH program sends authentication information (user name,
and password) to the AAA server. The AAA server checks the received authentication
information by using the database, and determines whether the authentication can be
passed. Users can run commands with some privilege levels after the authentication is
passed.
2-1

2.2 Configuring AAA

To configure AAA on the ZXR10 M6000, perform the following steps:
Step Command Function
1 ZXR10(config)#aaa-authentication-template <number> Selects an authentication template and

enters authentication configuration mode.
The range of the authen-template-number
is 1-2128.
2 ZXR10(config-aaa-authen-template)#aaa-authentication Configures the authentication mode for the

-type {none|local|radius|local-radius|radius-local|radius-none authentication template in authentication
|local-tacacs|tacacs|tacacs-local|tacac-none} configuration mode.
3 ZXR10(config-aaa-authen-template)#authentication-ra Configures a RADIUS authentication group

dius-group <group-number> in authentication configuration mode after
the RADIUS group is configured. The range
of the group number is 1 - 2000.
4 ZXR10(config-aaa-authen-template)#authentication-t Configures a Terminal Access Controller

acacs-group <tacacs-name> Access-Control System (TACACS)
authentication group in authentication
configuration mode after the TACACS group
is configured, range: 1-31 characters.
5 ZXR10(config-aaa-authen-template)#description Configures description information in

<description > authentication configuration mode. The
description consists of 1-31 characters.
6 ZXR10(config)#aaa-authorization-template <number> Selects an authorization template and enters

authorization configuration mode. The range
of the authen-template-number is 1-2128.
7 ZXR10(config-aaa-author-template)#aaa-authorization-t Configures the authorization mode

ype {none|mix-radius|mix-tacacs|tacacs|radius} for the authorization template in
authorization configuration mode. The
tacacs authorization and MIX-TACACS
authorization are in command authorization
mode.
8 ZXR10(config-aaa-author-template)#authorization-taca Configures a TACACS authorization group

cs-group <tacacs-name> in authorization configuration mode after the
RADIUS group is configured, range: 1-31
characters.
9 ZXR10(config-aaa-author-template)#description Configures description information in

<description > authorization configuration mode. The
description consists of 1-31 characters.
2-2

Chapter 2 AAA Configuration
10 ZXR10(config)#aaa-accounting-template <number> Selects an accounting template and enters

accounting configuration mode. The range of
the acct-template-number is 1-2128.
11 ZXR10(config-aaa-acct-template)#aaa-accounting-type Configures the accounting mode for

{none | radius | tacacs} an accounting template in accounting
configuration mode.
12 ZXR10(config-aaa-acct-template)#accounting-radius-gr Configures a RADIUS accounting group

oup first <group-number>[second <group-number>] in accounting configuration mode after the
RADIUS group is configured.
13 ZXR10(config-aaa-acct-template)#description Configures description information in

<description > accounting configuration mode.
14 ZXR10(config-aaa-acct-template)#accounting-tacacs- Configures the TACACS charging group

group <tacacs-name> in accounting configuration mode after the
TACACS group is configured, range: 1-31
characters.
Parameter descriptions in Step 2 are as follows:
Parameter Description
none No authentication.
local Local authentication.
radius RADIUS remote authentication.
local-radius Perform local authentication first. If the user does not exist, use RADIUS
authentication. If local authentication is refused, RADIUS authentication is not used.
radius-local Perform the RADIUS authentication first. If the RADIUS configuration is wrong or
times out, perform the local authentication. If radius authentication is refused,
do not perform the local authentication.
radius-none Perform the RADIUS authentication first. If RADIUS configuration is wrong or

times out, perform none authentication.
local-tacacs Perform the local authentication first. If the user does not exist, use TACACS
authentication. If local authentication is refused, do not perform the TACACS
authentication.
tacacs TACACS remote authentication.
tacacs-local Perform the TACACS authentication first. If the TACACS configuration is wrong or
times out, perform local authentication. If the TACACS authentication is refused,
do not perform the local authentication.
tacacs-none Perform the TACACS authentication first. If TACACS configuration is wrong or

times out, perform none authentication.
2-3

none No authorization.
mix-radius RADIUS hybrid authorization.
mix-tacacs TACACS hybrid authorization.
tacacs TACACS authorization. It is a user authorization mode when the

command authorization is configured
radius RADIUS authorization, no command authorization. It is the same as

that of the mix-radius parameter.
none No accounting.
radius RADIUS accounting.
tacacs TACACS accounting.
2.3 Maintaining AAA

To maintain AAA on the ZXR10 M6000, run the following commands.
Command Function
ZXR10#show running-config aaa [all] Displays configurations related to AAA.
ZXR10#show aaa-authentication-template [<number>] Displays configurations related to the

authentication template.
ZXR10#show aaa-accounting-template [<number>] Displays configurations related to the accounting

template.
ZXR10#show aaa-authorization-template [<number>] Displays configurations related to the

authorization template.
2.4 AAA Configuration Example

Configuration Description
On the ZXR10 device, an authentication template, an authorization template, and an
accounting template can be configured respectively. In an authentication template,
there are multiple authentication modes, including TACACS+, RADIUS, LOCAL, NONE,
and their combinations. In an authorization template, there are multiple authorization
2-4

modes, including mix-radius, mix-tacacs, none, TACACS and RADIUS. In an accounting

template, there are three accounting modes, including TACACS, RADIUS, and none.
Figure 2-1 shows that the authentication mode and authorization mode are TACACS+, and
the accounting mode is RADIUS.
Figure 2-1 AAA Configuration Example Topology
1. Configure an authentication template, an authorization template, and an accounting

template respectively.
In the authentication template, there are multiple authentication modes, including
TACACS+, RADIUS, LOCAL, NONE, and their combinations. For the radius-local
authentication mode, the RADIUS authentication is preferred. When the RADIUS
authentication gives no response, perform the LOCAL authentication.
After the authentication modes are configured for each template, configure
server groups that corresponds to the authentication mode for the templates (it is
unnecessary to configure server groups for the LOCAL authentication and the NONE
authentication).
2. Configure a user management authentication template and a user management
authorization template. Bind the AAA templates to the user management templates.
When users log in, authentication and authorization will be performed in accordance
with the AAA configuration. If not used in user management, the AAA does not
function when users log in.
Configuration Flow
1. Determine the authentication, authorization, and accounting modes that
will be used. Before AAA templates are configured, create server groups
corresponding to the modes. (for example, if the TACACS+ authentication
mode is used, create a TACACS+ server group first). Otherwise, when the
authentication/authorization/accounting server is configured for the specified mode in
an AAA template, the system prompts that the server group does not exist.
2. The AAA templates are configured individually, so other services
can use these templates flexibly. Configure required templates
(authentication/authorization/accounting), and specify a sequence numbers for these
templates.
3. Configure the modes in the templates. If the modes are related to TACACS+ or
RADIUS, specify server groups for the modes.
4. When the AAA templates are configured and other service call the templates, the AAA
templates function.
2-5

Configuration Command
Run the following commands on the ZXR10 M6000:
/*Enable the TACACS+ service on the device. Configure the TACACS+ server group
that will be used by the authentication template and the authorization template.
(For details, refer to the corresponding chapter in this manual.)*/
ZXR10(config)#tacacs enable
ZXR10(config)#tacacs-server host 192.168.1.2 key zte
ZXR10(config)#tacplus group-server ztegroup
ZXR10(config-sg)#server 192.168.1.2
ZXR10(config-sg)#exit
/*radius configuration*/
ZXR10(config)#radius accounting-group 1
ZXR10(config-authgrp-1)#server 1 192.168.1.2 master key zte
ZXR10(config-authgrp-1)#algorithm round-robin
ZXR10(config-authgrp-1)#max-retries 3
ZXR10(config-authgrp-1)#timeout 30
ZXR10(config-authgrp-1)#deadtime 0
ZXR10(config-authgrp-1)#exit
ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type tacacs-local
ZXR10(config-aaa-authen-template)#authentication-tacacs-group ztegroup
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type mix-tacacs
ZXR10(config-aaa-author-template)#authorization-tacacs-group ztegroup
ZXR10(config-aaa-author-template)#exit ZXR10(config)#aaa-accounting-template 1
ZXR10(config-aaa-acct-template)#aaa-accounting-type radius
ZXR10(config-aaa-acct-template)#accounting-radius-group first 1
ZXR10(config-aaa-acct-template)#exit
Configuration Verification
Run the show running-config aaa command to view the AAA configuration information,
which is displayed as follows:
ZXR10(config)#show running-config aaa

! <AAA>
aaa-authentication-template 2001
aaa-authentication-type tacacs-local
authentication-tacacs-group ztegroup
!
aaa-authorization-template 2001
aaa-authorization-type mix-tacacs
2-6

authorization-tacacs-group ztegroup
!
aaa-accounting-template 1
aaa-accounting-type radius
accounting-radius-group first 1
!
! </AAA>
2-7

This page intentionally left blank.
2-8

Chapter 3
SAMGR Configuration
For SAMGR principle and configuration, refer to the ZXR10 M6000 Configuration Guide
(Reliability).
3-1

3-2

Chapter 4
Time-Range Configuration
Table of Contents
Overview ....................................................................................................................4-1
Configuring a Time-Range..........................................................................................4-2
Maintaining a Time-Range..........................................................................................4-3
Time-Range Configuration Examples .........................................................................4-3
4.1 Overview
Time-Range Introduction
A time–range provides the wake-up/hypnosis service for other services. A user can
configure multiple time-ranges. Each time-range has its own name. In a time-range,
multiple periodic time segments and one absolute time segment can be defined.
A time-range takes effect in the following situations:
l Only an absolute time segment is configured, and the current system time is in the
absolute time segment.
l Only a periodic time segment is configured. No matter how many periodic time
segments are configured, the time-range is effective if the current system time
corresponds to any periodic time segment.
l Both absolute and periodic time segments are configured. The time-range is effective
only when the current system time corresponds to both absolute time segment and
any periodic time segment.
l After a time-range list is configured, no time segment is added. For an empty
time-range list, the state is always active.
An application can subscribe to some time-range from a time-range module. When the
state of the time-range changes, the time-range module will inform the application module
of the current state of the time-range, including active and inactive.
Time-Range Features
The time-range subsystem uses the Client/Server (C/S) structure.
l The main functions of time-range server are time-range configuration management,
time management, state broadcast, and data synchronization.
l The client is responsible for managing the registrations of application modules,
receiving the time-range state broadcast by the server, and informing the applications
that the time-range state is changed. To provide time-range state index, the client
also needs to maintain a table for saving all configured time-ranges and the states.
4-1

In time-range time management, the system time is used as the reference time for setting
a timer. The states of all time-ranges are checked periodically (once every 5 seconds).
The state of a time-range is scanned once every 5 seconds. So, during the configuration
of a time segment, the state of the time-range changes frequently, which is unfavourable
to stability. Therefore, it is necessary to use the operation area and working area mode.
A user can modify the data in the operation area when configuring the time-range. After
finishing the configuration, the user can exit the configuration mode and synchronize the
data from the operation area to the working area. During time segment calculation, only
the configuration in the working area is read.
An application module quotes a time-range name directly and obtains the current state
from the client.
1. The server informs the client of all time-range tables and states to the client. Later, it
inspects the time-range states and informs the client of the states periodically.
2. The client informs the application modules in turn after receiving the notifications. The
application modules perform the corresponding operations in accordance with their
actual requirements.
4.2 Configuring a Time-Range

To configure a time-range on the ZXR10 M6000, perform the following steps:
1 ZXR10(config)#time-range enable Enables the time-range function and

initializes the related data.
2 ZXR10(config)#time-range <time-range-name> Creates and names a time-range,

and enters time-range configuration
mode.
3 ZXR10(config-tr)#absolute {end <hh:mm:ss><mm-dd-yyyy>[start Configures an absolute time segment

<hh:mm:ss><mm-dd-yyyy>]|start <hh:mm:ss><mm-dd-yyyy>[end rule for the current time-range.
<hh:mm:ss><mm-dd-yyyy >]}
4 ZXR10(config-tr)#periodic [days-of-week]<hh:mm:ss> to Configures a periodic time segment

[days-of-week]<hh:mm:ss> for the current time-range. A
time-range can have many periodic
time segments.
start <time-date> The starting time of an absolute time segment. The format is hour:
minute: second month day year. The range is from 2001-01-01 00:00
to 2037-12-31 23:59. The second has to be a multiple of 15.
4-2

Chapter 4 Time-Range Configuration
end <time-date> The ending time of an absolute time segment. The format is hour:
minute: second month day year. The range is from 2001-01-01 00:00
to 2037-12-31 23:59. The second has to be a multiple of 15.
<hh:mm:ss> Hour: minute: second. The second has to be a multiple of 15.
<days-of-week> Specified one or more days in a week. It can be Monday, Tuesday,

Wednesday, Thursday, Friday, Saturday, Sunday, daily, weekend
(Saturday and Sunday) or weekdays (Monday to Friday).
4.3 Maintaining a Time-Range

To maintain a Time-Range on the ZXR10 M6000, run the following commands:
Command Output
ZXR10#show time-range <time-range-name> Displays the state information of a time-range.
ZXR10#show time-range Displays the state information of all time-ranges.
ZXR10#debug time-range [change-to {inactive | active}] Displays the system time, time-range name,
state before change, and state after change
when the sate of a time-range changes.
4.4 Time-Range Configuration Examples

4.4.1 Configuration Example 1: Configuring a Time-Range
1. On a device, 2048 time-ranges can be configured at most. In a time-range, 12 time
segments can be configured at most.
2. There are two types of time segments, absolute time segments, and periodic time
segments. An absolute time segment consists of a specified time and a specified
date. A periodic time segment consists of a specified time and some day of a week.
The circulation period of periodic time segment a week.
3. The absolute time segments and the periodic time segments can be configured for the
time-range list as required. Note that in a time-range , there is only one absolute time
segment, and there may be several periodic time segments.
4. A time-range takes effect in the following situations,
4-3

l Only an absolute time segment is configured, and the current system time is in
the absolute time segment.
l Only a periodic time segment is configured. No matter how many periodic time
segments are configured, the time-range is effective if the current system time
corresponds to any periodic time segment.
l Both absolute time segments and periodic time segments are configured. The
time-range is effective only when the current system time corresponds to both
absolute time segments and any periodic time segments.
l After a time-range list is configured, no time segment is added. For an empty
time-range, the state is always active.
Configuration Flow
In this example, configure a time-range named test. In this time-range, configure an
absolute time segment. The specified time segment is from 9:30 A.M. on 2011–01–14 to
9:30 A.M. on 2011–01–15. In this time-range, configure two periodic time segments. One
is from 8:00 A.M. to 8:30 A.M. every day, and the other is from 0:00 A.M. every Saturday
to 10:00 P.M. every Sunday.
In accordance with the third rule in which a time-range takes effect, the time intersections
of the absolute time segment and the periodic time segments are the effective time of a
time-range. When the system is in this effective range, the time-range takes effect.
In accordance with the configurations, the result of the time-range is described below.
From 8:00 A.M. to 8:30 A.M. on 2011–01–15 (Friday), and from 0:00 A.M. every Saturday
to 10:00 P.M. every Sunday, the state of the time-range is active. The first time intersection
is included in the second time intersection, which does not prevent the time-range from
taking effect.
The configuration procedure is described below.
1. Enable the time-range function and configure a time-range.
2. Determine the time point to trigger services and configure the time segments in the
time-range list.
3. Confirm the system time of the rack and make sure that the reference time of the
time-range is correct.
1. Run the following commands to enable the time-range function and configure a
time-range.
R2(config)#time-range enable
R2(config)#time-range test
R2(config-tr)#exit
2. Run the following commands to configure time segments.
Configure an absolute time segment. Configure the start time and end time in
accordance with demand. This means that the time-range is effective in a specified
time on a specified date. (You can also configure the start time only, which means
4-4

that the time-range is always effective from the start time. You can also configure the
end time only, which means that the time-range is not effective from the end time.)
l Run the following commands to configure an absolute time segment. The effective
time is from 9:30 A.M. on 2011–01–14 to 9:30 A.M. on 2011–01–15. in accordance
with the first rule in which situation a time-range takes effect, the time-range is
effective in this absolute time segment.
l If there are other time segments in this time-range, so long as the absolute
time segment has an time intersection with any periodic time segment in the
time-range, the time range is effective during the time intersection.
R2(config-tr)#absolute start 9:30:00 1-14-2011 end 9:30:00 1-15-2011
Configure periodic time segments. In a periodic time segment, the specified data is
not configured. Instead, some say of a week is configured, or daily, weekdays and
weedend can be configured.
Configure another periodic time segment. The start time is Saturday, and the end time
is the unique day after Saturday in a week, that is, Sunday.
R2(config-tr)#periodic daily 8:00:00 to 8:30:00
/*Configure a periodic time segment. The effective time segment is from
8:00 A.M. to 8:30 A.M. every day.*/
R2(config-tr)#periodic saturday 00:00:00 to sunday 22:00:00

