NE40E V800R010C10SPC500 Feature Description - IP Services 01

ACLs Applied to a Filter Policy

About Filter Policy

A filter policy can use an ACL, an IP prefix, or a route-policy to filter routes during import or export.

Take OSPF as an example. As shown in the following figure, RTA has three routes: 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24.

If you do not want to advertise the routes to 10.1.1.0/24 and 10.1.2.0/24 on RTB, you can configure the following commands.

[RTB] acl 2000
[RTB-acl2000] rule 5 deny source 10.1.1.0 0.0.0.255
[RTB-acl2000] rule 10 deny source 10.1.2.0 0.0.0.255
[RTB-acl2000] rule 15 permit source any
[RTB] ospf 100
[RTB-ospf-100] filter-policy acl 2000 export
NOTE:
A filter-policy affects only the routes advertised to or received from neighbors, not the routes imported from one routing protocol into another. To import routes learned by other routing protocols, run the import-route command in the OSPF view.

Matching Principle of ACLs Applied to a Filter-policy

Figure 3-5 ACL matching procedure in a filter-policy

| ACL Rule Matching Result | Processing Result of Filter-policy |
| --- | --- |
| Route matches PERMIT rule | The route is imported or advertised |
| Route matches DENY rule | The route is not imported or advertised |
| There are rules in the ACL but no rule is matched | The route is not imported or advertised |
| The ACL does not exist | All routes are imported or advertised |
| The ACL exists but there is no rule in the ACL | No routes are imported or advertised |

If an Unsupported ACL Matching Option Is Applied to a Filter-policy

Only a numbered basic ACL (ACL number from 2000 to 2999) or a named ACL (ACL number from 42768 to 75535) can be applied to a filter-policy.

A numbered basic ACL or named ACL applied to a filter-policy supports only two matching options, source-address and time-range. Other options (such as destination-address and vpn-instance) are not supported.

If an unsupported matching option is configured in an ACL applied to a filter-policy, the matching result of that option is "permit".

Example 1

In the following configuration, all static routes are advertised to the BGP peer.

acl name example number 42768
 rule 5 deny ip destination 10.1.0.0 0.0.0.255
#
bgp 100
  ipv4-family unicast
  filter-policy acl-name example export
#

Example 2

In the following configuration, only the static route 20.1.0.0/24 can be advertised to the BGP peer. The "destination 10.1.0.0 0.0.0.255" option does not take effect.

acl name example number 42768
 rule 5 permit ip source 20.1.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
bgp 100
  ipv4-family unicast
  filter-policy acl-name example export
#

Example 3

In the following configuration, no route to 10.1.0.0/24 can be advertised to any BGP VPNv4 peer, regardless of which L3VPN the denied routes belong to. The "vpn-instance vpnb" option does not take effect.

acl number 2000
 rule 5 deny ip source 10.1.0.0 0.0.0.255 vpn-instance vpnb
 rule 10 permit
#
route-policy policy1 permit node 10
  if-match acl example
#
bgp 100
  ipv4-family vpnv4
  filter-policy 2000 export
#
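
The following audit script is an added example, not part of the Huawei document. It scans a configuration written in the format of Examples 1 to 3 and reports each filter-policy whose ACL does not exist, has no rules, or contains a matching option that the filter-policy ignores. The function name audit, the UNSUPPORTED set (limited to the two options this page names), and the sample configuration are assumptions made for illustration.

```python
import re

# Options the page names as unsupported (silently ignored) in a filter-policy ACL.
UNSUPPORTED = {"destination", "vpn-instance"}
# Constructed sample modelled on the page's Examples 2 and 3; ACLs 2001 and 2999 are made up.
SAMPLE = """\
acl name example number 42768
 rule 5 permit ip source 20.1.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
acl number 2000
 rule 5 deny ip source 10.1.0.0 0.0.0.255 vpn-instance vpnb
 rule 10 permit
acl number 2001
bgp 100
 ipv4-family unicast
  filter-policy acl-name example export
  filter-policy 2001 import
 ipv4-family vpnv4
  filter-policy 2000 export
  filter-policy 2999 import
"""

def audit(config):
    """Return findings for every ACL that a filter-policy line references."""
    acls, names, refs, current = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"acl (?:name (\S+) )?(?:number )?(\d+)$", line):
            current = acls.setdefault(m.group(2), [])
            names[m.group(1) or m.group(2)] = m.group(2)  # name (or number) -> ACL number
        elif line.startswith("rule ") and current is not None:
            current.append(line)
        elif m := re.match(r"filter-policy (?:acl-name (\S+)|(\d+)) (import|export)", line):
            refs.append((m.group(1) or m.group(2), m.group(3)))
        else:
            current = None  # any other line leaves the ACL view
    findings = []
    for ref, direction in refs:
        where = f"filter-policy {ref} {direction}"
        rules = acls.get(names.get(ref, ref))
        if rules is None:
            findings.append(f"{where}: ACL does not exist, all routes pass")
        elif not rules:
            findings.append(f"{where}: ACL has no rules, no routes pass")
        for rule in rules or []:
            if ignored := sorted(UNSUPPORTED.intersection(rule.split())):
                findings.append(f"{where}: '{rule}' ignores {', '.join(ignored)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The "all routes pass" and "no routes pass" findings correspond to the last two rows of the matching table above.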

What Does "Route Matches ACL Rule" Mean in a Filter-policy?

In a filter-policy, a route is considered to match an ACL rule if the route is within the network segment range defined by the rule's source address and wildcard mask.

For example, in the following configuration, the routes 10.1.1.0/24, 10.1.1.0/25, and 10.1.1.0/30 are within the segment range of 10.1.1.0/24. Therefore, these routes are considered to match the ACL rule. The route 10.1.1.0/16 is considered not to match the ACL rule because it is outside the segment range of 10.1.1.0/24.

acl number 2000
  rule 1 permit source 10.1.1.0 0.0.0.255
  rule 99 deny any
Updated: 2019-01-03

Document ID: EDOC1100055041