/*Configure a periodic time segment. The effective time segment is from
saturday 0:00 to sunday 22:00.*/
R2(config-tr)#exit
/*After the configurations are completed, exit from time-range configuration mode
and continue other configurations.*/
3. Run the following command to confirm whether the system time is correct.
R2(config)#show clock
09:37:09 UTC Fri Jan 14 2011
R2(config)#
/*The system time is the reference time of the time-range. When the system time
is in the effective range of the time-range, the time-range takes effect.
So, make sure that the system time is correct.*/
1. Run the show running-config time-range command to view the configuration result of
the time-range, which is displayed as follows:
R2(config)#show running-config time-range
！<TR>
time-range enable
time-range test
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00
4-5

$
! </TR>
R2(config)#
/*The displayed information is the same as that configured. There is one absolute
time segment and two periodic time segments.*/
2. Run the show time-range test command to view the time-range. When the system time
is not in the time segments, the state of the time-range is inactive.
R2(config)#show time-range test
Current time is 09:38:20 01-14-2011 Friday
time-range test <inactive>
R2(config)#
3. Run the show time-range test command to view the time-range. When the system time
is in the time segments, the state of the time-range is active.
Current time is 03:59:33 01-15-2011 Saturday
time-range test <active>
R2(config)#
4.4.2 Configuration Example 2: ACL Calling a Time-Range

Configuration Example
In a time-range, the active time segment for the time-range can be configured. The active
state of a time-range does not function to any user operation. Therefore, it is necessary to
bind a time-range to an ACL so that the ACL will become active and limit the time segment
when the ACL takes effect.
In actual applications, for example, in a company, the staff are not allowed to access the
Internet during working hours, and the staff are allowed to access the Internet after the
working hours. In this situation, a time segment can be configured. In the working hours,
any request sent from the company are denied, and requests in other hours are permitted.
It is assumed that PC1 sends TELNET requests to R1 through R2. However, R1 only
hopes to receive the login requests of PC1 in a certain time segment. So, a time-range
can be created and bound to an ACL. In the ingress of gei-0/1/0/3, bind this ACL. In this
way, TELNET packets from PC1 can be filtered in the specified time segment (the ACL
can also be bound in the outbound direction on gei-0/1/0/2), see Figure 4-1.
4-6

Figure 4-1 Time-Range Configuration Example
It is only necessary to configure one time-range and bind it to an ACL. In the ACL, configure
the following rules: For the packets that match the IP address of PC1, whose protocol type
is Transfer Control Protocol (TCP) and whose port type is TELNET, deny these packets
in the specified time segment. Then, bind this ACL to the ingress of gei-0/1/0/3 or the
outbound direction on gei-0/1/0/2.
After the configuration, only in the specified time segment of the time-range will the ACL
take effect. In this time segment, PC1 cannot log in to R1. After the active time segment
of the time-range, PC1 can log in to R1.
Configuration Flow
1. Create a time-range. Users can define a name for the time-range when creating it.
The name consists of at most 31 characters.
2. Enter time-range configuration mode and add a time segment.
3. Bind the time-range to the corresponding ACL as required. The ACL will take effect in
the time segment.
The configuration of R2 is described below.
1. Run the following commands to create a time-range.
/*Enable the time-range function. If the time-range function is not enable, the
time-range cannot be created.*/
R2(config)#time-range test
R2(config-tr)#
/*Create a time-range named test.*/
2. Run the following command to add a time segment to the time-range.
/*Configure an absolute time range. The time-range can be set to take effect
from a certain time, or be effective before a certain time, or be effective in a
certain time segment.*/
R1(config-tr)#absolute start 08:00:00 1-1-2010 end 17:00:00 12-31-2010
/*Start from 08:00:00 on 2010-1-1 and end till 17:00:00 on 2010-12-31.*/
3. Run the following commands to bind the time-range to an ACL.
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 eq telnet
30.20.10.1 0.0.0.0 time－range test
R2(config-ipv4-acl)# rule 2 permit any
R2(config-ipv4-acl)#exit
4-7

R2(config)#ipv4-access-group gei-0/1/0/1 ingress test

/*The time-range is bound successfully. The ACL only takes effect when the
time-range is active.*/
Run the show time-range command to view the time-range information, including the
current system, the time-range name, the time segments, and the time-range state (active
or inactive), which is displayed as follows:
R1(config)#show time-range
Run the show time-range test command to view the information of a specified time-range,
which is displayed as follows:
4.4.3 Configuration Example 3: SQA Calling a Time-Range

In a user login control situation, perform RADIUS authentication for the users who log
in to the ZXR10 M6000. The ZXR10 M6000 operates as a client sending authentication
requests, and it communicates with the RADIUS server. To ensure that the RADIUS
authentication service operates properly, verify the connectivity between the ZXR10
M6000 and the RADIUS server. The connectivity can be verified by using the SQA with
the Internet Control Message Protocol (ICMP) type. The SQA detection time is controlled
by a time-range.
Figure 4-2 shows a network topology illustrating the above configuration description.
Figure 4-2 Configuration Example of SQA Invoking a Time-Range
Configuration Flow
Configure an SQA example whose type is ICMP. The SQA detection time is controlled by
a time-range.
1. Configure a time-range and set an absolute starting time as required.
4-8

2. Configure an SQA example, and set the SQA detection type to ICMP in accordance
with the network scenario.
3. Configure that the SQA detection start time is controlled by the specified time-range.
1. Run the following commands to configure a time-range and configure a time segment
as required.
10:20:47 UTC Thu Jan 13 2011
R2(config)#time-range 1
R2(config-tr)#absolute start 10:30:00 1-13-2011
R2(config-tr)#exit
2. Run the following commands to configure an SQA example, and set the SQA detection
type to ICMP in accordance with the network scene.
R2(config)#sqa-test 1
R2(config-sqa)#type-icmp vrf mng 169.1.109.130
3. Run the following commands to configure that the SQA detection start time is controlled
by the specified time-range.
R2(config-sqa)#sqa-begin timerange 1 once
R2(config-sqa)#exit
/*SQA detection by using a time-range can only be triggered once. No matter
how many effective time segments there are in the time-range, only the first
effective time segment triggers the detection, that is, the meaning of "once"
in this command. The following effective time segments of the time-range will
not trigger SQA detection.Configure the start time of SQA detection. If the
specific time-range is null, this equals to "now" and SQA detection will ve
started immediately.*/
1. Run the show sqa command to view the configuration result, which is displayed as
follows:
R2(config)#show sqa-test 1
test type: ICMP
vrf:mng
destination IP:169.1.109.130
repeat:1
tos:0
ttl:255
size:36
interval time:100
send trap:disabletimerange name:1
2. When the time-range is not effective, run the show sqa-result command to check the
output information, which is displayed as follows:
4-9

10:22:41 UTC Thu Jan 13 2011
R2(config)#show sqa-result icmp
R2(config)#
3. When the time-range is effective, run the show sqa-result command to check the output
information, which is displayed as follows:
R2#show sqa-result icmp
icmp test[1] result
SendPackets:1 ResponsePackets:0
Completion:success Destination ip address:169.1.109.130
Min/Max/Avg/Sum/Last RTT:0/0/0/0/0ms
Min/Max/Avg/Sum Positive Jitter:0/0/0/0ms
Min/Max/Avg/Sum Negative Jitter:0/0/0/0ms
Min/Max/Avg/Sum Jitter:0/0/0/0ms
Packet loss rate:100%
Last Probe Time:2011-1-13 10:30:4
/*Detection was performed at 10:30:04 A.M. on 2011-01-13. ZXR10 sendt an ICMP
echo request to the host whose address is 169.1.109.130, and there was no
response. Thismight be because the IP address was unreachable dur to the
network environment, or ICMP service was not enabled on the host whose address
is 169.1.109.130, or the firewall on this host was set not to respond ICMP
echo requests.*/
4-10

Chapter 5
ACL Configuration
Table of Contents
Overview ....................................................................................................................5-1
Configuring an ACL ....................................................................................................5-1
Maintaining ACL.........................................................................................................5-3
ACL Configuration Example .......................................................................................5-4
5.1 Overview
An ACL is a flow classification tool. It can implement port-ACL, Unicast Reverse Path
Forwarding (URPF), and PBR functions.
An ACL filters packets in accordance with the fields in the packets. The most common
fields are the quintuplet in a packet, including the source IP address, the destination IP
address, the protocol type, the source port number, and the destination port number.
There may be several rules in an ACL. Each rule describes a certain matching condition.
For a specified packet, an ACL determines whether the packet matches a condition
from the first rule. Once the packet matches a condition, the ACL will take the action
(permit/deny) defined in the rule. After an ACL is applied to a service, the permit/deny
action is mapped to some actions defined for the service, for example, policy routing that
takes effect on the forwarding plane.
5.2 Configuring an ACL

To configure an ACL on the ZXR10 M6000, perform the following steps:
1 ZXR10(config)#ipv4-access-list <name> Creates or configures an ACL.
2 ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit | Configures a standard source

deny}{<source>[<source-wildcard>]| any}[time-range address-based ACL rule.
<time-range-name>][log]
ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit|deny}{<0-255>|ip Configures an extended ACL rule.

|<protocol-type>}{<source><source-wildcard>|any}{<destination><d
estination-wildcard>|any}[{tos <tos-value>| precedence <precede
nce-value>|dscp <dscp-value>}][ttl{<ttl-operator><ttl-value>|range
<1-255>-<1-255>}][time-range <time-range-name>][log]
ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit|deny} tcp Configures a TCP-based ACL rule.

{<source><source-wildcard>|any}[{<operator>{<0-65535>|<source-por
5-1

ttype>}|range <0-65535>-<0-65535>}]{<destination><destination-wi
ldcard>|any}[{<operator>{<0-65535>|<destination-porttype>}|range
<0-65535>-<0-65535>}][{[established],[syn<syn>]}][{tos<tos-va
lue>|precedence <precedence-value>|dscp <dscp-value>}][{ttl
<ttl-operator><ttl-value>|range <1-255>-<1-255>}][time-range
ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit|deny} udp Configures a User Datagram

{<source><source-wildcard>|any}[{<operator>{<0-65535>|<source-por Protocol (UDP)-based ACL rule.
ttype>}|range <0-65535>-<0-65535>}]{<destination><destination-wi
ldcard>|any}[{<operator>{<0-65535>|<destination-porttype>}|range
<0-65535>-<0-65535>}][{tos <tos-value>|precedence <precedenc
e-value>|dscp <dscp-value>}][ttl {<ttl-operator><ttl-value>|range
<1-255>-<1-255>}][time-range <time-range-name>][log]
ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit|deny} Configures an ICMP-based ACL

icmp {<source><source-wildcard>| any}{<destination><destin rule.
ation-wildcard>|any}[{<0-15>|<icmp-type>}[<icmp-code>]][{tos
<tos-value>|precedence <precedence-value>|dscp <dscp-value>}][ttl
{<ttl-operator><ttl-value>|range <1-255>-<1-255>}]time-range
3 ZXR10(config-ipv4-acl)#move < target-rule-id>< target-New-rule Moves an ACL rule.

-id>
4 ZXR10(config-ipv4-acl)#no rule {<rule-id>| all } Deletes a specified ACL rule or all

ACL rules.
ZXR10(config)#resequence-access-list ipv4 <acl-name>[<base>[<in Re-sequences ACL rules.

crement>]]
5 ZXR10(config-if)#ipv4-access-group {ingress | egress}<acl-name>} Binds an ACL to the specified

direction of the current interface in
interface configuration mode.
ZXR10(config)#ipv4-access-group interface <interface-name>{ingress Binds an ACL to the specified

| egress}<acl-name> direction of one or more interfaces in
global configuration mode.
<rule-id> It is a unique identifier for the rule in the ACL. This ID determines the
sequence of the rule in the ACL. The range is 1-2147483644.
If the rule ID is not specified, the rule will be placed at the end of the
list by default, and the rule-ID is distributed in accordance with the
default base and increment (the default base is 10, and the default
increment is 10).
5-2

Chapter 5 ACL Configuration
permit Keyword. It indicates that this rule is a permitted.
deny Keyword. It indicates that this rule is a denied.
<0–255> Type of the matching protocol, indicating the IP protocol number.

Range: 0–255.
ip Any type of network protocols.
<protocol-type> IP protocol type. It may be one of the following keywords: igmp, gre,
ospf, pim, and vrrp.
<source-address> Source IPv4 address in dotted decimal notation.
<source-wildcard> Wildcard of the source IPv4 address in dotted decimal notation.
<destination-address> Destination IPv4 address in dotted decimal notation.
<destination-wildcard> The wildcard of destination IPv4 address in dotted decimal notation.
<operator> eq | ge | le | range Operation type for the port. It can be one keyword among eq, ge, le
and range. For the range keyword , it is necessary to specify two port
operation numbers to fix a port range, and the start value of the range
should not be greater than the end value.
<operator> eq | ge | le | neq| range Operation type for the TTL. It can be one keyword among eq, ge, le,
neq, and range. For the range keyword , it is necessary to specify
two port operation numbers to fix a TTL range, and the start value of
the range should not be greater than the end value.
<source-port> Source port number. Range: 0-65535.
<destination-port> Destination port number. Range: 0-65535.
precedence <value> Precedence. Range: 0-7.
tos <value> Type Of Service (ToS) field. Range: 0-15.
dscp <value> Differentiated Services Code Point (DSCP) field. Range: 0-63.
time-range <time-range-name> Sets a time-range when an ACL is effective.
established The keyword for establishing a TCP connection, only available for
the TCP.
<ttl-operator> Configures a TTL operation type. It may be one among: eq, ge, le,
and neq.
<ttl-value> Configures TTL. Range: 1–255.
log Statistics count.
5.3 Maintaining ACL

To maintain an ACL on the ZXR10 M6000, run the following commands:
5-3

Command Function
ZXR10#show ipv4-access-lists [|{begin|exclude|include}] Displays the information of the ACL.
ZXR10#show ipv4-access-lists brief [name <acl-name>][|{begin|exclude|i Displays the brief information of the
nclude}] ACL.
ZXR10#show ipv4-access-lists usage <interface-name>{ingress|egress} Displays the number of times that the
port-acl [|{begin|exclude|include}] ACL rule is used (only applicable for
rules that have been configured with
log).
ZXR10#show ipv4-access-lists name <acl-name>[{from <rule-id>}{to Displays the information of a specified

<rule-id>}][usage <interface-name>{ingress|egress} port-acl][|{begin|exclu ACL.
de|include}]
ZXR10#show ipv4-access-lists config [|{begin|exclude|include}] Displays the ACL resource usage on

the whole device.
ZXR10#show ipv4-access-groups [{[by-access-list <acl-name>],[by-direction Displays the binding information.

{ingress | egress}],[by-interface <interface-name>}]
Parameter descriptions are as follows:
ingress Displays the result in accordance with the ingress of the interface.
egress Displays the result in accordance with the egress of the interface.
usage Statistics information, the number of times that the ACL rule is used
(only applicable for rules that have been configured with log).
config System configuration.
begin Displays the information from the beginning matching characters.
include Displays the information that includes matching characters.
exclude Displays the information that excludes matching characters.
port-acl Port ACL.
5.4 ACL Configuration Example

It is assumed that both PC1 and PC2 send TELNET requests to R1 through R2, but R1
only receives the TELNET request coming from PC1 but not PC2. To meet the requirement
of R1, bind an ACL to the ingress of gei-0/1/0/1 to filter the TELNET packets coming from
PC2 (The ACL also can be bound to the egress of gei-0/1/0/2), see Figure 5-1.
5-4

Chapter 5 ACL Configuration
Figure 5-1 ACL Configuration Example Topology
In this case, it is required to create only one ACL and add a rule to the ACL. The rule is
that packets in which the IP addresses is that of the PC2, the protocol type is TCP, and
the port type is TELNET are denied. All other packets are permitted. After that, the ACL
is bounded to the ingress of gei-0/1/0/1 or the egress of gei-0/1/0/2.
After that, the TELNET request coming from PC2 cannot arrive at R1 even if PC2 gets
R1’s TELNET user name and password. The TELNET request packet is discarded after it
arrives at R2. The other communications between R1 and PC2 are not affected.
Configuration Flow
1. Create an ipv4–access-list. You can name the list. The list name consists of at most
31 characters.
2. Enter IPv4 ACL configuration mode after the list is created. Rules are added to this
list in IPv4 ACL configuration mode. Each rule can designate a type of packets, and
define the type of packets (denied or permitted).
3. In accordance with the requirements for traffic filtering, bind the customized ACL
ipv4–access-list to the egress or ingress of the interface where traffic needs to be
filtered.
Run the following commands on R2:
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 eq telnet
30.20.10.1 0.0.0.0
R2(config-ipv4-acl)#rule 20 permit any
R2(config)#ipv4-access-group interface gei-0/1/0/1 ingress test
Use the following two methods to check the ACL configuration, which is displayed as
follows:
5-5

Method 1: Run the show ipv4-access-lists brief to view the configured ACL, which is
displayed as follows:
R2(config)#show ipv4-access-lists brief
/*This only shows the name of each ACL and the number of rules in each ACL.*/
No. ACL RuleSum
------------------------------------------------
1 test 2
Run the following command to check the ACL binding information, which is displayed as
follows:
R2(config)#show ipv4-access-groups
Interface name|vlan Direction ACL name
---------------------------------------------------------
gei-0/1/0/1 Ingress test
Method 2: Run the show ipv4-access-lists name test to view the configured ACL, which is
R2(config)#show ipv4-access-lists name test
/*View an ACL. Brief or detail information can be viewed after the name is specified.
By default, detail information is displayed.*/
ipv4-access-list test
2/2 (showed/total)
10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
20 permit any
R2(config)#show ipv4-access-lists brief name test

No. ACL RuleSum
------------------------------------------------------
1 test 2
Method 3: Run the show ipv4-access-lists to view the configured ACL, which is displayed
as follows:
R2(config)#show ipv4-access-lists
/*View all ACLs configured on the device. The mode is to view detail information.*/
ipv4-access-list test
2/2 (showed/total)
10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
20 permit any
5-6

Chapter 6
Prefix-List Configuration
Table of Contents
Prefix-List Overview ...................................................................................................6-1
Configuring a Prefix-List .............................................................................................6-2
Maintaining a Prefix-List .............................................................................................6-4
Prefix-List Configuration Examples.............................................................................6-4
6.1 Prefix-List Overview

After the prefix-list is used in a service, the matched prefixes are mapped to actions in the
service in accordance with the corresponding permit/deny action. In this way, the actions
taken by this prefix can be controlled, which provides necessary security guarantee for the
network.
The following services can invoke a prefix-list.
l IP multicast
l Open Shortest Path First (OSPF)
l Intermediate System-to-Intermediate System (IS-IS)
l Border Gateway Protocol (BGP)
A prefix-list is a list that filters packets in accordance with route prefixes. A prefix-list
consists of a filter list and rules in the filter list.
l Filter list
A filter list is described by a name. In the system, several filter lists can be configured.
l Rule
A rule consists of a sequence number, a result (permit/deny), and the rule information
(that is, a network segment specified by an address and a mask range).
The name of a filter list can be configured through the related command. In a filter list,
several rules can be configured.
l The rules are ordered. When matching a prefix-list, a packet starts matching the rules
in accordance with the sequence. Once it matches a rule, the matching procedure
ends and the result (permit/deny) of this rule is returned.
l If two rules in a filter list have an intersection, the flows in the intersection only match
the rule that is configured first.
6-1

6.2 Configuring a Prefix-List

Configuring a Prefix-List
To configure a prefix-list on the ZXR10 M6000, run the following command:
Command Function
ZXR10(config)#ip prefix-list <prefix-list-name>{[seq <seq-number>]{deny Configures a prefix-list.

| permit}<network-num><len>[ge <value>][le <value>]| description
<LINE>}
Parameter descriptions are as follows:
<prefix-list-name> The prefix-list name consisting of at most 31 characters.
seq <seq-number> The sequence number of a prefix-list. Range: 1-4294967294
<network-num> An IP address in V4 format.
<len> The mask length. Range: 0-32
permit If an IP address to be filtered is in the prefix range of this list,

the address passes the filter and does not continue the following
matching. If the IP address is not in the prefix range of this list, the
IP address continues the following matching.
deny If an IP address to be filtered is in the prefix range of this list, the

address does not pass the filter and does not continue the following
matching. If the IP address is not in the prefix range of this list, the
IP address continues the following matching.
ge <value> After the matching range of the IP address prefix is specified, the
matching address prefix length needs to be greater than or equal to
this value. Range: 0-32.
le <value> After the matching range of the IP address prefix is specified, the
matching address prefix length needs to be less than or equal to this
value. Range: 0-32.
description <LINE> Description of a prefix-list. Range: 79 characters at most.
Configuring a Prefix-List Called by IP Multicast

To configure a prefix-list called by the IP multicast service to advertise a candidate
Rendezvous Point (RP) on ZXR10 M6000, perform the following steps:
1 ZXR10(config)#ip multicast-routing Enters IP multicast configuration mode.
2 ZXR10(config-mcast)#router pimsm Enables Protocol Independent Multicast -

Sparse Mode (PIM-SM).
6-2

Chapter 6 Prefix-List Configuration
3 ZXR10(config-pimsm)#rp-candidate <interface-name>[group Sets the router as a candidate RP.

-list <prefix-list-name>][priority <priority>] The priority range of a candidate RP is
0-255.
To configure a prefix-list called by the IP multicast service to advertise a static RP on the

ZXR10 M6000, perform the following steps:
1 ZXR10(config)#ip multicast-routing Enters IP multicast configuration mode.
2 ZXR10(config-mcast)#router pimsm Enables PIM-SM.
3 ZXR10(config-pimsm)#static-rp <ip-address>[group-list Configures a static RP address.

<prefix-list-name>][priority <priority>] The priority of a static RP is 0-255, and the
default value is 192.
Configuring a Prefix-List Called by OSPF

To configure a prefix-list called by the OSPF service to control routes on the ZXR10 M6000,
perform the following steps:
1 ZXR10(config-ospfv2)#distribute-list prefix Controls the routes whose prefixes match

<prefix-list-name> in the prefix-list (the routes whose prefixes do
not match the prefix-list will be denied).
The in command in the distribute-list
command is used for filtering OSPF routes.
2 ZXR10(config-ospfv2)#distribute-list prefix Controls the routes whose prefixes match

<prefix-list-name> out the prefix-list (the routes whose prefixes do
not match the prefix-list will be denied).
The out keyword in the distribute-list
command is used for controlling external
routes that are imported to an OSPF
area after Type 5 and Type 7 Link State
Advertisements (LSAs) are generated.
This is a supplement to the redistribute
command.
3 ZXR10(config-ospfv2)#distribute-list prefix Controls the OSPF routes whose prefixes

<prefix-list-name> gateway <prefix-list-name> in and gateways match the prefix-lists
respectively in the ingress.
Parameter description is as follows:
6-3

in | out In: The prefix-list is used for filtering routes.

Out: The Prefix-lists are supplements to redistribution.
Configuring a Prefix-List Called by BGP

To configure a prefix-list called by the BGP service on the ZXR10 M6000, perform the
following steps:
1 ZXR10(config)#router bgp <as-number> Configures a BGP example.
2 ZXR10(config-bgp)#neighbor {<ipv4-address>|<peer Applies a prefix-list to BGP in the ingress/egress.

-group-name>} prefix-list <prefix-list name>{in | out}
<ipv4-address> The IPv4 address of a neighbor in the dotted decimal notation.
<peer-group-name> Peer-group name.
in | out Applying the prefix-list for input routes or output routes.
Configuring a Prefix-List Called by a Route-Map

To configure a prefix-list called by a route-map on the ZXR10 M6000, run the following
command:
Command Function
ZXR10(config-route-map)#match ip address prefix-list Configures a prefix-list in a route-map. The name

<prefix-list-name> of the prefix-list consists of at most 31 characters.
6.3 Maintaining a Prefix-List

To maintain a prefix-list on the ZXR10 M6000, run the following command:
Command Function
ZXR10#show ip prefix-list [{<detail>|<summary>}][<prefix-list-nam Displays the information related to the IP

e>] address filter lists.
6.4 Prefix-List Configuration Examples

This section describes the following information:
l Prefix-list configuration example
6-4

l Prefix-list called by services (IP multicast, OSPF and BGP)

l Prefix-list called by a route-map
6.4.1 Prefix-List Configuration Example

l In this example, configure a prefix-list named test. The prefix-list permits the route
prefixes 192.168.120.0/24 and 192.168.110.1/32, and permits the route prefixes that
are in the 192.168.100.0 network segment and whose mask length is in the range of
24-32.
l The configuration effect is: When a service calls this prefix-list, the route prefixes
that match 192.168.120.0/24 and 192.168.110.1/32 can pass, and the prefixes whose
mask lengths are between 24 bits and 32 bits and whose 24 high-order bits match
192.168.100.0 can pass. Other route prefixes are denied.
l Use the default sequence. The default sequence ID starts from 5 and increments by
5.
Configuration Flow
Configure the prefix-list rules one by one.
Run the following commands in turn to configure the prefix-list rules.
R2(config)#ip prefix-list test permit 192.168.120.1 24
R2(config)#ip prefix-list test permit 192.168.110.1 32
R2(config)#ip prefix-list test permit 192.168.100.0 24 le 32
R2(config)#exit
Run the show running-config prefix-list command to check the configuration result of the
prefix-list, which is displayed as follows:
R2(config)#show running-config prefix-list
! <PFL>
ip prefix-list test seq 5 permit 192.168.120.0 24
!
ip prefix-list test seq 10 permit 192.168.110.1 32
!
ip prefix-list test seq 15 permit 192.168.100.0 24 le 32
! </PFL>
R2(config)#
6-5

6.4.2 Prefix-List Called by IP Multicast

Internet Group Management Protocol (IGMP) group is added to R2 , and IP multicast
source is added to R1. It is required to configure a Bootstrap Router (BSR), and a group-list
named zte for a candidate RP and a static RP. “zte” is the name of a prefix-list. The group
range is 225.0.0.0/24, see Figure 6-1.
Figure 6-1 Prefix-List Called by IP Multicast
Configuration Flow
1. Configure related interfaces.
2. Enter IP multicast configuration mode.
3. Enter PIM-SM configuration mode.
4. Set the loopback5 interface to a BSR on R2 and configure a candidate RP whose
group range is 225.0.0.0/24.
5. Configure a static RP whose address is 199.1.1.1 and group range is 225.0.0.0/24,
and configure static-rp override.
6. Enter interface configuration mode and enable PIM-SM.
7. Configure a unicast route to the RP on R1, and configure a unicast route to the IP
multicast source on R2. (In this example, the static route is used as the unicast route.
You can also successfully ping the route through the IGP.)
R1(config)#interface gei-0/2/0/3
R1(config-if)#no shutdown
R1(config-if)#ip address 199.1.1.1 255.255.255.0
R1(config-if)#exit
6-6


R1(config-if)#exit
R1(config)#ip multicast-routing
R1(config-mcast)#router pimsm
R1(config-pimsm)#interface gei-0/2/0/3
R1(config-pimsm-if)#pimsm
R1(config-pimsm-if)#exit
R1(config-pimsm-if)#dr-priority 20
R1(config-pimsm)#exit
R1(config-mcast)#exit
R1(config)#ip route 5.5.5.35 255.255.255.255 199.1.1.2

R2(config)#ip prefix-list zte permit 225.0.0.0 24
R2(config-if)#exit
R2(config-if)#exit
R2(config)#interface loopback5
R2(config-if)#exit
R2(config)#ip multicast-routing
R2(config-mcast)#router pimsm
R2(config-pimsm)#bsr-candidate loopback5
R2(config-pimsm)#rp-candidate loopback5 group-list zte
R2(config-pimsm)#static-rp 199.1.1.1 group-list zte
R2(config-pimsm)#static-rp override
R2(config-pimsm-if)#dr-priority 20
R2(config-pimsm)#exit
R2(config-mcast)#exit
R2(config)#ip route 33.1.1.0 255.255.255.0 199.1.1.1
6-7

Run the show ip pimsm rp mapping command on R1 to check the RP information, which
is displayed as follows:
R1(config)#show ip pimsm rp mapping
Group(s): 225.0.0.0/24(SM)
RP: 5.5.5.35, v2, Priority:192
BSR: 5.5.5.35, via bootstrap
Uptime: 00:06:47, expires: 00:01:43
Group(s): 0.0.0.0/0(NOUSED)
R1(config)#show ip pimsm rp hash 225.0.0.1

RP address: 5.5.5.35
R1(config)#
Run the show ip pimsm rp mapping command on R2 to check the RP information, which
R2(config)#show ip pimsm rp mapping
Static RP is overriding in group-set!
Group(s): 225.0.0.0/24(SM)
RP: 199.1.1.1, Static, Priority:192
RP: 5.5.5.35, v2, Priority:192
BSR: 5.5.5.35, via bootstrap
Uptime: 00:07:51, expires: 00:02:25
Group(s): 0.0.0.0/0(NOUSED)
R2(config)#
R2(config)#show ip pimsm rp hash 225.0.0.1
Static RP is overriding in group-set!
RP address: 199.1.1.1
6.4.3 Prefix-List Called by OSPF

1. In ospfv2 configuration mode, configure distribute-list with a prefix to filter ospfv2
routes whose next hops match the prefix-list.
l Run the distribute-list prefix-list <prefix-list-name> in command to filter OSPF
routes.
l Run the distribute-list prefix-list <prefix-list-name> out command to control the
external routes that are imported to an OSPF area after Type 5 and Type 7 LSAs
are generated. This is a supplement to the redistribute command.
l If the distribute-list command is not run, routes are not filtered and the external
LSAs imported are not controlled.
6-8

2. Pay attention when filtering routes by running the in command. Considering the
relevance of OSPF routes, the following is suggested.
l It is better not to filter routes corresponding to Type 2 LSAs. Otherwise, the net-
work topology will not be complete.
l When a Type 3 route is allowed to be imported, make sure that the corresponding
Area Border Router (ABR) route exists. If the route does not exist, set “permit” for
the corresponding route in the template configuration.
l When a Type 5 route is allowed to be imported, make sure that the “forwarding
address route” exists. If the route does not exist, set “permit” for the corresponding
route in the template configuration.
3. When the called prefix-list does not exist, the calling effect is just equal to “permit any”.
4. At the end of a prefix-list that is not null, there is a default rule deny all. That is to say,
the prefixes that are not configured to be permitted will be denied. Therefore, to deny
some routes, configure the permit all command to permit prefixes of other routes.
Configuration Flow
1. Configure a prefix-list template to deny the OSPF routes whose prefixes are
23.2.2.0/24 and permit other routes.
2. In the OSPFv2 distribute-list, call the prefix-list.
1. Run the following commands to configure a prefix-list to filter the routes whose prefixes
are 23.2.2.0/24 in the following routing table.
ZXR10(config-ospfv2)#show ip forwarding route ospf
IPv4 Routing Table:
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*>1.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>11.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>12.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
*>16.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>23.2.2.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
*>26.1.3.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>100.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
ZXR10(config)#ip prefix-list zte deny 23.2.2.0 24

ZXR10(config)#ip prefix-list zte permit 0.0.0.0 0 le 32
/*This command accomplishes "permit any".*/
2. In the route advertisement filter, run the following commands to use the distribute-list
to call the prefix-list.
ZXR10(config)#router ospf 1
ZXR10(config-ospfv2)#distribute-list prefix zte in
/*If it is applied to the outbound distribution direction, it is necessary to
configure the redistribute command first.*/
6-9

ZXR10(config-ospfv2)#exit
Run the show ip forwarding route ospf command to view the filtered routing table to check
whether the routes are filtered successfully, which is displayed as follows:
ZXR10(config-ospfv2)#show ip forwarding route ospf
IPv4 Routing Table:
*>1.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>11.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>12.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
*>16.1.1.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>26.1.3.0/24 26.1.1.22 gei-0/1/0/1 ospf 110 101
*>100.1.1.0/24 23.1.1.22 gei-0/1/0/3 ospf 110 20
6.4.4 Prefix-List Called by BGP

The networks 192.1.1.0/24 and 10.12.0.0/24 are connected to Router A. The BGP neighbor
relationship is established between Router A and Router B. Router B hopes to learn the
route from the 20.0.0.0/8 network only, see Figure 6-2.
The route learning can be controlled by configuring a prefix-list, that is, permitting Router
A to advertise the route of the 192.1.1.0/24 network to Router B and not to advertise the
route of the 10.12.0.0/24 network.
Figure 6-2 Prefix-List Called by BGP
Configuration Flow
1. Establish the BGP neighbors between Router A and Router B.
2. Import two routes to BGP on Router A.
3. Configure a prefix-list on Router A to permit route M and deny route N.
4. Use the prefix-list to filter the routes advertised to Router B in BGP on Router A.
5. The configuration result is: When Router A advertises BGP routes to Router B, route
M is advertised and route N is not advertised. In the routing table on Router B, there
is route M and there is not route N.
6-10

1. Run the following commands to establish the BGP neighbors between Router A and
Router B (omitted).
2. Run the following commands to import routes to Router A.
a. In this example, run the network command to advertise the routes on Router A.
Before advertising routers, run the following command to view routers on Router
A, which is displayed as follows:
RouterA(config)#show ip forwarding route
IPv4 Routing Table:
*> 1.1.1.1/32 100.1.3.1 gei-0/0/0/2 static 1 0
*> 10.12.0.0/24 10.12.0.1 gei-0/0/0/10 direct 0 0
*> 10.12.0.1/32 10.12.0.1 gei-0/0/0/10 address 0 0
*> 100.1.3.0/24 100.1.3.2 gei-0/0/0/2 direct 0 0
*> 100.1.3.2/32 100.1.3.2 gei-0/0/0/2 address 0 0
*> 100.1.31.0/24 100.1.31.1 smartgroup30.10 direct 0 0
*> 100.1.31.1/32 100.1.31.1 smartgroup30.10 address 0 0
*> 100.10.1.0/24 100.10.1.1 gei-0/0/1/4 direct 0 0
*> 100.10.1.1/32 100.10.1.1 gei-0/0/1/4 address 0 0
*> 100.10.2.0/24 100.10.2.1 gei-0/0/1/4.1 direct 0 0
*> 100.10.2.1/32 100.10.2.1 gei-0/0/1/4.1 address 0 0
*> 100.10.2.2/32 100.10.2.2 gei-0/0/1/4.1 static 1 0
*> 100.20.1.0/24 100.20.1.1 gei-0/0/0/7 direct 0 0
*> 100.20.1.1/32 100.20.1.1 gei-0/0/0/7 address 0 0
*> 192.1.1.0/24 192.1.1.1 gei-0/0/0/9 direct 0 0
*> 192.1.1.1/32 192.1.1.1 gei-0/0/0/9 address 0 0
b. Run the following commands to advertise the routes to the destination 1.1.1.1/32,
10.12.0.0/24, and 192.1.1.0/24 on RouteA..
RouterA(config)#router bgp 1
RouterA(config-bgp)#network 1.1.1.1 255.255.255.255
RouterA(config-bgp)#exit
c. Run the following commands to view the configuration result on Router A.

RouterA(config)#show running-config bgp
! <BGP>
router bgp 1
network 1.1.1.1 255.255.255.255
network 192.1.1.0 255.255.255.0
network 10.12.0.0 255.255.255.0
neighbor 100.10.1.2 remote-as 2
neighbor 100.10.1.2 activate
6-11

! </BGP>
d. Run the following commands to view the route advertisement result on Router A.
RouterA(config)#show ip bgp route
Status codes: *-valid, >-best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
Dest NextHop Metric LocPrf RtPrf Path
*> 1.1.1.1/32 1.1.1.1 0 0 i
*> 10.12.0.0/24 10.12.0.1 0 0 i
*> 192.1.1.0/24 192.1.1.1 0 0 i
e. Run the following commands to view the BGP route learning on Router B.
RouterB(config)#show ip forwarding route bgp
IPv4 Routing Table:
*> 1.1.1.1/32 100.10.1.1 gei-0/5/1/7 bgp 20 0
*> 10.12.0.0/24 100.10.1.1 gei-0/5/1/7 bgp 20 0
*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7 bgp 20 0
3. Run the following commands to configure a prefix-list on Router A and permit some
routes imported in Step 2.
RouterA(config)#ip prefix-list zte permit 192.1.1.0 24
RouterA(config)#show running-config prefix-list
! <PFL>
ip prefix-list zte seq 5 permit 192.1.1.0 24
! </PFL>
4. Run the following commands to use the prefix-list to filter routes advertised to Router
B in BGP on Router A.
a. Use the prefix-list zte to advertise routes to Router B.
RouterA(config)#router bgp 1
RouterA(config-bgp)#neighbor 100.10.1.2 prefix-list zte out
RouterA(config-bgp)#exit
b. Run the following commands to view the configuration result on Router A.

RouterA(config)#show running-config bgp
! <BGP>
router bgp 1
network 1.1.1.1 255.255.255.255
network 192.1.1.0 255.255.255.0
network 10.12.0.0 255.255.255.0
neighbor 100.10.1.2 prefix-list zte out
! </BGP>
5. Run the following commands to check the routes learnt on Router B.

RouterB(config)#show ip forwarding route bgp
6-12

IPv4 Routing Table:

*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7 bgp 20 0
Run the following commands to view the prefix-list configuration and BGP configuration
on Router A, which are displayed as follows:
RouterA#show running-config prefix-list
! <PFL>
ip prefix-list zte seq 5 permit 192.1.1.0 24
! </PFL>
ZXR10#show running-config bgp

! <BGP>
router bgp 1
network 1.1.1.1 255.255.255.255
network 192.1.1.0 255.255.255.0
network 10.12.0.0 255.255.255.0
neighbor 100.10.1.2 prefix-list zte out
! </BGP>
Run the following command to view the BGP configuration on Router B, which is displayed
as follows:
RouterB#show running-config bgp

! <BGP>
router bgp 2
! </BGP>
Run the following command to view the BGP route advertisement result on Router A, which
RouterA#show ip bgp route

*> 1.1.1.1/32 1.1.1.1 0 0 i
*> 10.12.0.0/24 10.12.0.1 0 0 i
*> 192.1.1.0/24 192.1.1.1 0 0 i
Run the following commands to view the BGP route learning on Router B, which is
6-13

RouterB#show ip bgp summary

Neighbor Ver As MsgRcvd MsgSend Up/Down State/Pfx Rcd
100.10.1.1 4 1 125 120 01:00:13 1
RouterB#show ip bgp route

*> 192.1.1.0/24 100.10.1.1 20 1 i
On Router B, run the show ip forwarding route bgp command to check the BGP routes in
the forwarding table. The information shows that there is only one route (192.1.1.0/24)
that is learnt from Router A and permitted by the prefix-list.
RouterB#show ip forwarding route bgp
IPv4 Routing Table:
*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7bgp 20 0
6.4.5 Prefix-List Called by a Route-Map

Similar to a prefix-list, a route-map is also a type of template. In some applications,
the prefix-lists are not called directly. Instead, the prefix-lists are called through the
route-maps, and then the route-maps are called by the services.
For example, in IS-IS redistribution, a prefix-list is not associated directly. Prefix-list

matching of address prefixes are performed through a route-map. (This type of IS-IS call
will be described in Chapter 7.)
Configuration Flow
1. Configure a prefix-list.
2. Match the prefix-list in a route-map.
1. Run the following command to create an IP prefix-list.
ZXR10(config)#ip prefix-list zte permit 192.168.100.0 24
2. Run the following commands to configure a route-map and call the prefix-list.
ZXR10(config)#route-map zte1
ZXR10(config-route-map)#match ip address prefix-list zte
ZXR10(config-route-map)#exit
6-14

Run the show ip prefix-list <prefix-list-name> command to check whether the prefix-list is
configured correctly, which is displayed as follows:
ZXR10(config)#show ip prefix-list zte
ip prefix-list zte :
seq 5 permit 192.168.100.0 24
Run the show route-map <route-map-name> command to check whether the route-map is
configured correctly, which is displayed as follows:
ZXR10(config)#show route-map zte1
[route-map zte1] IP type: IPv4
route-map zte1 permit 10
match ip address prefix-list zte
6-15

6-16

Chapter 7
ROUTE-MAP Policy
Configuration
Table of Contents
Route-Map Overview..................................................................................................7-1
Routing Policy Configuration ......................................................................................7-2
Policy Routing Configuration ....................................................................................7-31
7.1 Route-Map Overview

Route-Map Introduction
The Route-Map is a powerful filter and modifier. As a policy template, the Route-Map is
widely used in policy routing and routing policy.
l When the Route-Map is applied to an interface and specifies the routes for the
specified incoming traffic of the interface, it is called policy routing.
l When the Route-Map is applied to route protocols, and interrupts generation, release
and selection of the routes to optimize route tables, it is called routing policy.
As a policy template, the Route-Map is unavailable unless applied to the interface as policy
routing or applied to the routing protocol as routing policy.
Route-Map Features
A Route-Map consists of one or more sequences, and the attributes of each sequence
can be flexibly set to permit or deny. The internal configuration of each sequence can be
divided into match item and set item.
l As a filter, the match item makes the Route-Map effective only to objects of specified
types.
l As a modifier, the set item performs specified operation on eligible objects to achieve
policy target.
After being called, the Route-Map will match the match item in accordance with the
sequence IDs in descending order, and perform the specified set operation of the
sequence where it matches the match item.
For the sequence of the Permit attribute, the Route-Map performs operation on the objects
which comply with the match condition in accordance with the policy, and search for the
next sequence if no one can be matched. For the sequence of the Deny attribute, the
7-1

Route-Map does not perform any operation on the matched objects, and searches for the
next sequence if no object is matched.
The routing policy and policy routing differ in:
l When the Route-Map is applied to an interface, it is called policy routing. The policy
routing provides packet transferring policy. The matched objects are packets. The
match item filters the objects based on the featured fields of the packets, and specifies
the set operation on these objects. The set operation is divided into routing item which
is used to change transferring path and packet modification item which is used to
modify the features for filtered packets.
l When the Route-Map is applied to protocols, it is called routing policy. The routing
policy provides routing release policy. The match item filters out routes based on
their features, and provides policies for these filtered routes. Note that the called
Route-Map configuration command has contained an operation, such as distribute
and leak commands. The distribute and leak operations in these commands are
called default operations. When performing the set operation on the objects matched
successfully, these default operations will also be performed.
7.2 Routing Policy Configuration

7.2.1 Routing Policy Overview
Routing Policy Introduction
A routing policy refers to the policy of routing release and routing receipt.
The selection routing policy is a type of routing policy. Although they have the same
network architecture, different routing protocols generate different route tables because
of different implementation mechanisms, different cost calculation principles, and different
priority definitions.
The common routing policy refers to the policy that affects routing generation, routing
release, and routing selection by modifying some parameters or setting some control
methods based on some principles.
When applied to the routing policy, the Route-Map filters the notification or sets the routing
attributes of the matched routes. The M6000 device supports the following routes which
use routing policy:
l RIP
l OSPF
l ISIS
l BGP
l VRF
7-2

Chapter 7 ROUTE-MAP Policy Configuration
RIP Routing Policy

The RIP is a routing protocol based on the distance vector algorithm. The RIP redistribution
imports the routes generated by other protocols into the RIP routing domain, and then
notifies its neighbors about the import. This redistribution method is also available when
the router needs to import the routes of other protocols. The routing policy name in the
redistribution can be specified.
There are two types of route-map: permit and deny.
l Permit: If the match item is found, the router will redistribute the route, and perform
operations set in the configuration command. If the match item is not found, the router
does not redistribute the route and perform operations set.
l deny: If the match item is found, the router only performs operations set in the
configuration command instead of route redistribution. If the match item is not found,
the router will neither perform route redistribution nor perform operations set in the
configuration command.
After configuring the redistribution function for RIP, you should check the routes to be
redistributed and check whether this route is available and has a priority. If so, follow the
route-map routing policy principles set in the redistribution command, and match related
rules. If the route satisfies the policy rules, import it into local RIP routing table and
make related adjustment. If the route does not satisfy the policy rules, import the route
information. For example, if the imported routing metric set in the policy rule is 10, the
route metric in the local RIP routing table will be set to 10 and advertised to its neighbor.
After receiving route information, the neighbor will add it to local RIP routing table.
ISIS Routing Policy

l ISIS Redistribution
A router can run the ISIS protocol and other routing protocols simultaneously, such as
RIP and OSPF protocols. Each routing protocol generates different routes. The ISIS
protocol can obtain routes of other protocols after redistribution.
The route policy can be configured during redistribution. This route policy is used to
filter or set the routing during redistribution. For example, if match ip metric is set
to 10 in the Route-Map module configuration, the ISIS redistribution module will filter
the route whose metric value is 10. If the set ip metric 20 command is configured in
the Route-Map, the ISIS will set metric on these routes after importing other protocol
routes.
l ISIS Routing Leakage

If connecting to other areas, the L1/L2 router will set ATT bit in L1 LSP to inform the
L1 router in the local area about an egress. The L1 router in the local area selects
an L2 router where ATT bit is set to be the default egress, and then a default route is
generated.
The L1 router selects the nearest L1/L2 router as the egress, but this nearest route
is not the optimized route. In this case, the concept of suboptimum route and
7-3

routing penetration is introduced. To avoid the suboptimum route, you can import
route information of the backbone area to the common level-1 area to ensure that
the common area also has route information of the entire IS-IS route domain. For
example, the match ip metric value is set to 10 on the Route-Map module, the ISIS
redistribution module will filter the route whose metric value is 10.
OSPF Routing Policy

A router can run the OSPF protocol and other routing protocols simultaneously, such as
RIP, BGP, and IS-IS protocols. Each routing protocol generates different routes. The OSPF
protocol can obtain routes of other protocols after redistribution.
A routing policy can be configured to filter or set the routes during redistribution. For
example, if the match ip tag 1 command is configured in the Route-Map, routes with tag
value of 1 are filtered. If the set ip tag 4 command is also configured in the Route-Map, the
OSPF protocol imports routes of other protocols and sets tags of these routes.
BGP Routing Policy

A router can run the BGP protocol and other routing protocols simultaneously, such as
RIP, OSPF, and ISIS protocols. Each routing protocol generates different routes. The
BGP protocol can obtain other protocol routes after redistribution.
The route policy is configured during redistribution. The route policy is used to filter or
set the routing during redistribution. For example, if match ip metric is set to 10 in the
Route-Map module configuration, the BGP redistribution module will filter the route whose
metric value is 10. If set ip metric 20 is set on this Route-Map module, the BGP will set
metric on this route after importing other protocol routes.
VRF Routing Policy

The VRF routing policy can be implemented by the following steps:
1. Define the features for routing where the routing policy will be carried out, which means
to define a group of match principles. You can set the principles based on varied
attributes in routing information, such as destination address, and the router address
which releases routing information.
2. Apply the match principles to the routing policy, such as route release, route receipt,
and route distribution.
7.2.2 Configuring Routing Policies

Configuring a Basic Routing Policy
To configure a basic routing policy on the ZXR10 M6000, perform the following steps:
7-4

1 ZXR10(config)#route-map <route-map-name>[permit|deny][<s Creates a route-map for the routing policy

equence-number>] and enters routing mapping configuration
mode.
2 ZXR10(config-route-map)#match ip address Configures the match item in routing

*(<access-list-name>) mapping configuration mode, and the
destination network segment / destination
address for the IPv4 routing item, and
selects ACL for matching.
ZXR10(config-route-map)#match ip address prefix-list Configures the match item in routing

*(<prefix-list-name>) mapping configuration mode, and the
destination network segment / destination
address for the IPv4 routing item, and
selects prefix-list for matching.
ZXR10(config-route-map)#match ip metric *(<metric-value>) Matches the metric value of routes. You

can match several values.
ZXR10(config-route-map)#match ip tag *(<tag-value>) Matches the tag value of the routes. The
OSPF route carries this attribute. You can
configure several values as required.
ZXR10(config-route-map)#match as-path *(<as-path-list-nu Matches the as-path attributes of the GP

mber>) protocol route. You can configure several
values as required.
ZXR10(config-route-map)#match community-list Matches the community attributes of the

*(<community-list-number>) BGP protocol route. You can configure
several values as required.
ZXR10(config-route-map)#match extcommunity-list Matches the extcommunity attributes of

*(<community-list-number>) the BGP/VPN protocol route. You can
configure several values as required.
ZXR10(config-route-map)#match route-type {external [type-1 Matches the route type.

| type-2]|internal|level-1|level-2|local}
3 ZXR10(config-route-map)#set as-path prepend *(<as Configures the route attributes of the

number>) routing policy. Sets the configuration type
to as-path which is the particular attribute
of the BGP protocol. You can configure
several values as required.
ZXR10(config-route-map)#set community {none | Sets the group attribute. The setting is

additive*{no-advertise | no-export | no-export-subconfed | exclusive to the BGP protocol.
internet |<0-65535>:<0-65535>|<1-4294967295>})}
7-5

ZXR10(config-route-map)#set extcommunity rt-trans Sets the extended group attribute. The

{{remove | additive *{<0-65535>:<0-4294967295>|<1-65535>.<0- setting is exclusive to the BGP protocol.
65535>:<0-65535>| A.B.C.D:<0-65535>}}|{<0-65535>:<0-429496
7295>|<1-65535>.<0-65535>:<0-65535>| A.B.C.D:<0-65535>})}
ZXR10(config-route-map)#set extcommulity soo-trans Sets the extended group attribute. The

{<0-65535>:<0-4294967295>|<1-65535>.<0-65535>:<0-65535>| setting is exclusive to the BGP protocol.
A.B.C.D:<0-65535>| remove}
ZXR10(config-route-map)#set dampening <half-life><reuse Sets the dampening attribute of the route.

><suppress><max-suppress-time> The setting is exclusive to the BGP
protocol.
ZXR10(config-route-map)#set local-preference <value> Sets the local-preference attribute of the

route. The setting is exclusive to the BGP
protocol.
ZXR10(config-route-map)#set origin {igp|egp |incomplete } Sets the route source attribute. The
setting is exclusive to the BGP protocol.
ZXR10(config-route-map)#set level <level-value> Sets the ISIS routing attribute. It is used

by the ISIS protocol.
ZXR10(config-route-map)#set next-hop <ip-address>[…<ip Sets the next hop router in the routing
-address>] policy.
ZXR10(config-route-map)#set ip metric [+|-]<metric-value> Sets the metric value of the route.
ZXR10(config-route-map)#set ip metric-type {internal Sets the metric type for the route selection
|external |type-1 |type-2 } protocol.
ZXR10(config-route-map)#set ip tag <tag-value> Sets the attributes of the OSPF route.
<route-map-name> The name of the route mapping. Length: 1-31 characters.
permit | deny There are one or more sequences in a Route-Map. The sequence
attribute can be set to permit or deny flexibly. Permit means to
perform routing policy after matching, and deny means to perform no
operations regardless of the match result.
<sequence-number> The sequence ID of the Route-Map. Each Route-Map supports one

or more sequences. All routes are matched in accordance with the
sequence ID in an ascending order. Once the route is matched,
determine whether to perform the routing policy in accordance with
its sequence attribute.
7-6

<access-list-name> Sets the match type to ipv4-access-list, and matches the route to
the ACL.
prefix-list <prefix-list-name> Sets the match type to prefix-list, and matches the route to the prefix
list.
ip metric *(<metric-value>) Sets the match type to ip metric. You can match several routes as
required. Range: 0-4294967295.
ip tag *(<tag-value>) Sets the match type to ip metric. You can match several routes as
as-path *(<as-path-list-number>) Sets the match type to as-path. You can match several routes as
community-list *(<community-list-number>) Sets the match type to community-list. You can match several routes
as required. Range: 1-499.
extcommunity-list *(<community-list-number Sets the match type to extcommunity-list. You can match several
>) routes as required. Range: 1-500.
route-type {external [type-1|type-2]|internal Sets the match type to route-type, and selects the routing type as
|level-1|level-2|local} required. You can configure several match items of this type rather
than configure several routes.
<half-life> Changes the half period for routing damping sectors. Range: 1-45.
<reuse> Changes the reuse value for the routing damping sectors. Range:
1-20000.
<suppress> Changes the routing suppress value for the routing damping sectors.
Range: 1-20000.
<max-suppress-time> Changes the maximum routing suppress value for the routing
damping sectors. The penalty value will not increase once the routing
suppress time expires. Range: 1-255.
Configuring the RIP Invoking Routing Policy

To redistribute the routes to the RIP route domain from other route domains, perform the
following steps:
1 ZXR10(config)#router rip Enters RIP configuration mode.
2 ZXR10(config-rip)#redistribute <protocol>[process-id][metric Redistributes the routes to the RIP

<metric-value>][route-map <route-map-name>] domain from other routing protocols.
7-7

[process-id] You should set instance IDs when redistributing the OSPF or the
ISIS routes.
OSPF range: 1-65535
ISIS range: 0-65535
The ISIS value is 0 by default.
<protocol> The source routing protocols for routing redistribution. The keywords
can be : ospf-ext, ospf-int, static, bgp-ext, bgp-int, connected,
isis-1, isis-2, isis-1-2, nat, natpt, ps-busi-addr, ps-user-addr,
subscriber-aggregation, subscriber-host, user-special.
metric <metric-value>> Specifies the route metric when this route is redistributed from OSPF
route to RIP route. Range: 1-16.
route-map <route-map> The name for the redistributed routing mapping. Length: 1-31
characters. The RIP implements the route policy by using the
Routing-Map routing policy in the redistribution command.
Configuring the ISIS Invoking Routing Policy

l ISIS Redistribution Configuration
To configure the ISIS redistribution on the ZXR10 M6000, perform the following steps:
1 ZXR10(config)#router isis [process-id][vrf <vrf-name>] Enters ISIS route configuration

mode.
2 ZXR10(config-isis)#redistribute <protocol>[ level-1 ][ Configures the redistribution in ISIS

level-1-2 ][ level-2 ][metric-type <metric-type>][metric route mode.
<metric-value>][route-map <route-map-name>]
<protocol> Sets the routing source, such as connect, static, rip, isis <process-id>,
ospf <process-id>, bgp, nat, pat, ps-busi-addr, ps-user-addr, sl-nat64-ipv4,
subscriber-aggregation, subscriber-host and user-special. The routing source is
mandatory. You must specify corresponding instance ID if you want to redistribute
ISIS or OSPF route.
level-1 Routers are redistributed to the level-1 area.
level-1-2 Routers are redistributed to the level-1 and level-2 areas.
level-2 Routers are redistributed to the level-2 area.
<metric-type> Sets the metric value (interface or external) carried by the redistributed route.
7-8

<metric-value> The metric value. Range: 0-4261412864.
route-map <route-map-name> A redistributed route-map.
l ISIS Routing Leakage Configuration

To configure the ISIS route leakage on the ZXR10 M6000, perform the following steps:
1 ZXR10(config)#router isis [process-id][vrf <vrf-name>] Enters ISIS route configuration

mode.
2 ZXR10(config-isis)#router-leak level-2 into level-1 route-map Configures the redistribution leakage

<route-map-name> in ISIS route mode.
Configuring the OSPF Invoking Routing Policy

To configure the OSPF routing policy on the ZXR10 M6000, perform the following steps:
1 ZXR10(config)#router ospf [process-id][vrf <vrf-name>] Enters OSPF route configuration

mode.
2 ZXR10(config-ospfv2)#redistribute <protocol>[metric-type <metri Configures the redistribution to route

c-type>][metric <metric-value>][route-map <route-map-name>][tag < other protocol types to OSPF.
tag-value>]
<protocol> Protocol type. For OSPF or IS-IS, the instance number is required.
<metric-type> Sets whether the redistributed route carries external metric or internal
metric.
<metric-value> Metric value. Range: 0–4261412864.
route-map <route-map-name> Refers to a route-map.
<tag-value> Tag value. Range: 0–4294967295.
Configuring the BGP Invoking Routing Policy

l Route Redistribution Configuration
To configure the route redistribution on the ZXR10 M6000, perform the following steps:
1 ZXR10(config)#router bgp {<1~65535>|<1~65535>.<0~65535>} Enters BGP route configuration

mode.
7-9

2 ZXR10(config-bgp)#redistribute <protocol>[route-map Configures the redistribution to route

<route-map-name>[metric <metric-value>]] other protocol types to the BGP.
<protocol> The protocol type. The instance ID is required for OSPF and ISIS.
<route-map-name> The route mapping name. Length: 1-31 characters.
l Dampening Configuration of BGP Route

To configure the dampening of the BGP routes on the ZXR10 M6000, perform the
following steps:
1 ZXR10(config)#router bgp {<1~65535>|<1~65535>. Enters BGP route configuration mode.

<0~65535>}
2 ZXR10(config-bgp)#bgp dampening [ route-map < Enables the BGP routing dampening, or modifies
route-map-name >] the BGP routing dampening sectors.
l Route Aggregation Configuration

Configure the route aggregation by the following commands:
1 ZXR10(config)#router bgp {<1~65535>|<1~65535>.<0 Enters BGP route configuration mode.

~65535>}
2 ZXR10(config-bgp)#address-family ipv4 vrf <vrf-name> Enters IPv4 vrf address cluster configuration
mode.
3 ZXR10(config-bgp-af)#aggregate-address < Creates an aggregation policy in the VRF route

ip-address>< net-mask>[ attribute-map| suppress-map]< table.
route-map-name>
<ip-address> The IP address of an aggregation network to be generated in dotted

decimal notation.
<net-mask> The aggregation mask of an aggregation network to be generated in

dotted decimal notation.
attribute-map The attribute map.
suppress-map The suppress map.
7-10

<route-map-name> The name of the attribute-map or suppress map. Length: 1-31

characters.
l Route-Map Configuration for Route Information

To configure the route-map for receiving route information from or sending route
information to the peer group, perform the following steps:
1 ZXR10(config)#router bgp {<1~65535>|<1~65535>.<0~6553 Enters BGP route configuration mode.

5>}
2 ZXR10(config-bgp)#neighbor {< ipv4-address>|<peer-group- Filters the route sent by the neighbor peer
name>} route-map <route-map-name>{ in | out} group or received by the neighbor peer
group, or sets the routing priority.
Parameter description in Step 2 is as follows:
in | out Used for importing or exporting.
Configuring the VRF Invoking Routing Policy

To configure the route-map for receiving route information from or sending route
information to the peer group, perform the following steps:
1 ZXR10(config)#ip vrf <vrf-name> Creates VRF.
2 ZXR10(config-vrf)#rd <route-distinguisher> Configures RD.
3 ZXR10(config-vrf)#route-target [import | export | both Creates the route-target extended

]<extended-community > group attributes associated with
VRF.
4 ZXR10(config-vrf)#address-family ipv4 Activates the IPv4 VRF address

family.
5 ZXR10(config-vrf-af)#import map <route-map-name> Configures the imported route

mapping associated with VRF.
ZXR10(config-vrf-af)#export map <route-map-name> Configures the exported route

mapping associated with VRF.
7.2.3 Maintaining Routing Policy

To maintain the routing policy on the ZXR10 M6000, run the following commands:
7-11

Command Function
ZXR10(config)#show running-config rip Displays the RIP protocol configuration, and checks
whether the routing policies are used by various routing
protocols.
ZXR10(config)#show running-config isis Displays the ISIS protocol configuration, and checks
protocols.
ZXR10(config)#show running-config ospf Displays the OSPF protocol configuration, and checks
protocols.
ZXR10(config)#show running-config bgp Displays the BGP protocol configuration, and checks
protocols.
ZXR10(config)#show running-config vrf Displays the VRF route configuration, and checks whether
the routing policies are used by various routing protocols.
ZXR10(config)#show ip vrf detail [<vrf-name>] Displays detailed VRF configuration. You can specify a
VRF example and query its configuration.
ZXR10(config)#show route-map [<route-map-name>] Displays detailed route-map template configuration.
7.2.4 Routing Policy Configuration Instances

7.2.4.1 Configuration Example of an RIP Redistribution Routing Policy
The Routing Information Protocol (RIP) is operating on R1 and R2. R1 and R2 can notify
their RIP routes to each other, or redistribute other routes. The following uses a static route
distribution as an example, see Figure 7-1.
Figure 7-1 Configuration Example of the RIP Redistribution Routing Policy
Configuration Flow
1. Configure IPv4 addresses for the interfaces.
2. Enable the RIP for a direct-connected interface.
3. Redistribute other routes and configure the redistribution command.
4. Add the route-map name(s) to the redistribution command.
7-12

5. Configuring the route-map policy.

6. Check the configuration result, and verify that two devices can learn route information
from the peer end respectively.
R1(config)#router rip
R1(config-rip)#redistribute static route-map www
R1(config-rip)#network 192.168.1.0 0.0.0.255
R1(config-rip)#exit
R1(config)#ip route 3.3.3.0 255.255.255.0 loopback1 4
/*Not the optimun route, and will not be reallocated*/
R1(config)#ip route 3.3.3.0 255.255.255.0 30.0.0.6 3
R1(config)#ip route 5.5.5.0 255.255.255.0 loopback2
R1(config)#route-map www permit 10
R1(config-route-map)#set ip metric 10
R1(config-route-map)#exit

R2(config)#router rip
R2(config-rip)#network 192.168.1.0 0.0.0.255
R2(config-rip)#exit
Run the show command to check configuration information of RIP, route-map and static
route on the R1 and R2, IPv4 route information and RIP route table.
Route information on R1 is displayed as follows:
R1(config)#show running-config rip
! <RIP>
router rip
redistribute static route-map www
network 192.168.1.0 0.0.0.255
! </RIP>
R1(config)#show running-config static

! <ROUTE_STATIC>
ip route 3.3.3.0 255.255.255.0 loopback1 4
ip route 3.3.3.0 255.255.255.0 30.0.0.6 3
ip route 5.5.5.0 255.255.255.0 loopback2
! </ROUTE_STATIC>
R1(config)#show running-config route-map

! <ROUTEMAP>
7-13

route-map www permit 10

set ip metric 10
! </ROUTEMAP>
R1(config)#show ip rip database

Routes of rip:
h : is possibly down,in holddown time
f : out holddown time before flush
Dest Metric RtPrf InstanceID Time From

*> 3.0.0.0/8 10 254 0 00:00:24 0.0.0.0
*> 3.3.3.0/24 10 3 0 00:00:00 0.0.0.0
*> 5.0.0.0/8 10 254 0 00:00:24 0.0.0.0
*> 5.5.5.0/24 10 1 0 00:00:00 0.0.0.0
*> 192.168.1.0/24 0 0 0 00:00:00 0.0.0.0
Route information on R2 is displayed as follows:
R2(config)#show running-config rip

! <RIP>
router rip
network 192.168.1.0 0.0.0.255
! </RIP>
R2(config)#show ip rip database

Routes of rip:
h : is possibly down,in holddown time
f : out holddown time before flush
Dest Metric RtPrf InstanceID Time From

*> 3.0.0.0/8 11 120 0 00:00:10 192.168.1.1
*> 5.0.0.0/8 11 120 0 00:00:10 192.168.1.1
*> 192.168.1.0/24 0 0 0 00:00:00 0.0.0.0
R2(config)#show ip protocol routing

Protocol routes:
status codes: *valid, >best, i-internal, s-stale
Dest NextHop RoutePrf RouteMetric Protocol

*> 3.0.0.0/8 192.168.1.1 120 11 rip
*> 5.0.0.0/8 192.168.1.1 120 11 rip
*> 192.168.1.0/24 192.168.1.2 0 0 connected
*> 192.168.1.2/32 192.168.1.2 0 0 connected
7-14

7.2.4.2 Configuration Example of an ISIS Routing Policy
The neighbor relationship between R1 and R2 is established in the level-1-2 area
successfully, and the status is up, see Figure 7-2.
R1 is configured with 2 static routes. The static route redistributed in ISIS level-1 should
carry the route-map parameter.
Figure 7-2 Configuration Example of an ISIS Routing Policy
Configuration Flow
1. Configure the neighbor relationship between R1 and R2 in the level-1-2 area.
2. Configure the route-map testisis on R1.
3. Configure several static routes on R1.
4. Redistribute a static route with the route-map parameter on R1.
1. Run the following commands to configure the neighbor relationship between R1 and
R2 in the level-1-2 area.
Run the following commands to configure the ISIS on R1:
R1(config)#router isis 44
R1(config-isis)#system-id 5555.5555.5555
R1(config-isis)#area 44
R1(config-isis)#is-type level-1-2
R1(config-isis)#metric-style narrow
R1(config-isis)#interface gei-0/1/0/3
R1(config-isis-if)#ip router isis
R1(config-isis-if)#exit
R1(config-isis)#exit
Run the following commands to configure the ISIS on R2:

R2(config-isis)#system-id 2222.2222.2222
R2(config-isis)#area 44
R2(config-isis)#is-type level-1-2
R2(config-isis)#metric-style narrow
R2(config-isis)#interface gei-0/1/0/1
R2(config-isis-if)#ip router isis
7-15

R2(config-isis-if)exit
2. Run the following commands to configure route-map testisis on R1.
R1(config)#route-map testisis permit 10
R1(config-route-map)#set level level-1
R1(config-route-map)#set ip metric-type external
3. Run the following commands to configure three valid static routes on R1.
R1(config)#ip route 1.2.3.4 255.255.255.255 192.168.1.103
R1(config)#ip route 20.0.0.0 255.255.255.0 192.168.5.203
R1(config)#ip route 168.178.19.0 255.255.255.0 177.77.16.2
4. Run the following commands to redistribute a static route with the route-map parameter
on R1.
R1(config-isis)#redistribute static route-map testisis
Check the ISIS configuration result, which is displayed as follows:
R1(config)#show running-config isis
! <ISIS>
router isis 44
area 44
system-id 5555.5555.5555
is-type level-1-2
metric-style narrow
redistribute static route-map testisis
interface gei-0/1/0/3
ip router isis
$
! </ISIS>
R2(config)#show running-config isis
! <ISIS>
router isis 44
area 44
system-id 2222.2222.2222
is-type level-1-2
metric-style narrow
ip router isis
$
! </ISIS>
Check the ROUTE-MAP configuration result, which is displayed as follows:
7-16

R1(config)#show route-map testisis

[route-map testisis] IP type: IPv4
route-map testisis permit 10
set level level-1
set ip metric 10
set ip metric-type external
Check the static route configuration result, which is displayed as follows:

R1(config)#show ip forwarding route static
IPv4 Routing Table:
*> 1.2.3.4/32 192.168.1.103 gei-0/5/0/2 static 1 0
*> 20.0.0.0/24 192.168.5.203 gei-0/5/0/2 static 1 0
*> 168.178.19.0/24 177.77.16.2 smartgroup47 static 1 0
Verify that the result is as expected. Check routes in the level-1 area on R1.
narrow mode metric-type external, metric=10+64=74,
The routes will be redistributed to the level-2 area by default. After the route-map is
configured, the routes can only be distributed to the level-1 area.
R1(config)#show isis database level-1 detail process-id 44
Process ID:44
IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R1.00-00* 0x6 0xd6dc 1142 0/0/0
NLPID: 0xcc
Area Address: 00
Ip Address: 55.1.1.1
Hostname: R1
Metric: 10 IS neighbor R1.02
Metric: 10 IP-Internal 55.1.1.0 255.255.255.0
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R1.00-01* 0x8 0x9223 934 0/0/0
Metric: 74 IP-External 1.2.3.4 255.255.255.255
Hostname: R1
Check three pieces of ISIS route information from R1 on R2, which is displayed as follows:
R2(config)#show ip forwarding route isis-l1

IPv4 Routing Table:
*> 1.2.3.4/32 55.1.1.1 gei-0/3/0/5 isis_l1 115 84
*> 20.0.0.0/24 55.1.1.1 gei-0/3/0/5 isis_l1 115 84
7-17

*> 168.178.19.0/24 55.1.1.1 gei-0/3/0/5 isis_l1 115 84
7.2.4.3 Configuration Example of the OSPF Routing Policy
Interfaces of both R1 and R2 are in the OSPF area 1. The OSPF neighbor relationship is
established between R1 and R2 successfully through R1/R2 interfaces, and the status is
full. After three static routes are configured on R1, R1 redistributes the static routes that
carry the route-map parameter in the OSPF area, see Figure 7-3.
Figure 7-3 Configuration Example of the OSPF Routing Policy
Configuration Flow
1. Establish the relationships between R1 and R2 in the OSPF area 1.
2. Configure the route-map on R1.
3. Configure several static routes on R1.
4. Redistribute the static routes that carry the route-map parameter in the OSPF area on
R1.
1. Run the following commands to set the same network segment address for R1 and
R2 to build the OSPF neighbor.
R1(config-if)#ip add 55.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router ospf 2
R1(config-ospfv2)#network 55.1.1.0 0.0.0.255 area 0.0.0.1
R1(config-ospfv2)#exit
R2(config-if)#ip add 55.1.1.2 255.255.255.0
R2(config-if)#exit
R2(config-ospfv2)#network 55.1.1.0 0.0.0.255 area 0.0.0.1
2. Run the following commands to configure the route-map on R1.
R1(config)#route-map ff
7-18

R1(config-route-map)#match ip metric 0
R1(config-route-map)#set ip metric-type type-1
R1(config-route-map)#set ip tag 100
3. Run the following commands to configure several static routes on R1.
R1(config)#ip route 1.2.3.4 255.255.255.255 192.168.1.103
R1(config)#ip route 20.0.0.0 255.255.255.0 192.168.5.203
R1(config)#ip route 168.178.19.0 255.255.255.0 177.77.16.2
4. Run the following commands to redistributes the static route that carries the route-map
parameter in the OSPF area on R1.
R1(config-ospfv2)#redistribute static route-map ff
Check the configuration result on R1 and the static and OSPF routes on R1, which is
R1(config)#show route-map ff
[route-map ff] IP type: IPv4
route-map ff permit 10
match ip metric 0
set ip metric 50
set ip metric-type type-1
set ip tag 100
R1(config)#show ip forwarding route static

IPv4 Routing Table:
*> 1.2.3.4/32 192.168.1.103 gei-0/5/0/2 static 1 0
*> 20.0.0.0/24 192.168.5.203 gei-0/5/0/2 static 1 0
*> 168.178.19.0/24 177.77.16.2 smartgroup47 static 1 0
R1(config)#show running-config | begin router ospf
router ospf 2
redistribute static route-map ff
network 55.1.1.0 0.0.0.255 area 0.0.0.1
R1(config)#show ip ospf database process 2
OSPF Router with ID (61.61.61.1) (Process ID 2)
Router Link States (Area 0.0.0.1)
Link ID ADV Router Age Seq# Checksum Link count
7-19

61.61.61.1 61.61.61.1 138 0x80000003 0xa7a1 1

1.2.3.2 1.2.3.2 140 0x80000003 0x8526 1
Net Link States (Area 0.0.0.1)
Link ID ADV Router Age Seq# Checksum

55.1.1.1 61.61.61.1 138 0x80000001 0x394f
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag

20.0.0.0 61.61.61.1 189 0x80000001 0xd7f9 100
1.2.3.4 61.61.61.1 189 0x80000001 0x6e6d 100
168.178.19.0 61.61.61.1 189 0x80000001 0x1a5d 100
Check the attributes of the OSPF route on R2, which is displayed as follows:
R2(config-ospfv2)#show ip forwarding route ospf
IPv4 Routing Table:
*> 1.2.3.4/32 55.1.1.1 gei-0/3/0/5 ospf 110 51
*> 20.0.0.0/24 55.1.1.1 gei-0/3/0/5 ospf 110 51
*> 168.178.19.0/24 55.1.1.1 gei-0/3/0/5 ospf 110 51
7.2.4.4 Configuration Example of the BGP Routing Policy
The EBGP neighbor relationship is established between R1 and R2, and the IBGP
neighbor relationship is established between R2 and R3. R1 advertises the route to R2,
see Figure 7-4.
The route-map test 1 configured on R2 takes effect on the ingress of R2. The route-map
test2 configured on R2 takes effect on the egress of R2.
Figure 7-4 Configuration Example of the BGP Routing Policy
Configuration Flow
1. Establish the EBGP neighbor relationship between R1 and R2, and the IBGP neighbor
relationship between R2 and R3.
2. R1 advertises BGP routes to R2, and R2 and R3 can learn these routes.
7-20

3. Configure ipv4-access-list 1, ipv4-access-list 2, route-map test1 and route-map test2

on R2.
4. Configure route-map test 1 on R2, and apply this policy to the ingress of R2, and
configure route-map test2 on R2, and apply this policy to the egress of R2.
Note:
l The route-map can be used for both ingress and egress. For the ingress, the set
operation takes effect on community, local preference, and next_hop. For the egress,
the set operation takes effect for all objects.
l The specified options for the BGP protocol in route-map include: community-list,
dampening, local-preference, origin, and as-path for the set operation, as-path, and
community-list for the Match operation.
Configuration Flow
1. Run the following commands to set the IP addresses for the direct interfaces of three
routes to the same value, and establish the EBGP neighbor relationship.
R1(config)#interface xgei-0/3/0/2
R1(config-if)#exit
R1(config)#router bgp 1011
R1(config-bgp)#neighbor 131.4.1.2 remote-as 200
R1(config-bgp)#exit

R2(config-if)#exit
R2(config-if)#exit
R2(config-bgp)#exit

7-21


R3(config-if)#exit
R3(config-bgp)#exit
2. Run the following commands to advertise five BGP routes to R2.
R1(config-bgp)#network 7.7.7.0 255.255.255.0
R1(config-bgp)#exit
3. Run the following commands to configure route-map test 1 and ACL on R2.
R2(config)#ipv4-access-list 1
R2(config-ipv4-acl)#rule 1 permit 7.7.7.0 0.0.0.255
R2(config)#ipv4-access-list 2
R2(config-ipv4-acl)#rule 1 permit 8.8.8.0 0.0.0.255
R2(config)#route-map test1 permit 10
R2(config-route-map)#match ip address 1
R2(config-route-map)#set local-preference 30000
R2(config-route-map)#match ip metric 5
R2(config-route-map)#match as-path 1
R2(config-route-map)#match community-list 1
R2(config-route-map)#set as-path prepend 2
R2(config-route-map)#set local-preference 200
R2(config-route-map)#set next-hop 10.1.1.0
R2(config-route-map)#set origin incomplete
4. Run the following commands to configure route-map test 1 on R2, and apply this policy
to the ingress of R2, and configure route-map test2 on R2, and apply this policy to the
egress of R2.
R2(config-bgp)#neighbor 131.4.1.1 route-map test1 in
R2(config-bgp)#neighbor 131.4.2.1 route-map test2 out
R2(config-bgp)#exit
7-22

1. In step 2, after route advertisement, R2 and R3 can learn five routes.
R2(config)#show ip bgp route

*> 7.7.7.0/24 131.4.1.1 0 20 1011 i
*> 7.7.8.0/24 131.4.1.1 0 20 1011 i
*> 7.7.9.0/24 131.4.1.1 0 20 1011 i
*> 8.8.8.0/24 131.4.1.1 0 20 1011 i
*> 9.9.9.0/24 131.4.1.1 0 20 1011 i
R3(config)#show ip bgp route


*>i 7.7.7.0/24 131.4.1.1 0 100 200 1011 i
*>i 7.7.8.0/24 131.4.1.1 0 100 200 1011 i
*>i 7.7.9.0/24 131.4.1.1 0 100 200 1011 i
*>i 8.8.8.0/24 131.4.1.1 0 100 200 1011 i
*>i 9.9.9.0/24 131.4.1.1 0 100 200 1011 i
2. In Step 4, after R2 is bound with a routing policy, you can learn route 7.7.7.0/24 and
8.8.8.0/24 of the match items in route-map test1. You cannot learn the routes that
are unmatched.
3. If there are several match items in the same routing policy, the relation between these
items is "and". The match route-map test2 permit 10 item is not matched, so the
route 7.7.7.0 will not be advertised to R3.
4. After using the BGP routing policy:
R2(config)#show ip bgp summary /*R2 learns two BGP routes from R1.*/
Neighbor Ver As MsgRcvd MsgSend Up/Down State/PfxRcd
131.4.1.1 4 1011 34 33 00:16:23 2
131.4.2.1 4 200 32 33 00:16:23 0
R2(config)#show ip bgp route /*Information on two BGP routes*/

*> 7.7.7.0/24 131.4.1.1 0 30000 20 1011 i
*> 8.8.8.0/24 131.4.1.1 0 30000 20 1011 i
The following is the detailed information of the two BGP routes.
R2(config)#show ip bgp route network 7.7.7.0 mask 255.255.255.0

BGP routing table entry for 7.7.7.0/24
7-23

2d18h received from 131.4.1.1 (1.2.3.1)

origin i,nexthop 131.4.1.1,metric 0,localpref 30000,rtpref 20,best,
as path [1011]
as4 path
R2(config)#show ip bgp route network 8.8.8.0 mask 255.255.255.0
BGP routing table entry for 8.8.8.0/24
2d18h received from 131.4.1.1 (1.2.3.1)
origin i,nexthop 131.4.1.1,metric 0,localpref 30000,rtpref 20,best,
as path [1011]
as4 path
2d18h advertised to 131.4.2.1 (1.2.3.2)
origin ?,nexthop 10.1.1.0,metric 0,localpref 200,
as path [2 1011]
as4 path
7.2.4.5 Configuration Example of the VRF Routing Policy
For the VRF routing policy configuration example of a network, see Figure 7-5.
Figure 7-5 Configuration Example of the VRF Routing Policy
1. The basic L3VPN network is established. PE1 and PE2 are in the same AS. The
MPIBGP neighbor is established, see Figure 7-5.
2. VRF test1 is on PE1. The route 199.199.199.1/32 of the address generated by local
loopback address and the direct route 198.198.198.0/24 interconnected to CE1 are
advertised.
3. VRF test1 is on PE2. The route 123.123.123.1/32 of the address generated by local
Loopback address and the direct route 182.192.182.0/24 interconnected to CE2 are
advertised.
4. The VRF test1 route tables on two PEs contain local and remote routes, such as
199.199.199.1/32,198.198.198.0/24 and 123.123.123.1/32,182.192.182.0/24.
5. The route-map routing policy is used on the vrf test1 of PE.
Perform the following policies on the incoming 123.123.123.1/32,182.192.182.0/24
routes: You can import 182.182.182.0/24 route from the VPN neighbor.
Perform the following policies on the outgoing 199.199.199.1/32,198.198.198.0/24

routes: You can advertise the 199.199.199.1/32 route to the VPN neighbor.
7-24

6. Verify the result of the routing policy after the configuration.
Configuration Flow
1. Configure the basic L3VPN network environment for CE1-PE1-PE2-CE2.
2. Learn all routes in the configuration description of the private network route table on
two PEs.
3. Configure route-map on PE1, and define characteristics of the route where the routing
policy will be performed, that is to define a group of matching rules. You can set these
principles based on different properties in route information, such as target address,
router address of routing information.
4. Apply the route-map to the VRF example on PE1, import/export routes, and
receive/import route release.
1. Run the following commands to configure the basic L3VPN network on PE1 and PE2.
Run the following commands on PE1:
PE1(config)#ip vrf test1
PE1(config-vrf)#rd 10:10
PE1(config-vrf)#route-target both 10:10
PE1(config-vrf)#address-family ipv4
PE1(config-vrf-af)#exit
PE1(config-vrf)#exit
PE1(config)#interface loopback30
PE1(config-if)#ip vrf forwarding test1
PE1(config-if)#ip address 199.199.199.1 255.255.255.255
PE1(config-if)#exit
PE1(config)#interface gei-0/3/0/2
PE1(config-if)#no shutdown
PE1(config-if)#exit
PE1(config)#interface gei-0/3/0/2.10
PE1(config-subif)#ip vrf forwarding test1
PE1(config-subif)#ip address 198.198.198.1 255.255.255.0
PE1(config-subif)#exit
PE1(config)#vlan
PE1(config-vlan)#interface gei-0/3/0/2.10
PE1(config-subvlan-if)#encapsulation-dot1q 10
PE1(config-subvlan-if)#exit
PE1(config-vlan)#exit
PE1(config-if)#exit
PE1(config)#router bgp 200
PE1(config-bgp)#neighbor 1.2.3.82 remote-as 200
7-25

PE1(config-bgp)#neighbor 1.2.3.82 update-source loopback1

PE1(config-bgp)#address-family vpnv4
PE1(config-bgp-af)#neighbor 1.2.3.82 activate
PE1(config-bgp-af)#exit
PE1(config-bgp)#address-family ipv4 vrf test1
PE1(config-bgp-af)#redistribute address
PE1(config-bgp-af)#redistribute connected
PE1(config-bgp)#exit

PE2(config-if)#ip vrf forwarding test1
PE2(config-if)#exit
PE2(config-if)#no shutdown
PE2(config-if)#exit
PE2(config)#interface gei-0/1/0/2.10
PE2(config-subif)#ip vrf forwarding test1
PE2(config-subif)#ip address 182.182.182.1 255.255.255.0
PE2(config-subif)#exit
PE2(config)#vlan-configuration
PE2(config-vlan)#interface gei-0/1/0/2.10
PE2(config-subvlan-if)#encapsulation-dot1q 10
PE2(config-subvlan-if)#exit
PE2(config-vlan)#exit
PE2(config-if)#exit
PE2(config-bgp)#address-family ipv4 vrf test1
PE2(config-bgp-af)#redistribute address
PE2(config-bgp-af)#redistribute connected
7-26

PE2(config-bgp)#exit
2. Run the following commands to check VRF routes on PE1 and PE2.
The displayed results on PE1 are as follows:
PE1(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
*> 123.123.123.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.0/24 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 198.198.198.0/24 198.198.198.1 gei-0/3/0/2.10 direct 0 0
*> 198.198.198.1/32 198.198.198.1 gei-0/3/0/2.10 address 0 0
*> 199.199.199.1/32 199.199.199.1 loopback30 address 0 0

IPv4 Routing Table:
*> 182.182.182.0/24 182.182.182.1 gei-0/1/0/2.10 direct 0 0
*> 182.182.182.1/32 182.182.182.1 gei-0/1/0/2.10 address 0 0
*> 198.198.198.0/24 1.2.3.80 posgroup2 bgp 200 0
*> 198.198.198.1/32 1.2.3.80 posgroup2 bgp 200 0
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
3. Run the following commands to configure the route-map on PE1, and apply it to the
VRF.
Configure the route-map test 1 to limit route advertisement on the egress.
PE1(config)#ip prefix-list test1 seq 5 permit 199.199.199.1 32
PE1(config)#route-map test1
PE1(config-route-map)#match ip address prefix-list test1
PE1(config-route-map)#exit
Configure the route-map test 2 to limit the route advertisement on the ingress.
PE1(config)#ip prefix-list test2 seq 5 permit 182.182.182.0 24 ge 32
PE1(config)#route-map test2
PE1(config-route-map)#match ip address prefix-list test2
Apply the route-amp to vrf test1.

PE1(config-vrf)#address ipv4
PE1(config-vrf-af)#export map test1
7-27

PE1(config-vrf-af)#import map test2

4. Run the following commands to check the VRF routing table on PE1 and PE2 to check
whether the VRF routing policy takes effect.
IPv4 Routing Table:
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 198.198.198.0/24 198.198.198.1 gei-0/3/0/2.10 direct 0 0
*> 198.198.198.1/32 198.198.198.1 gei-0/3/0/2.10 address 0 0

IPv4 Routing Table:
*> 182.182.182.0/24 182.182.182.1 gei-0/1/0/2.10 direct 0 0
*> 182.182.182.1/32 182.182.182.1 gei-0/1/0/2.10 address 0 0
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
If the configuration is successful, run the show running-config command to check the
results, which are displayed as follows:
PE1#show running-config bgp
! <BGP>
router bgp 200
neighbor 1.2.3.82 update-source loopback1
address-family ipv4 vrf test1
redistribute address
redistribute connected
$
address-family vpnv4
$
$
! </BGP>
PE1#show running-config vrf | begin test1
7-28

ip vrf test1
rd 10:10
route-target import 10:10
route-target export 10:10
address-family ipv4
import map test2
export map test1
$
!
! </VRF>
PE1#show route-map test1
[route-map test1] IP type: IPv4
route-map test1 permit 10
match ip address prefix-list test1
PE1#show route-map test2
[route-map test2] IP type: IPv4
route-map test2 permit 10
match ip address prefix-list test2
PE1#show ip prefix-list test1
ip prefix-list test1 :
seq 5 permit 199.199.199.1 32
PE1#show ip prefix-list test2
ip prefix-list test2 :
seq 5 permit 182.182.182.0 24 ge 32
Before the VRF route policy is used, the vrf test1 route table on PE1 is:

IPv4 Routing Table:
*> 123.123.123.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.0/24 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 198.198.198.0/24 198.198.198.1 gei-0/3/0/2.10 direct 0 0
*> 198.198.198.1/32 198.198.198.1 gei-0/3/0/2.10 address 0 0
After some routes are imported, the vrf test1 route table is changed to:

IPv4 Routing Table:
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 198.198.198.0/24 198.198.198.1 gei-0/3/0/2.10 direct 0 0
7-29

*> 198.198.198.1/32 198.198.198.1 gei-0/3/0/2.10 address 0 0

The route policy test2 used for the import direction filters two routes advertised by the peer
PE2.
*> 123.123.123.1/32 1.2.3.82 posgroup2 bgp 200 0
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
The route-map test 2 specifies that the route that matches ip prefix-list test2 seq 5 permit
182.182.182.0 24 ge 32 can be learned.
*> 182.182.182.1/32 1.2.3.82 posgroup2 bgp 200 0
Before the route policy test1 is exported on PE1 , the vrf test1 route table on PE2 is:
IPv4 Routing Table:
*> 182.182.182.0/24 182.182.182.1 gei-0/1/0/2.10 direct 0 0
*> 182.182.182.1/32 182.182.182.1 gei-0/1/0/2.10 address 0 0
*> 198.198.198.0/24 1.2.3.80 posgroup2 bgp 200 0
*> 198.198.198.1/32 1.2.3.80 posgroup2 bgp 200 0
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
After the route policy test1 is exported on PE1, the vrf test1 route table on PE2 is:
IPv4 Routing Table:
*> 182.182.182.0/24 182.182.182.1 gei-0/1/0/2.10 direct 0 0
*> 182.182.182.1/32 182.182.182.1 gei-0/1/0/2.10 address 0 0
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
As seen from above, only one route is learned from remote 1.2.3.80.
*> 199.199.199.1/32 1.2.3.80 posgroup2 bgp 200 0
This above command is used to match ip prefix-list test1 seq 5 permit 199.199.199.1
32 defined in the route-map test1.
Two unmatched items will be filtered out, including:
*> 198.198.198.0/24 1.2.3.80 posgroup2 bgp 200 0

*> 198.198.198.1/32 1.2.3.80 posgroup2 bgp 200 0
7-30

7.3 Policy Routing Configuration

7.3.1 Policy Routing Overview
Policy Routing Introduction
Conventionally, a router obtains the next hop by searching in routing tables in accordance
with the destination address, and then it forwards packets. The routing table entry is
specified by the network administrator statically or generated by routing protocols through
routing algorithm dynamically.
Compared with the traditional routing, policy routing is more powerful and more flexible.
With policy routing, the network administrator can select the forwarding path in accordance
with the destination address, packet application (TCP/UDP port number) or source IP
address.
In packet forwarding control, policy routing is more powerful than conventional routing.
Policy routing can implement traffic engineering to a certain extent, thus making traffic of
different service quality or different service data (such as voice and File Transfer Protocol
(FTP)) goes through different paths. The users have higher requirements for network
performance. Therefore, it is necessary to select different packet forwarding paths based
on the differences of services or user categories.
On the ZXR10 M6000, the network administrator can define different route-maps by using
the match and set clauses, and apply the route-map to the interfaces which receive packets,
to implement path selection.
Each route-map has a series of sequences. Each sequence contains many match and set
clauses.
l The match clause defines matching conditions. When the received packets match the
conditions, perform policy routing.
l The set clause defines the actions to be performed when the conditions are matched.
When a packet fails to meet the match conditions of a sequence, it will continue to match
the next sequence.
Policy Routing Work Flow

When a router receives a packet, it determines whether the policy routing is bound to the
egress interface at first. If there is no binding, the router searches in the routing table in
accordance with destination address, and then forwards the packet. If policy routing has
already bound to the egress interface, the router processes the packet in accordance with
the sequences of route-map. The detailed steps are listed below,
1. At first, the router uses the received packet to match the ACL configured in the first
sequence. If the matching fails, the router continues to use the packet to match to the
ACL configured in the next sequence. The rest can be done in the same manner. If
the matching is successful, the router can obtain the attribute of the sequence.
7-31

2. When the attribute of the sequence is deny, the packet will be forwarded in normal
route. If the attribute is permit, the router will forward the packet in accordance with
the set item of the sequence.
3. The router determines whether a valid set ip path interface item exists. If the valid set
ip path interface item exists, the packet will be sent to the specified next hop.
4. The router determines whether a valid set ip next-hop item exists. For multiple set ip ne
xt-hop items, the router selects the first valid next-hop in accordance with configuration
sequence. If the valid set ip next-hop item exists, the router forwards the packet to the
specified next-hop.
5. If the set ip next-hop item is not set or there is no valid set ip next-hop item, the router
needs to check whether a valid egress interface exists (The egress exists, and it is
in UP state). When multiple set interface items exist, the router selects the first valid
egress interface in accordance with the configuration sequence. If the egress interface
exists, the router forwards the packet from the egress interface directly. Otherwise, it
forwards the packet in normal route.
6. When a packet is forwarded in a normal route, if the router finds the corresponding
route in the forwarding table, it forwards the packet in accordance with the route.
Otherwise, if the system does not set a default route, the router will discard the packet.
If the next hop of the policy routing is the indirect-connected IP address, the policy routing
still can be valid as long as the next hop can be found by searching in the local routing
table. The next hop address of policy routing is set to 200.1.1.2 on R1, see Figure 7-6.
Figure 7-6 Next Hop of an Indirect-Connected IP Address
The ip next hop of policy routing can be set to the IP address of ISP2 on R1, and it will
take effect immediately once there is a route from R1 to ISP2. If R1 has a route pointing
to ISP2 and the next-hop of the route is R2, the traffic coming from ISP1 which meets the
matching rules of the policy routing will be sent to R2 after the policy routing is bound to
gei-2/2 on R1. If the traffic does not meet the matching rules of the policy routing, it will be
discarded.
7.3.2 Configuring Policy Routing

To configure policy routing on the ZXR10 M6000, perform the following steps:
7-32

1 ZXR10(config)#route-map <route-map-name>[permit | Creates a route-map for a policy routing

deny][<sequence-number>] and enters route map configuration mode.
2 ZXR10(config-route-map)#match ip address *(<access-list- Configures the match item in route map

name> configuration mode and performs policy
routing on the packets which match the
ACL table.
ACL can be either standard or extended.
3 ZXR10(config-route-map)#set ip next-hop *(<ip-address>) Routes data packets to the specified next

hop when policy routing is available for
data packets. At most 10 IP addresses
can be set.
ZXR10(config-route-map)#set ip path interface Routes data packets to the specified

<interface-name> next-hop <ip-address> Ethernet port and the next hop when
policy routing is available for data packets.
ZXR10(config-route-map)#set interface *(<interface-name>) Routes data packets to the specified

interface when policy routing is available
for data packets.
ZXR10(config-route-map)#set global ip next-hop <ip-address> Makes the police of routing packets

from the access side of a Virtual Route
Forwarding (VRF) example to a normal
interface.
ZXR10(config)#ip policy interface < interface-name> route-map Configures fast forwarding based on
< route-map-name> policy routing.
<map-tag> Name of route mapping. Length: 1-31 characters
permit If the route map meets matching conditions, redistribution or policy

route is permitted.
deny If the route map meets matching conditions, redistribution or policy

route is denied.
<sequence-number> Sequence number. Range: 0-65535.
To configure a VRF policy route on the ZXR10 M6000, perform the following steps:
1 ZXR10(config)#route-map <map-tag>[permit | Creates a route-map for policy route and

deny][<sequence-number>] enters route map configuration mode.
7-33

2 ZXR10(config-route-map)#set vrf <vrf-name> Sets VRF name. When data packets

meet a matching item of the policy map for
policy routing, run the set vrf command to
route data packets to the specified vpnid.
3 ZXR10(config-route-map)#set vrf <vrf-name> ip next-hop Sets the next-hop address of the specified
<ip-address>[track <sqa-name>] VRF.
7.3.3 Policy Routing Maintenance

To maintain the policy route on the ZXR10 M6000, run the following commands:
Command Function
ZXR10#show route map < route map-name> Displays the route-map information.
ZXR10#show running-config pbr Displays the PBR binding information of the

interface.
7.3.4 Policy Routing Configuration Examples

7.3.4.1 Policy Routing Configuration Example One
The router (ZXR10) accesses users of two subnets through different interfaces. Two
ISP egresses are available. Users select different egresses in accordance with their IP
addresses. Users belonging to the subnet 10.10.0.0/24 uses the ISP1 egress and users
belonging to the subnet 11.11.0.0/24 uses the ISP2 egress, see Figure 7-7.
Figure 7-7 Policy Routing Configuration Example One
7-34

Configuration Flow
1. Configure IP addresses for interfaces.
2. Create ACL to define the traffic to be controlled.
3. Create a route-map, associate it to an ACL, and define actions.
4. Associate route-map to the corresponding interfaces.
Run the following commands on the ZXR10:
ZXR10(config)#interface gei-0/1/1/1
ZXR10(config-if)#no shutdown
ZXR10(config-if)#description To User1
ZXR10(config-if)#ip address 10.10.0.254 255.255.255.0
ZXR10(config-if)#exit
ZXR10(config)#show running-config-interface gei-0/1/1/1
!<INTERFACE>
no shutdown
description To User1
ip address 10.10.0.254 255.255.255.0
!
!</INTERFACE>
ZXR10(config)#ip policy interface gei-0/1/1/1 route-map source-ip
/*Bind route-map source-ip to an interface*/
ZXR10(config)#show running-config pbr
!<PBR>
ip policy interface gei-0/1/1/1 route-map source-ip
!</PBR>
ZXR10(config-if)#description To User2
!<INTERFACE>
no shutdown
description To User2
ip address 11.11.0.254 255.255.255.0
!
!</INTERFACE>

/*Bind route-map source-ip to an interface*/
7-35

!<PBR>
!</PBR>
ZXR10(config-if)#description To ISP1

!<INTERFACE>
no shutdown
description To ISP1
ip address 100.1.1.2 255.255.255.252
!
!</INTERFACE>
!<INTERFACE>
no shutdown
description To ISP2
ip address 200.1.1.2 255.255.255.252
!
!</INTERFACE>
ZXR10(config)#ip route 0.0.0.0 0.0.0.0 100.1.1.1
ZXR10(config)#ipv4-access-list 10
ZXR10(config-ipv4-acl)#rule 1 permit 10.10.0.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#show ipv4-access-lists name 10
ipv4-access-list 10
1/1 (showed/total)
rule 1 permit 10.10.0.0 0.0.0.255
ipv4-access-list 20
7-36

1/1 (showed/total)
rule 1 permit 11.11.0.0 0.0.0.255
ZXR10(config)#route-map source-ip permit 10

/*Forward packets matching ACL 10 to 100.1.1.1*/
ZXR10(config-route-map)#match ip address 10
ZXR10(config-route-map)#set ip next-hop 100.1.1.1
/*Forward packets matching ACL 20 to 200.1.1.1*/
ZXR10(config-route-map)#set ip next-hop 200.1.1.1
In this example, there are three conditions.

1. When both the ISP1 and ISP2 egresses run properly, user service of the 10.10.0.0/24
sub-network uses the ISP1 egress and users services of the 11.11.0.0./24 sub-network
uses the ISP2 egress.
2. When the ISP1 egress runs properly but the ISP2 egress runs improperly, user
services of both subnetworks use the ISP1 egress. At this time, user service of
subnetwork 11.11.0.0/24 uses the default route.
3. When the ISP1 egress runs improperly but the ISP2 egress runs properly, user
service of subnetwork 11.11.0.0/24 is normal, but that of subnetwork 10.10.0.0/24 is
interrupted.
Check the configuration of the route-map, which is displayed as follows:
ZXR10(config)#show route-map source-ip
[route-map source-ip] IP type: IPv4
route-map source-ip permit 10
match ip address 10
set ip next-hop 100.1.1.1
match ip address 20
set ip next-hop 200.1.1.1
7.3.4.2 Policy Routing Configuration Example Two
When users of different subnetworks are accessed through the same interface of a router,
the configuration of a policy routing needs to be modified, see Figure 7-8.
7-37

Figure 7-8 Policy Routing Configuration Example Two
Configuration Flow
1. Configure IP addresses for interfaces.
2. Create an ACL and define the traffic to be controlled.
3. Create a route-map, associate it to an ACL, and define actions.
4. Associate the route-map to the corresponding interfaces.
Run the following commands on the ZXR10:
ZXR10(config-if)#description To User
!<INTERFACE>
no shutdown
description To User
ip address 192.168.1.1 255.255.255.252
!
!</INTERFACE>
ZXR10(config)#sho running-config-interface gei-0/2/1/1
!<INTERFACE>
no shutdown
description To ISP1
7-38

ip address 100.1.1.2 255.255.255.252

!
!</INTERFACE>
!<INTERFACE>
no shutdown
description To ISP2
ip address 200.1.1.2 255.255.255.252
!
!</INTERFACE>
Run the following commands to configure the route-map.

/* This configures an ACL to be used in a route-map.*/
ipv4-access-list 10
1/1 (showed/total)
rule 1 permit 10.10.0.0 0.0.0.255
ipv4-access-list 10
1/1 (showed/total)
rule 1 permit 11.11.0.0 0.0.0.255
/*This configures the information of a route-map.

The sequence number is 10 and 20.*/
/* This forwards the packets matching ACL 10 to 100.1.1.1,

and configures 200.1.1.1 as a backup egress.*/
ZXR10(config-route-map)#set ip next-hop 100.1.1.1 200.1.1.1
7-39


/* This forwards the packets matching ACL 20 to 200.1.1.1

and configures 100.1.1.1 as a backup egress.*/
ZXR10(config-route-map)#set ip next-hop 200.1.1.1 100.1.1.1
Run the following commands to apply the route-map to an interface.

/*This binds route-map source-ip to an interface.*/
!<PBR>
!</PBR>
In this example, the two ISP egresses back up each other. There are two conditions.
1. When both ISP1 and ISP2 egresses run properly, user service of 10.10.0.0/24 uses
the ISP1 egress and user services of 11.11.0.0./24 uses the ISP2 egress.
2. When one egress has fault, the user service uses a backup egress. Therefore, the
service will not be interrupted as long as the two egresses do not have fault at the
same time.
Check the configuration of the route-map, which is displayed as follows:
ZXR10(config)#show route-map source-ip
match ip address 10
set ip next-hop 100.1.1.1 200.1.1.1
match ip address 20
set ip next-hop 200.1.1.1 100.1.1.1
7.3.4.3 Policy Routing Configuration Example Three
Users of different subnetworks are accessed through the same interface of the router.
When users of vpn1 access the network of vpn2, the remote VRF policy routing is used,
see Figure 7-9.
7-40

Figure 7-9 Remote VRF Policy Routing Configuration Example
Configuration Command:
/*Configure an interface*/
PE1(config-if)#exit
PE1(config)#show running-config-interface loopback1
!<INTERFACE>
interface loopback1
ip address 1.2.3.30 255.255.255.255
!
!</INTERFACE>
PE1(config)#ip vrf vpn1
PE1(config-if)#description to vpn1
PE1(config-if)#ip vrf forwarding vpn1
PE1(config-if)#exit
PE1(config)#show running-config-interface gei-0/6/0/1
!<INTERFACE>
7-41

no shutdown
description to vpn1
ip vrf forwarding vpn1
ip address 30.1.1.1 255.255.255.0
!
!</INTERFACE>
PE1(config-if)#exit
!<INTERFACE>
no shutdown
description to vpn2
ip address 40.1.1.1 255.255.255.0
!
!</INTERFACE>
PE1(config-if)#exit
!<INTERFACE>
no shutdown
ip address 20.1.1.1 255.255.255.0
!
!</INTERFACE>
PE1(config)#show ip vrf brief
* Being deleted
Name Default RD Protocol Interfaces
vpn1 1:1 ipv4 gei-0/6/0/1
vpn2 1:2 ipv4 gei-0/1/0/1
mng < not set > mng1
/*Configure OSPF*/
PE1(config)#router ospf 1 vrf vpn1
PE1(config-ospfv2)#network 30.1.1.0 0.0.0.255 area 0.0.0.0
PE1(config-ospfv2)#exit
PE1(config)#router ospf 2 vrf vpn2
7-42

PE1(config)#router ospf 3
PE1(config)#show running-config ospf
!<OSPF>
router ospf 1 vrf vpn1
network 30.1.1.0 0.0.0.255 area 0.0.0.0
!
router ospf 2 vrf vpn2
network 40.1.1.0 0.0.0.255 area 0.0.0.0
!
router ospf 3
network 1.2.3.30 0.0.0.0 area 0.0.0.0
network 20.1.1.0 0.0.0.255 area 0.0.0.0
!
!</OSPF>
PE1(config)#show ip ospf neighbor
Neighbor ID Pri State DeadTime Address Interface

30.1.1.2 0 FULL/DROTHER 00:00:33 30.1.1.2 gei-0/6/0/1

40.1.1.2 0 FULL/DROTHER 00:00:33 40.1.1.2 gei-0/1/0/1

1.2.3.29 1 FULL/BDR 00:00:36 20.1.1.2 gei-0/6/0/2
/*Configure BGP*/
PE1(config-bgp)#neighbor 1.2.3.29 ebgp-multihop ttl 8
PE1(config-bgp)#address-family ipv4 vrf vpn1
PE1(config-bgp-af)#redistribute ospf-int
PE1(config-bgp-af)#redistribute ospf-ext
7-43

PE1(config)#show running-config bgp
!<BGP>
router bgp 1
neighbor 1.2.3.29 ebgp-multihop ttl 8
address-family ipv4 vrf vpn1
redistribute ospf-int
redistribute ospf-ext
redistribute connected
$
$
$
!</BGP>
PE1(config)#show bgp vpnv4 unicast summary
Neighbor Ver As MsgRcvd MsgSend Up/Down(s) State/PfxRcd
1.2.3.29 4 2 180 187 01:32:00 0
/*Configure LDP*/
PE1(config)#mpls ldp instance 1
PE1(config-ldp)#interface gei-0/6/0/2
PE1(config-ldp-if)#exit
PE1(config-ldp)#router-id loopback1 force
PE1(config-ldp)#exit
PE1(config)#show running-config ldp
!<MPLS>
mpls ldp instance 1
router-id loopback1 force
$
!</MPLS>
PE1(config)#show mpls ldp neighbor detail instance 1
Peer LDP Ident: 1.2.3.29:0; Local LDP Ident 1.2.3.30:0
TCP connection: 1.2.3.29.646 - 1.2.3.30.1028
state: Oper; Msgs sent/rcvd: 113/135; Downstream
7-44

Up Time: 01:25:38
LDP discovery sources:
gei-0/6/0/2; Src IP addr: 20.1.1.2
Addresses bound to peer LDP Ident:
1.2.3.29 20.1.1.2 130.131.132.29

/*Configure an interface*/
PE2(config-if)#exit
PE2(config)#show running-config-interface loopback1
!<INTERFACE>
interface loopback1
ip address 1.2.3.29 255.255.255.255
!
!</INTERFACE>
PE2(config-if)#exit
!<INTERFACE>
no shutdown
ip address 20.1.1.2 255.255.255.0
!
!</INTERFACE>
7-45

PE2(config-if)#exit
!<INTERFACE>
no shutdown
description to vpn1
ip address 10.1.1.1 255.255.255.0
!
!</INTERFACE>
PE2(config)#show ip vrf brief
* Being deleted
Name Default RD Protocol Interfaces
vpn1 1:1 ipv4 gei-0/1/0/5
vpn2 1:2
mng < not set > mng1
/*Configure OSPF*/
PE2(config)#router ospf 16
PE2(config)#show running-config ospf
!<OSPF>
router ospf 16
network 1.2.3.29 0.0.0.0 area 0.0.0.0
network 20.1.1.0 0.0.0.255 area 0.0.0.0
!</OSPF>
PE2(config)#show ip ospf neighbor

1.2.3.30 1 FULL/DR 00:00:32 20.1.1.1 gei-0/1/0/4
/*Configure BGP*/
PE2(config-bgp)#neighbor 1.2.3.30 ebgp-multihop ttl 8
7-46

PE2(config)#show running-config bgp

!<BGP>
router bgp 2
neighbor 1.2.3.30 ebgp-multihop ttl 8
$
$
!</BGP>
PE2(config)#show bgp vpnv4 unicast summary
Neighbor Ver As MsgRcvd MsgSend Up/Down(s) State/PfxRcd
1.2.3.30 4 1 255 246 02:06:06 22
/*Configure LDP*/
PE2(config)#mpls ldp instance 1
PE2(config-ldp)#interface gei-0/1/0/4
PE2(config-ldp-if)#exit
PE2(config-ldp)#router-id loopback1 force
PE2(config-ldp)#exit
PE2(config)#show running-config ldp
!<MPLS>
mpls ldp instance 1
router-id loopback1 force
$
!</MPLS>
PE2(config)#show mpls ldp neighbor detail instance 1
Peer LDP Ident: 1.2.3.30:0; Local LDP Ident 1.2.3.29:0
TCP connection: 1.2.3.30.1028 - 1.2.3.29.646
state: Oper; Msgs sent/rcvd: 188/151; Downstream
Up Time: 01:58:43
LDP discovery sources:
gei-0/1/0/4; Src IP addr: 20.1.1.1
Addresses bound to peer LDP Ident:
1.2.3.30 158.1.1.1 158.158.158.158 123.12.23.2
17.1.1.1 50.1.1.1 12.1.1.2 20.1.1.1
70.1.1.1
Run the following command to configure a route-map and its applications:
7-47

/*Configure ACL in a route-map*/

PE2(config)#ipv4-access-list 2
PE2(config-ipv4-acl)#rule 1 permit 10.1.1.2 0.0.0.0
PE2(config-ipv4-acl)#exit
PE2(config)#show ipv4-access-lists name 2
ipv4-access-list 2
1/1 (showed/total)
rule 1 permit 10.1.1.2 0.0.0.0
/*Configure a route-map*/
PE2(config)#route-map test
PE2(config-route-map)#match ip address 2
PE2(config-route-map)#set vrf vpn2
PE2(config)#show route-map test
route-map test permit 10
match ip address 2
set vrf vpn2
/*Apply the route-map to gei-0/1/0/5 on PE2*/
PE2(config)#ip policy interface gei-0/1/0/5 route-map test
PE2(config)#show running-config pbr
!<PBR>
ip policy interface gei-0/1/0/5 route-map test
!</PBR>
After the neighbor relationship is established between PE1 and PE2, check the routes of
VPN1, which is displayed as follows:
PE1(config)#show ip protocol routing vrf vpn1
Routes of vpn:
status codes: *valid, >best, s-stale
Dest NextHop Intag Outtag RtPrf Protocol

*> 10.1.1.0/24 10.1.1.1 163845 notag 0 connected
*> 10.1.1.1/32 10.1.1.1 163844 notag 0 connected
*> 15.15.15.0/24 1.2.3.30 163914 163975 20 bgp-ext
*> 15.15.16.0/24 1.2.3.30 163913 163974 20 bgp-ext
*> 15.15.17.0/24 1.2.3.30 163912 163973 20 bgp-ext
*> 15.15.18.0/24 1.2.3.30 163911 163972 20 bgp-ext
*> 15.15.19.0/24 1.2.3.30 163910 163971 20 bgp-ext
*> 15.15.20.0/24 1.2.3.30 163909 163970 20 bgp-ext
*> 15.15.21.0/24 1.2.3.30 163908 163969 20 bgp-ext
*> 15.15.22.0/24 1.2.3.30 163907 163968 20 bgp-ext
*> 15.15.23.0/24 1.2.3.30 163906 163967 20 bgp-ext
7-48

*> 15.15.24.0/24 1.2.3.30 163905 163966 20 bgp-ext

*> 30.1.1.0/24 1.2.3.30 163903 163962 20 bgp-ext
*> 30.1.1.2/32 1.2.3.30 163904 163965 20 bgp-ext
Check the routes of VPN2, which is displayed as follows:

PE1(config)#show ip protocol routing vrf vpn2
Routes of vpn:
status codes: *valid, >best, s-stale
Dest NextHop Intag Outtag RtPrf Protocol
*> 14.14.14.0/24 1.2.3.30 163926 163993 20 bgp-ext
*> 14.14.15.0/24 1.2.3.30 163925 163992 20 bgp-ext
*> 14.14.16.0/24 1.2.3.30 163934 164001 20 bgp-ext
*> 14.14.17.0/24 1.2.3.30 163933 164000 20 bgp-ext
*> 14.14.18.0/24 1.2.3.30 163932 163999 20 bgp-ext
*> 14.14.19.0/24 1.2.3.30 163931 163998 20 bgp-ext
*> 14.14.20.0/24 1.2.3.30 163930 163997 20 bgp-ext
*> 14.14.21.0/24 1.2.3.30 163929 163996 20 bgp-ext
*> 14.14.22.0/24 1.2.3.30 163928 163995 20 bgp-ext
*> 14.14.23.0/24 1.2.3.30 163927 163994 20 bgp-ext
In this example, if a part of users in VPN1 on PE1 want to access the VPN2 network,
configure the match item for the route-map, configure the users according to the ACL rule,
and configure the set item for the route-map. Note that a private network route must exist
on PE1.
For example, users of network segment 10.1.1.2 want to access network segment
14.14.14.0/24, but users belong to vpn1 and network segment 14.14.14.0 belongs to
vpn2. In this case, run the show ip protocol routing vrf vpn2 command to check the route
of network segment 14.14.14.0, implement this operation by the remote VRF policy route,
and set the set item by running the vrf vpn2 command.
7-49

7-50

Figures
Figure 2-1 AAA Configuration Example Topology...................................................... 2-5
Figure 4-1 Time-Range Configuration Example......................................................... 4-7
Figure 4-2 Configuration Example of SQA Invoking a Time-Range ........................... 4-8
Figure 5-1 ACL Configuration Example Topology ...................................................... 5-5
Figure 6-1 Prefix-List Called by IP Multicast .............................................................. 6-6
Figure 6-2 Prefix-List Called by BGP....................................................................... 6-10
Figure 7-1 Configuration Example of the RIP Redistribution Routing Policy ............ 7-12
Figure 7-2 Configuration Example of an ISIS Routing Policy ................................... 7-15
Figure 7-3 Configuration Example of the OSPF Routing Policy ............................... 7-18
Figure 7-4 Configuration Example of the BGP Routing Policy ................................. 7-20
Figure 7-5 Configuration Example of the VRF Routing Policy.................................. 7-24
Figure 7-6 Next Hop of an Indirect-Connected IP Address ...................................... 7-32
Figure 7-7 Policy Routing Configuration Example One............................................ 7-34
Figure 7-8 Policy Routing Configuration Example Two ............................................ 7-38
Figure 7-9 Remote VRF Policy Routing Configuration Example .............................. 7-41

Figures
II

Glossary
AAA
- Authentication, Authorization and Accounting
ABR
- Area Border Router
ACL
- Access Control List
BGP
- Border Gateway Protocol
BSR
- Bootstrap Router
C/S
- Client/Server
DSCP
- Differentiated Services Code Point
FTP
- File Transfer Protocol
ICMP
- Internet Control Message Protocol
IGMP
- Internet Group Management Protocol
IGP
- Interior Gateway Protocol
IP
- Internet Protocol
IS-IS
- Intermediate System-to-Intermediate System
LSA
- Link State Advertisement
OSPF
- Open Shortest Path First
PIM-SM
- Protocol Independent Multicast - Sparse Mode
RADIUS
- Remote Authentication Dial In User Service
III

RP
- Rendezvous Point
SP
- Service Provider
TACACS+
- Terminal Access Controller Access-Control System Plus
TCP
- Transmission Control Protocol
ToS
- Type of Service
UDP
- User Datagram Protocol
URPF
- Unicast Reverse Path Forwarding
VRF
- Virtual Route Forwarding
IV

SJ-20130205142913-020-ZXR10 M6000 (V1.00.60) Carrier-Class Router Configuration Guide (Policy Template)

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

SJ-20130205142913-020-ZXR10 M6000 (V1.00.60) Carrier-Class Router Configuration Guide (Policy Template)

Hochgeladen von

Copyright:

Verfügbare Formate

ZXR10 M6000

Revision No. Revision Date Revision Reason

R2.2 2012-02-28 Fourth edition

R2.0 2012-07-20 Third edition

R1.1 2012-03-30 Second edition

R1.0 2011-12-10 First edition

Serial Number: SJ-20130205142913-020

Publishing Date: 2013-02-28 (R2.2)

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

Chapter 3 SAMGR Configuration .............................................................. 3-1

Chapter 5 ACL Configuration .................................................................... 5-1

Chapter 6 Prefix-List Configuration.......................................................... 6-1

Chapter 7 ROUTE-MAP Policy Configuration .......................................... 7-1

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

What Is in This Manual

1, Policy Template Overview Describes functions related to the policy templates.

2, AAA Configuration Describes the principle, configuration commands, maintenance

4, Time-Range Configuration Describes the principle, configuration commands, maintenance

5, ACL Configuration Describes the principle, configuration commands, maintenance

6, Prefix-List Configuration Describes the principle, configuration commands, maintenance

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

| Separates individual parameter in series of parameters.

Danger: indicates an imminently hazardous situation. Failure to comply can result in

Warning: indicates a potentially hazardous situation. Failure to comply can result in

Caution: indicates a potentially hazardous situation. Failure to comply can result in

Note: provides additional information about a certain topic.

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

The meaning of an AAA template is:

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

2.2 Configuring AAA

Step Command Function

1 ZXR10(config)#aaa-authentication-template <number> Selects an authentication template and

2 ZXR10(config-aaa-authen-template)#aaa-authentication Configures the authentication mode for the

3 ZXR10(config-aaa-authen-template)#authentication-ra Configures a RADIUS authentication group

4 ZXR10(config-aaa-authen-template)#authentication-t Configures a Terminal Access Controller

5 ZXR10(config-aaa-authen-template)#description Configures description information in

6 ZXR10(config)#aaa-authorization-template <number> Selects an authorization template and enters

7 ZXR10(config-aaa-author-template)#aaa-authorization-t Configures the authorization mode

8 ZXR10(config-aaa-author-template)#authorization-taca Configures a TACACS authorization group

9 ZXR10(config-aaa-author-template)#description Configures description information in

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

Step Command Function

10 ZXR10(config)#aaa-accounting-template <number> Selects an accounting template and enters

11 ZXR10(config-aaa-acct-template)#aaa-accounting-type Configures the accounting mode for

12 ZXR10(config-aaa-acct-template)#accounting-radius-gr Configures a RADIUS accounting group

13 ZXR10(config-aaa-acct-template)#description Configures description information in

14 ZXR10(config-aaa-acct-template)#accounting-tacacs- Configures the TACACS charging group

Parameter descriptions in Step 2 are as follows:

local Local authentication.

radius RADIUS remote authentication.

radius-none Perform the RADIUS authentication first. If RADIUS configuration is wrong or

tacacs TACACS remote authentication.

tacacs-none Perform the TACACS authentication first. If TACACS configuration is wrong or

SJ-20130205142913-020|2013-02-28 (R2.2) ZTE Proprietary and Confidential

Parameter descriptions in Step 7 are as follows:

mix-radius RADIUS hybrid authorization.

mix-tacacs TACACS hybrid authorization.

tacacs TACACS authorization. It is a user authorization mode when the

radius RADIUS authorization, no command authorization. It is the same as

Parameter descriptions in Step 11 are as follows:

radius RADIUS accounting.