
ZXR10 M6000-S

Carrier-Class Router

Configuration Guide (Policy Template)


Version: 3.00.10

ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://support.zte.com.cn
E-mail: support@zte.com.cn

LEGAL INFORMATION
Copyright 2014 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited.

Additionally, the contents of this document are protected by contractual confidentiality obligations.


All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided as is, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit the ZTE technical support website http://support.zte.com.cn to inquire for related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Revision No. | Revision Date | Revision Reason
R1.0 | 2014-10-20 | First edition.

Serial Number: SJ-20140731105308-017


Publishing Date: 2014-10-20 (R1.0)

SJ-20140731105308-017|2014-10-20 (R1.0)

ZTE Proprietary and Confidential

Contents
About This Manual
Chapter 1 Policy Template Overview
Chapter 2 AAA Configuration
    2.1 AAA Overview
    2.2 Configuring AAA
    2.3 AAA Configuration Instance
Chapter 3 SAMGR Configuration
Chapter 4 Time-Range Configuration
    4.1 Time-Range Overview
    4.2 Configuring a Time-Range
    4.3 Time-Range Configuration Examples
        4.3.1 Configuration Instance 1: Configuring a Time-Range
        4.3.2 Configuration Instance 2: ACL Calling a Time-Range
        4.3.3 Configuration Instance 3: SQA Calling a Time-Range
Chapter 5 ACL Configuration
    5.1 ACL Overview
    5.2 Configuring an ACL
    5.3 ACL Configuration Instance
Chapter 6 Prefix-List Configuration
    6.1 Prefix-List Overview
    6.2 Configuring a Prefix-List
    6.3 Prefix-List Configuration Instances
        6.3.1 Prefix-List Configuration Instance
        6.3.2 Prefix-List Called by IP Multicast
        6.3.3 Prefix-List Called by OSPF
        6.3.4 Prefix-List Called by BGP
        6.3.5 Prefix-List Called by a Route-Map
Chapter 7 ROUTE-MAP Policy Configuration
    7.1 Route-Map Overview
    7.2 Routing Policy Configuration
        7.2.1 Routing Policy Overview
        7.2.2 Configuring a Routing Policy
        7.2.3 Routing Policy Configuration Instances
    7.3 Policy Routing Configuration
        7.3.1 Policy Routing Overview
        7.3.2 Configuring Policy Routing
        7.3.3 Policy Routing Configuration Examples
Figures
Glossary

About This Manual


Purpose
This manual describes the principle, configuration commands and configuration examples
about policy templates of the ZXR10 M6000-S.

Intended Audience
This manual is intended for:
- Network planning engineers
- Commissioning engineers
- Maintaining engineers

What Is in This Manual
This manual contains the following chapters:

Chapter | Summary
1, Policy Template Overview | Describes functions related to the policy templates.
2, AAA Configuration | Describes the principle, configuration commands and configuration examples of the AAA.
3, SAMGR Configuration | Describes the SAMGR principle. For the configuration of SAMGR, refer to the ZXR10 M6000-S Carrier-Class Router Configuration Guide (Reliability).
4, Time-Range Configuration | Describes the principle, configuration commands and configuration examples of the time range.
5, ACL Configuration | Describes the principle, configuration commands and configuration examples of the ACL.
6, Prefix-List Configuration | Describes the principle, configuration commands and configuration examples of the prefix-list.
7, ROUTE-MAP Policy Configuration | Describes the ROUTE-MAP, related routing policies and policy routing principles, configuration commands and configuration examples of the route-map policy.

Conventions
This manual uses the following typographical conventions:
Typeface | Meaning
Italics | Variables in commands. It may also refer to other related manuals and documents.
Bold | Menus, menu options, function names, input fields, option button names, check boxes, drop-down lists, dialog box names, window names, parameters, and commands.
Constant width | Text that you type, program codes, filenames, directory names, and function names.
[] | Optional parameters.
{} | Mandatory parameters.
"|" | Separates individual parameters in a series of parameters.


Danger: indicates an imminently hazardous situation. Failure to comply can result in
death or serious injury, equipment damage, or site breakdown.
Warning: indicates a potentially hazardous situation. Failure to comply can result in
serious injury, equipment damage, or interruption of major services.
Caution: indicates a potentially hazardous situation. Failure to comply can result in
moderate injury, equipment damage, or interruption of minor services.
Note: provides additional information about a certain topic.


Chapter 1

Policy Template Overview

This manual describes the following policy template functions:
- Authentication, Authorization and Accounting (AAA) template
- Service Availability Manager (SAMGR)
- Time-range
- Access Control List (ACL)
- Internet Protocol (IP) prefix-list
- Route-map

The policy templates function only after being called by other services. Policy templates
can provide some policies and control mechanisms for other services, such as controlling
the authentication and authorization modes, and controlling service time-range.
When not called, the policy templates do not affect any services. The policy templates
can be called only when other services are interested in the policies provided by the policy
templates.
Once called, policy templates will function to make the services more flexible.

AAA Template
An AAA template provides templates for authentication, authorization and accounting.
The meaning of an AAA template is:
Several modes are available for any "A". To use an AAA template, configure the modes
in the AAA template first, and then apply the AAA template to the services so that the
services and the expected modes are associated.

SAMGR
In practical applications, a router provides multiple detection technologies. At the same
time, there are also many protection switching applications that need to monitor detection
results on a real-time basis to meet the requirements for availability in different network
structures. Therefore, the SAMGR is used to implement the linkage between various
detection technologies and services. The SAMGR can collect the results of various
availability detections to form a result set. Services that are concerned with the availability
can determine whether to take protection and switching measures in accordance with the
state of the result set.
In this way, services only need to be associated with the result list, instead of needing to
know the result of the availability detections.

Time-Range
A time-range provides a wake-up/sleep service for other services. A service can
subscribe to the state of a time-range list and use it as the criterion for starting the
service at a specified time. When the state of the time-range list changes, the service is
informed so that it can change its own state.

ACL
An ACL filters packets in accordance with the fields in the packets. The most common
fields are the quintuplet in a packet, including the source IP address, the destination IP
address, the protocol type, the source port number, and the destination port number.
There may be several rules in an ACL. Each rule describes a certain matching condition.
For a specified packet, an ACL checks the rules in order, starting from the first rule.
Once the packet matches a condition, the ACL takes the action (permit/deny) defined in
that rule. After an ACL is applied to a service, the permit/deny action is mapped to some
actions defined for the service, for example, policy routing that takes effect on the
forwarding plane.
An ACL is mostly applied to an interface that forwards packets, and used as the basis for
permitting or denying packets.

IP Prefix-List
In an IP prefix-list, the prefix of the specified routes can be permitted or denied. After the
prefix-list is used in a service, the matched prefixes are mapped to actions in the service
in accordance with the corresponding permit/deny action.

Route-map
The function of a route-map is to set a specified action for a specified feature.
- The match command is used to set a specified feature.
- The set command is used to set a specified action.

When the match command is used, an ACL template or a prefix-list template can be called.
The ACL template and the prefix-list template are advanced templates in which other
templates can be embedded in this document.


Chapter 2

AAA Configuration
Table of Contents
AAA Overview
Configuring AAA
AAA Configuration Instance

2.1 AAA Overview


All network Service Providers (SPs) have to ensure a reasonable usage of network
resources and user profit. AAA was developed to meet these requirements and provides
an effective platform to manage users.
- Authentication: Validates the identities of users before allowing them to use network
  resources.
- Authorization: Authorizes users to use network resources by using a specified
  method.
- Accounting: Charges and audits users through collecting and recording the usage of
  network resources.

The AAA function uses a client/server model.
- The client is a program operating on a router. The client is responsible for forming
  and sending data to the specified server, receiving response messages from the
  server, configuring data in accordance with the response of the server, and notifying
  the application to perform different operations.
- The server is an AAA server program operating on a remote PC. The server is
  responsible for receiving connection requests from users, authenticating user identity,
  and returning user configuration information.

Remote Authentication Dial In User Service (RADIUS) implements AAA. Currently, AAA
supports the RADIUS authentication, authorization and accounting. AAA also supports
Terminal Access Controller Access-Control System Plus (TACACS+) authentication,
authorization and accounting.
For example, a user wants to log in to a router through SSH. User identity needs to
be authenticated. The SSH program sends authentication information (user name,
and password) to the AAA server. The AAA server checks the received authentication
information by using the database, and determines whether the authentication can be
passed. Users can run commands with some privilege levels after the authentication is
passed.


2.2 Configuring AAA


To configure AAA is to configure a rule list. The AAA configuration includes authentication,
authorization, and accounting configuration. After the rule list is configured, users can
perform the authentication, authorization, and accounting operations in accordance with
the configured rule.
To configure AAA, perform the following steps:

Steps
1. Configure the authentication function.

   Step 1
   Command: ZXR10(config)#aaa-authentication-template <number>
   Function: Configures an authentication template and enters authentication configuration mode. The range of the number is 1-2128.

   Step 2
   Command: ZXR10(config-aaa-authen-template)#aaa-authentication-type {none|local|radius|local-radius|radius-local|radius-none|local-tacacs|tacacs|tacacs-local|tacacs-none|diameter}
   Function: Configures the authentication mode in the authentication template in authentication configuration mode.

   Step 3
   Command: ZXR10(config-aaa-authen-template)#authentication-radius-group <group-number>
   Function: Configures a RADIUS authentication group in authentication configuration mode. The RADIUS group should have been configured. The range of the group number is 1-2000.

   Step 4
   Command: ZXR10(config-aaa-authen-template)#authentication-tacacs-group <tacacs-name>
   Function: Configures a Terminal Access Controller Access-Control System (TACACS) authentication group in authentication configuration mode. The TACACS group should have been configured.

   Step 5
   Command: ZXR10(config-aaa-authen-template)#authentication-diameter-group <group-number>
   Function: Configures the DIAMETER authentication group in authentication configuration mode.

   Step 6
   Command: ZXR10(config-aaa-authen-template)#description <description>
   Function: Configures description information in authentication configuration mode. The description is 1-31 characters long.

   local-radius: The local authentication is used first. If the user does not exist, the RADIUS authentication is used. If local authentication is refused, the RADIUS authentication is not used.
   radius-local: The RADIUS authentication is used first. If RADIUS configuration is wrong or times out, the local authentication is used. If RADIUS authentication is refused, the local authentication is not used.
   radius-none: The RADIUS authentication is used first. If the RADIUS configuration is wrong or times out, no authentication is used.
   local-tacacs: The local authentication is used first. If the user does not exist, the TACACS authentication is used. If the local authentication is refused, the TACACS authentication is not used.
   tacacs: TACACS remote authentication is used.
   tacacs-local: The TACACS authentication is used first. If the TACACS configuration is wrong or times out, the local authentication is used. If the TACACS authentication is refused, the local authentication is not used.
   tacacs-none: The TACACS authentication is used first. If the TACACS configuration is wrong or times out, no authentication is used.
2. Configure the authorization function.

   Step 1
   Command: ZXR10(config)#aaa-authorization-template <number>
   Function: Configures an authorization template and enters authorization configuration mode. The range of the number is 1-2128.

   Step 2
   Command: ZXR10(config-aaa-author-template)#aaa-authorization-type {none|local|local-radius|local-tacacs|radius|radius-local|tacacs|tacacs-local}
   Function: Configures the authorization mode in the authorization template in authorization configuration mode.

   Step 3
   Command: ZXR10(config-aaa-author-template)#authorization-radius-group <group-number>
   Function: Configures a RADIUS authorization group in authorization configuration mode. The RADIUS group should have been configured. The range of the group number is 1-2000.

   Step 4
   Command: ZXR10(config-aaa-author-template)#authorization-tacacs-group <tacacs-name>
   Function: Configures a TACACS authorization group in authorization configuration mode. The TACACS group should have been configured.

   Step 5
   Command: ZXR10(config-aaa-author-template)#description <description>
   Function: Configures description information in authorization configuration mode. The description is 1-31 characters long.

   local-radius: The RADIUS authorization is used when there is no local authorization.
   local-tacacs: The TACACS authorization is used when there is no local authorization.
   radius-local: The local authorization is used when the RADIUS authorization times out.
   tacacs-local: The local authorization is used when the TACACS authorization times out.
3. Configure the accounting function.

   Step 1
   Command: ZXR10(config)#aaa-accounting-template <number>
   Function: Configures an accounting template and enters accounting configuration mode. The range of the number is 1-2128.

   Step 2
   Command: ZXR10(config-aaa-acct-template)#aaa-accounting-type {none | radius | tacacs}
   Function: Configures the accounting mode in an accounting template in accounting configuration mode.

   Step 3
   Command: ZXR10(config-aaa-acct-template)#accounting-radius-group first <group-number>[second <group-number>]
   Function: Configures a RADIUS accounting group in accounting configuration mode.

   Step 4
   Command: ZXR10(config-aaa-acct-template)#accounting-tacacs-group <tacacs-name>
   Function: Configures the TACACS accounting group in accounting configuration mode after the TACACS group is configured.

   Step 5
   Command: ZXR10(config-aaa-acct-template)#description <description>
   Function: Deletes description information in accounting configuration mode.

4. Verify the configurations.


   Command: ZXR10#show running-config aaa
   Function: Displays configuration related to AAA.

   Command: ZXR10#show aaa-authentication-template [<number>]
   Function: Displays configuration related to the authentication template.

   Command: ZXR10#show aaa-accounting-template [<number>]
   Function: Displays configuration related to the accounting template.

   Command: ZXR10#show aaa-authorization-template [<number>]
   Function: Displays configuration related to the authorization template.

End of Steps
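
The fallback rules of the authentication modes listed in step 1 can be modelled as a small decision function. The following Python sketch is an added example, not ZTE code: it encodes only the mode descriptions given above, leaves out the diameter mode (the manual gives no fallback rule for it), and assumes that the single-method modes local, radius and tacacs deny the login on anything other than an accept. It enumerates which modes can let a login proceed with no authentication at all.

```python
from enum import Enum
from itertools import product


class Outcome(Enum):
    ACCEPT = "accept"            # method checked the credentials and accepted them
    REJECT = "reject"            # method checked the credentials and refused them
    NO_USER = "no-user"          # local database has no such user
    UNAVAILABLE = "unavailable"  # server configuration wrong, or request timed out


class Decision(Enum):
    ACCEPT = "accept"
    DENY = "deny"
    NO_AUTH = "no-auth"          # login proceeds with no authentication at all


# mode -> (first method, fallback method, first-method outcome that triggers fallback)
COMBINED = {
    "local-radius": ("local", "radius", Outcome.NO_USER),
    "radius-local": ("radius", "local", Outcome.UNAVAILABLE),
    "radius-none": ("radius", "none", Outcome.UNAVAILABLE),
    "local-tacacs": ("local", "tacacs", Outcome.NO_USER),
    "tacacs-local": ("tacacs", "local", Outcome.UNAVAILABLE),
    "tacacs-none": ("tacacs", "none", Outcome.UNAVAILABLE),
}
SINGLE = ("local", "radius", "tacacs")
ALL_MODES = ["none", *SINGLE, *COMBINED]


def decide(mode, outcomes):
    """Return the Decision for one login; outcomes maps method name -> Outcome."""
    if mode == "none":
        return Decision.NO_AUTH
    if mode in SINGLE:
        # Assumption: a single-method mode denies on anything but an accept.
        return Decision.ACCEPT if outcomes[mode] is Outcome.ACCEPT else Decision.DENY
    first, fallback, trigger = COMBINED[mode]
    result = outcomes[first]
    if result is Outcome.ACCEPT:
        return Decision.ACCEPT
    if result is not trigger:
        # An explicit refusal by the first method never reaches the fallback.
        return Decision.DENY
    if fallback == "none":
        return Decision.NO_AUTH
    return Decision.ACCEPT if outcomes[fallback] is Outcome.ACCEPT else Decision.DENY


def fail_open_modes():
    """Modes for which some combination of outcomes ends in NO_AUTH."""
    found = []
    for mode in ALL_MODES:
        for combo in product(Outcome, repeat=len(SINGLE)):
            if decide(mode, dict(zip(SINGLE, combo))) is Decision.NO_AUTH:
                found.append(mode)
                break
    return sorted(found)


def outage_table(local_outcome):
    """Decision of every mode while both remote servers are unreachable."""
    outcomes = {
        "local": local_outcome,
        "radius": Outcome.UNAVAILABLE,
        "tacacs": Outcome.UNAVAILABLE,
    }
    return {mode: decide(mode, outcomes).value for mode in ALL_MODES}


if __name__ == "__main__":
    print("modes that can skip authentication:", fail_open_modes())
    for mode, decision in outage_table(Outcome.REJECT).items():
        print(f"{mode:13s} remote servers down, local refuses -> {decision}")
```
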

2.3 AAA Configuration Instance


Configuration Description
AAA is authentication, authorization and accounting. On a ZXR10 device, an
authentication template, an authorization template and an accounting template can be
configured respectively. In an authentication template, there are multiple authentication
modes: TACACS+, RADIUS, LOCAL, none and their combinations. In an authorization
template, there are multiple authorization modes: LOCAL, none, TACACS, RADIUS
and their combinations. In an accounting template, there are three accounting modes:
TACACS, RADIUS and none.
As shown in Figure 2-1, the authentication mode and authorization mode are TACACS+,
and the accounting mode is RADIUS.
Figure 2-1 AAA Configuration Instance Topology

1. Configure an authentication template, an authorization template and an accounting
template.
In the authentication template, there are multiple authentication modes: TACACS+,
RADIUS, LOCAL, NONE and their combinations. Among the authentication modes,
radius-local and RADIUS are preferred. When the RADIUS has no response, use the
LOCAL mode.
After the modes are configured in the templates, it is necessary to configure the server
groups that correspond to the modes in the templates (it is unnecessary to configure
the server groups for the LOCAL mode and the NONE mode).
2. Configure a subscriber management authentication template and a subscriber
management authorization template. Bind the AAA templates to the subscriber
management templates. When subscribers log in, authentication and authorization
will be performed according to the AAA configuration. If AAA is not used in subscriber
management, AAA does not function when subscribers log in.

Configuration Flow
1. Determine the authentication, authorization and accounting modes that will be used.
Before AAA templates are configured, it is necessary to create the server groups
corresponding to the modes first. (For example, the TACACS+ authentication mode is
used in this example, so it is necessary to create a TACACS+ server group first.
Otherwise, when the authentication/authorization/accounting server is configured for
the specified mode in an AAA template, the system will prompt that the server group
does not exist.)
2. The AAA templates are configured individually, so other services can use these
templates. Configure the templates (authentication/authorization/accounting), and
specify sequence numbers for the templates.
3. Configure the modes in the templates. If the modes are related to TACACS+ or
RADIUS, it is necessary to specify server groups for the modes.
4. After the AAA templates are configured and when other services call the templates, the
AAA templates function.

Configuration Command
Run the following commands on ZXR10:
/*Enable the TACACS+ service on the device. Configure the TACACS+ server group
that will be used by the authentication template and the authorization template.
(For details, please refer to the TACACS chapter.)*/
ZXR10(config)#tacacs enable
ZXR10(config)#tacacs-server host 10.1.1.1 key zte
ZXR10(config)#tacplus group-server ztegroup
ZXR10(config-sg)#server 10.1.1.1
ZXR10(config-sg)#exit

/*radius configuration*/
ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 master key zte
ZXR10(config-authgrp-1)#algorithm round-robin
ZXR10(config-authgrp-1)#max-retries 3
ZXR10(config-authgrp-1)#timeout 30
ZXR10(config-authgrp-1)#deadtime 0
ZXR10(config-authgrp-1)#exit

ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type tacacs-local
ZXR10(config-aaa-authen-template)#authentication-tacacs-group ztegroup
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type local-tacacs
ZXR10(config-aaa-author-template)#authorization-tacacs-group ztegroup
ZXR10(config-aaa-author-template)#exit
ZXR10(config)#aaa-accounting-template 1
ZXR10(config-aaa-acct-template)#aaa-accounting-type radius
ZXR10(config-aaa-acct-template)#accounting-radius-group first 1
ZXR10(config-aaa-acct-template)#exit

Configuration Verification
The AAA configuration is shown below.
ZXR10(config)#show running-config aaa
!<AAA>
aaa-authentication-template 2001
aaa-authentication-type tacacs-local
authentication-tacacs-group ztegroup
!



aaa-authorization-template 2001
aaa-authorization-type local-tacacs
authorization-tacacs-group ztegroup
!
aaa-accounting-template 1
aaa-accounting-type radius
accounting-radius-group first 1
!
!</AAA>
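
The verification output above can also be checked mechanically. The following Python script is an added example, not part of the ZTE manual: it parses `show running-config aaa` text, flags authentication templates whose mode can skip authentication (none, radius-none, tacacs-none), accounting templates set to none, and RADIUS/TACACS modes that have no matching server group line in the template. The second sample (templates 2002 and 2) is constructed for illustration and does not come from the manual.

```python
import re

# Output of "show running-config aaa" as printed in this section.
PAGE_OUTPUT = """\
!<AAA>
aaa-authentication-template 2001
aaa-authentication-type tacacs-local
authentication-tacacs-group ztegroup
!
aaa-authorization-template 2001
aaa-authorization-type local-tacacs
authorization-tacacs-group ztegroup
!
aaa-accounting-template 1
aaa-accounting-type radius
accounting-radius-group first 1
!
!</AAA>
"""

# Constructed sample (not from the manual) with deliberately weak settings.
CONSTRUCTED = """\
!<AAA>
aaa-authentication-template 2002
aaa-authentication-type radius-none
!
aaa-authorization-template 2002
aaa-authorization-type radius-local
authorization-tacacs-group ztegroup
!
aaa-accounting-template 2
aaa-accounting-type none
!
!</AAA>
"""

FAIL_OPEN = {"none", "radius-none", "tacacs-none"}
HEADER = re.compile(r"^aaa-(authentication|authorization|accounting)-template\s+(\d+)$")


def parse_templates(text):
    """Split the running-config text into one dict per AAA template."""
    templates, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = {"kind": header.group(1), "number": int(header.group(2)),
                       "type": None, "groups": set()}
            templates.append(current)
        elif line.startswith("!"):
            current = None               # "!" closes the current template block
        elif current is not None:
            words = line.split()
            kind = current["kind"]
            if words[0] == f"aaa-{kind}-type" and len(words) > 1:
                current["type"] = words[1]
            else:
                group = re.match(rf"^{kind}-(radius|tacacs)-group$", words[0])
                if group:
                    current["groups"].add(group.group(1))
    return templates


def audit(text):
    """Return (template label, issue code) pairs for the settings worth reviewing."""
    findings = []
    for tpl in parse_templates(text):
        label = f"{tpl['kind']} template {tpl['number']}"
        mode = tpl["type"]
        if mode is None:
            continue
        if tpl["kind"] == "authentication" and mode in FAIL_OPEN:
            findings.append((label, "fail-open"))
        if tpl["kind"] == "accounting" and mode == "none":
            findings.append((label, "no-accounting"))
        for proto in ("radius", "tacacs"):
            # A mode that names RADIUS or TACACS needs the matching server group.
            if proto in mode.split("-") and proto not in tpl["groups"]:
                findings.append((label, f"missing-{proto}-group"))
    return findings


if __name__ == "__main__":
    for name, sample in (("page output", PAGE_OUTPUT), ("constructed", CONSTRUCTED)):
        print(name, audit(sample) or "no findings")
```
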


Chapter 3

SAMGR Configuration
For SAMGR principle and configuration, refer to the ZXR10 M6000-S Configuration Guide
(Reliability).


Chapter 4

Time-Range Configuration
Table of Contents
Time-Range Overview
Configuring a Time-Range
Time-Range Configuration Examples

4.1 Time-Range Overview


Time-Range Introduction
A time-range provides a wake-up/sleep service for other services. A user can
configure multiple time-ranges. Each time-range has its own name. In a time-range,
multiple periodic time segments and one absolute time segment can be defined.
A time-range takes effect in the following situations:
- Only an absolute time segment is configured, and the current system time is in the
  absolute time segment.
- Only a periodic time segment is configured. No matter how many periodic time
  segments are configured, the time-range is effective if the current system time
  corresponds to any periodic time segment.
- Both absolute and periodic time segments are configured. The time-range is effective
  only when the current system time corresponds to both the absolute time segment and
  any periodic time segment.
- A time-range list is configured, but no time segment is added. For an empty
  time-range list, the state is always active.

An application can subscribe to some time-range from a time-range module. When the
state of the time-range changes, the time-range module will inform the application module
of the current state of the time-range, including active and inactive.
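
The four activation rules above can be written as one state function. The following Python sketch is an added example, not ZTE code: the class and function names are hypothetical, each periodic segment is assumed to be a same-day window on the listed days, and segment boundaries are assumed to be inclusive. It also shows the case an ACL or other caller should watch for: a time-range with no segments is always active.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
KEYWORDS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def expand_days(words):
    """Turn day names and the keywords daily/weekdays/weekend into weekday numbers."""
    days = set()
    for word in words:
        word = word.lower()
        if word in KEYWORDS:
            days |= KEYWORDS[word]
        else:
            days.add(DAYS.index(word))
    return days


@dataclass
class Periodic:
    days: set      # weekday numbers, Monday = 0
    start: time
    end: time

    def matches(self, now):
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic: list = field(default_factory=list)

    def has_absolute(self):
        return self.absolute_start is not None or self.absolute_end is not None

    def is_active(self, now):
        if not self.has_absolute() and not self.periodic:
            return True                       # empty time-range: always active
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now > self.absolute_end:
            return False
        if self.periodic:                     # must also match any periodic segment
            return any(seg.matches(now) for seg in self.periodic)
        return True                           # absolute segment only


def transitions(tr, start, stop, step=timedelta(seconds=5)):
    """State changes seen by a poll every `step` (5 s, as the time-range server does)."""
    changes, state, now = [], tr.is_active(start), start + step
    while now <= stop:
        new_state = tr.is_active(now)
        if new_state != state:
            changes.append((now, new_state))
            state = new_state
        now += step
    return changes


if __name__ == "__main__":
    # Constructed sample: office hours on weekdays during October 2014.
    office = TimeRange(
        "office-hours",
        absolute_start=datetime(2014, 10, 1, 0, 0, 0),
        absolute_end=datetime(2014, 10, 31, 23, 59, 45),
        periodic=[Periodic(expand_days(["weekdays"]), time(9, 0, 0), time(18, 0, 0))],
    )
    print(office.is_active(datetime(2014, 10, 20, 10, 0, 0)))   # Monday inside both
    print(office.is_active(datetime(2014, 10, 25, 10, 0, 0)))   # Saturday
    print(TimeRange("empty").is_active(datetime(2014, 10, 25, 3, 0, 0)))
```
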

Time-Range Features
The time-range subsystem uses the Client/Server (C/S) structure.
- The main functions of the time-range server are time-range configuration management,
  time management, state broadcast, and data synchronization.
- The client is responsible for managing the registrations of application modules,
  receiving the time-range state broadcast by the server, and informing the applications
  that the time-range state is changed. To provide time-range state index, the client
  also needs to maintain a table for saving all configured time-ranges and the states.

In time-range time management, the system time is used as the reference time for setting
a timer. The states of all time-ranges are checked periodically (once every 5 seconds).
Because the state of a time-range is scanned once every 5 seconds, the state of the
time-range could change frequently while a time segment is being configured, which is
unfavourable to stability. Therefore, it is necessary to use the operation area and
working area mode. A user can modify the data in the operation area when configuring
the time-range. After finishing the configuration, the user can exit the configuration
mode and synchronize the data from the operation area to the working area. During time
segment calculation, only the configuration in the working area is read.
An application module quotes a time-range name directly and obtains the current state
from the client.
1. The server informs the client of all time-range tables and states. Later, it
inspects the time-range states and informs the client of the states periodically.
2. The client informs the application modules in turn after receiving the notifications. The
application modules perform the corresponding operations in accordance with their
actual requirements.

4.2 Configuring a Time-Range


The time-range function provides other application modules with the wake-up and sleep
service.
To configure the time-range function, perform the following steps:

Steps
1. Configure a time-range.
Step

Command

Function

ZXR10(config)#time-range enable

Enables the time-range


function and initializes the
related data.

ZXR10(config)#time-range <time-range-name>

Creates and names a


time-range, and enters
time-range configuration
mode.

ZXR10(config-tr-name)#absolute {[start

Configures an absolute time

<start-time><start-date>],[end <end-time><end-date>]}

segment rule for the current


time-range.A time-range only
can have an absolute time
segment.

4-2
SJ-20140731105308-017|2014-10-20 (R1.0)

ZTE Proprietary and Confidential

Chapter 4 Time-Range Configuration

Step

Command

Function

ZXR10(config-tr-name)#periodic [days-of-week]<hh:m

Configures a periodic time

m:ss> to [days-of-week]<hh:mm:ss>

segment for the current


time-range. A time-range
can have many periodic time
segments.

<start-time>: The start time of an absolute time. The format of the start time is
hh:mm:ss, and the second must be a multiple of 15.
<start-date>: The start date of an absolute time. The format of the start date is
mm-dd-yyyy, and the year ranges from 2001 to 2037.
<end-time>: The end time of an absolute time. The format of the end time is
hh:mm:ss, and the second must be a multiple of 15.
<end-date>: The end date of an absolute time. The format of the end date is
mm-dd-yyyy, and the year ranges from 2001 to 2037.
<hh:mm:ss>: Hour: minute: second. The second must be a multiple of 15.
<days-of-week>: Specifies one or more days of the week. It can be Monday, Tuesday,
Wednesday, Thursday, Friday, Saturday, Sunday, daily, weekend (Saturday and
Sunday) or weekdays (Monday to Friday).
2. Verify the configurations.

Command: ZXR10#show time-range <time-range-name>
Output: Displays the state information of a time-range.

Command: ZXR10#show time-range
Output: Displays the state information of all time-ranges.

3. Maintain the time-range.

Command: ZXR10#time-range disable [clear]
Output: Disables the time-range function, and clears the configuration.

Command: ZXR10#debug time-range [change-to {inactive | active}]
Output: Displays the system time, time-range name, state before change and state after change when the state of a time-range changes.

Command: ZXR10#show debug time-range
Output: Displays the TimeRange list when the TimeRange status is changed.

End of Steps

4.3 Time-Range Configuration Examples


4.3.1 Configuration Instance 1: Configuring a Time-Range
Configuration Description
1. A maximum of 2048 time-ranges can be configured on a device. A maximum of 24 time
segments can be configured in a time-range.
2. There are two types of time segments: absolute time segments and periodic time
segments. An absolute time segment consists of a specified time and a specified
date. A periodic time segment consists of a specified time and some day of a week.
A periodic time segment repeats every week.
3. Absolute and periodic time segments can be configured in time-ranges as
required. Note that a time-range can contain only one absolute time segment,
but several periodic time segments.
4. A time-range takes effect in the following situations.
- Only an absolute time segment is configured, and the current system time is in
the absolute time segment.
- Only periodic time segments are configured. No matter how many periodic time
segments are configured, the time-range is effective if the current system time
corresponds to any periodic time segment.
- Both absolute and periodic time segments are configured. The time-range is
effective only when the current system time corresponds to both the absolute time
segment and any periodic time segment.
- A time-range is created but no time segment is configured. An empty
time-range is always active.

Configuration Flow
In this example, a time-range named test is configured. It contains one absolute
time segment, from 9:30 A.M. on 2011-01-14 to 9:30 A.M. on 2011-01-15, and two
periodic time segments: one from 8:00 A.M. to 8:30 A.M. every day, and the other
from 0:00 A.M. every Saturday to 10:00 P.M. every Sunday.
According to the third rule for when a time-range takes effect, the effective time of
the time-range is the intersection of the absolute time segment with the periodic time
segments. When the system time is within this intersection, the time-range takes effect.
According to the configurations, the result of the time-range is described below.
From 8:00 A.M. to 8:30 A.M. on 2011-01-15 (Friday), and from 0:00 A.M. every Saturday
to 10:00 P.M. every Sunday, the state of the time-range is active. The first time intersection
is included in the second time intersection, which does not affect the time-range taking
effect.
The configuration procedure is described below.
1. Enable the time-range function and configure a time-range.


2. Determine the times to trigger the service and configure the time segments in the
time-range.
3. Confirm the system time of the rack and make sure that the reference time of the
time-range is correct.

Configuration Command
1. Enable the time-range function and configure a time-range.
R2(config)#time-range enable
R2(config)#time-range test
R2(config-tr-test)#

2. Configure time segments.


R2(config-tr-test)#?
absolute  Specify an absolute entry
end       Exit to privilege mode
exit      Exit from time range configuration mode
no        Negate a command or set its defaults
periodic  Specify a periodic entry
ping      Send echo messages
ping6     Send IPv6 echo messages
show      Show running system information
trace     Trace route to destination
trace6    Trace route to destination using IPv6

R2(config-tr-test)#absolute ?
end End point of the time range
start Begin point of the time range
/*Configure an absolute time segment. Configure the start time and end time
according to demand. This means that the time-range is effective in a
specific time on a specific date. (You can configure the start time
only, which means that the time-range is always effective from the start
time. You can also configure the end time only, which means that the
time-range is not effective from the end time.)*/

R2(config-tr-test)#absolute start ?
hh:mm:ss Starting time
R2(config-tr-test)#absolute start 9:30:00 ?
mm-dd-yyyy Starting date (year: 2001-2037)
R2(config-tr-test)#absolute start 9:30:00 1-14-2011 ?
end End point of the time range
<cr>
R2(config-tr-test)#absolute start 9:30:00 1-14-2011 end ?
hh:mm:ss Ending time
R2(config-tr-test)#absolute start 9:30:00 1-14-2011 end 9:30:00 1-15-2011
/*Configure an absolute time segment. The effective time is from 9:30 A.M. on
2011-01-14 to 9:30 A.M. on 2011-01-15. According to the first rule for when a
time-range takes effect, the time-range is effective in this absolute
time segment. If there are other time segments in this time-range, so long as
the absolute time segment has a time intersection with any periodic time segment
in the time-range, the time-range is effective during the time intersection.*/

R2(config-tr-test)#periodic ?
daily From Monday to Sunday
friday Friday
monday Monday
saturday Saturday
sunday Sunday
thursday Thursday
tuesday Tuesday
wednesday Wednesday
weekdays From Monday to Friday
weekend Saturday and Sunday
/*Configure periodic time segments. In a periodic time segment, a specific
date is not configured. Instead, some day of a week is configured, or daily,
weekdays or weekend can be configured.*/

R2(config-tr-test)#periodic daily ?
hh:mm:ss Starting time
R2(config-tr-test)#periodic daily 8:00:00 ?
to The ending point of the time range
R2(config-tr-test)#periodic daily 8:00:00 to 8:30:00 ?
<cr>
R2(config-tr-test)#periodic daily 8:00:00 to 8:30:00
/*Configure a periodic time segment. The effective time segment is from
8:00 A.M. to 8:30 A.M. every day.*/

R2(config-tr-test)#periodic saturday 00:00:00 to ?
hh:mm:ss Ending time
sunday Sunday
/*Configure another periodic time segment. The start time is Saturday, and
the end time is the unique day after Saturday in a week, that is, Sunday.*/

R2(config-tr-test)#periodic saturday 00:00:00 to sunday 22:00:00
/*Configure another periodic time segment. The effective time is from 0:00 A.M.
every Saturday to 10:00 P.M. every Sunday.*/
R2(config-tr-test)#exit
/*After the configurations are completed, exit from time-range configuration mode
and continue other configurations.*/

3. Confirm whether the system time is correct.


R2(config)#show clock
09:37:09 UTC Fri Jan 14 2011
R2(config)#
/*The system time is the reference time of the time-range. When the system time
is in the effective range of the time-range, the time-range takes effect.
So, make sure that the system time is correct.*/

Configuration Verification
1. Check the configuration result of the time-range.
R2(config)#show running-config time-range
!<TR>
time-range enable
time-range test
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00
$
!</TR>
R2(config)#
/*The displayed information is the same as that configured. There is one absolute
time segment and two periodic time segments.*/

2. Check the time-range. When the system time is not in the time segments, the state of
the time-range is inactive.
R2(config)#show time-range test
Current time is 09:38:20 01-14-2011 Friday
time-range test <inactive>
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00

3. Check the time-range. When the system time is in the time segments, the state of
the time-range is active.
R2(config)#show time-range test
Current time is 03:59:33 01-15-2011 Saturday
time-range test <active>
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00
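
The four activation rules from the Configuration Description, applied to the configuration above and checked against the two show time-range outputs. This is an added Python sketch, not ZTE code; the function names and the half-open treatment of segment boundaries (start included, end excluded) are assumptions.

```python
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"daily": DAYS, "weekdays": DAYS[:5], "weekend": DAYS[5:]}

# Constructed input: the segment lines printed by `show running-config time-range`.
CONFIG_TEST = """\
absolute start 09:30:00 01-14-2011 end 09:30:00 01-15-2011
periodic daily 08:00:00 to 08:30:00
periodic saturday 00:00:00 to sunday 22:00:00
"""


def parse_clock(text):
    """Parse hh:mm:ss; the guide requires seconds to be a multiple of 15."""
    t = datetime.strptime(text, "%H:%M:%S").time()
    if t.second % 15:
        raise ValueError(f"seconds must be a multiple of 15: {text}")
    return t


def parse_stamp(clock, date):
    """Parse '<hh:mm:ss> <mm-dd-yyyy>'; the guide limits the year to 2001-2037."""
    day = datetime.strptime(date, "%m-%d-%Y").date()
    if not 2001 <= day.year <= 2037:
        raise ValueError(f"year out of range 2001-2037: {date}")
    return datetime.combine(day, parse_clock(clock))


def week_offset(day_index, t):
    """Seconds elapsed since Monday 00:00:00."""
    return day_index * 86400 + t.hour * 3600 + t.minute * 60 + t.second


def parse_periodic(tokens):
    """periodic [days-of-week] <hh:mm:ss> to [days-of-week] <hh:mm:ss>"""
    to = tokens.index("to")
    start_days, start_t = tokens[:to - 1], parse_clock(tokens[to - 1])
    end_part = tokens[to + 1:]
    end_day = end_part[0] if len(end_part) == 2 else None
    end_t = parse_clock(end_part[-1])
    days = [d for name in start_days for d in GROUPS.get(name, [name])]
    if not days:
        raise ValueError("periodic segment without a day keyword")
    spans = []
    for d in days:
        last = DAYS.index(end_day) if end_day else DAYS.index(d)
        spans.append((week_offset(DAYS.index(d), start_t), week_offset(last, end_t)))
    return spans


def parse_time_range(config):
    """Return (absolute, periodic): absolute is (start, end) or None."""
    absolute, periodic = None, []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "absolute":
            start = end = None
            if "start" in tok:
                i = tok.index("start")
                start = parse_stamp(tok[i + 1], tok[i + 2])
            if "end" in tok:
                i = tok.index("end")
                end = parse_stamp(tok[i + 1], tok[i + 2])
            absolute = (start, end)
        elif tok[0] == "periodic":
            periodic += parse_periodic(tok[1:])
    return absolute, periodic


def is_active(absolute, periodic, now):
    """Rules 1-4: a missing segment type does not restrict; an empty range is active."""
    in_abs = True
    if absolute:
        start, end = absolute
        in_abs = (start is None or start <= now) and (end is None or now < end)
    in_per = True
    if periodic:
        off = week_offset(now.weekday(), now.time())
        in_per = any(s <= off < e if s <= e else (off >= s or off < e)
                     for s, e in periodic)
    return in_abs and in_per


def state(config, now):
    absolute, periodic = parse_time_range(config)
    return "active" if is_active(absolute, periodic, now) else "inactive"


if __name__ == "__main__":
    for when in (datetime(2011, 1, 14, 9, 38, 20), datetime(2011, 1, 15, 3, 59, 33)):
        print(when, state(CONFIG_TEST, when))
```

Because the absolute and periodic segments are combined by intersection, a time that lies inside the Saturday-to-Sunday segment but after the absolute end (for example 10:00:00 on 01-15-2011) evaluates as inactive.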

4.3.2 Configuration Instance 2: ACL Calling a Time-Range


Configuration Instance
In a time-range, the active time segments of the time-range can be configured. The active
state of a time-range by itself has no effect on any user operation. Therefore, it is
necessary to bind a time-range to an ACL so that the time-range limits the time segment
during which the ACL can take effect.
For example, in a company, the staff are not allowed to access the Internet
during working hours, and after working hours, the staff are allowed to access the
Internet. In this situation, a time segment can be configured. During working hours,
any request sent from inside the company is denied, and requests in other hours are
permitted.
As shown in Figure 4-1, assume that PC1 sends TELNET requests to R1 through R2.
However, R1 only wants to receive the login requests of PC1 in a certain time segment.
So, a time-range can be created and bound to an ACL, and this ACL is bound in the
inbound direction on gei-0/1/0/3. In this way, TELNET packets from PC1 can be filtered in
the specific time segment (the ACL can also be bound in the outbound direction on
gei-0/1/0/2).
Figure 4-1 Time-Range Configuration Instance

It is only necessary to configure one time-range and bind it to an ACL. In the ACL, configure
the following rule: packets that match the PC1 IP address, whose protocol type
is Transmission Control Protocol (TCP) and whose port type is TELNET, are denied in
the specific time segment. Then, bind this ACL in the inbound direction on gei-0/1/0/3 or
in the outbound direction on gei-0/1/0/2.
After the configuration, the ACL takes effect only in the specific time segment of the
time-range. In this time segment, PC1 cannot log in to R1. After the active time segment
of the time-range, PC1 can log in to R1.

Configuration Flow
1. Create a time-range. Users can define a name for the time-range when creating it.
The name supports 31 characters at most.
2. Enter time-range configuration mode and add a time segment.
3. Bind the time-range to the corresponding ACL according to demand. The ACL will
take effect in the time segment.

Configuration Command
The configuration of R2 is described below.
1. Create a time-range.
R2(config)#time-range enable
/*Enable the time-range function. If the time-range function is not enabled, the
time-range cannot be created.*/
R2(config)#time-range test
R2(config-tr-test)#
/*Create a time-range named test.*/

2. Add a time segment to the time-range.


R2(config-tr-test)#periodic daily 09:00:00 to 17:00:00
/*The time-range is active from 09:00:00 to 17:00:00 every day.*/
R2(config-tr-test)#exit

3. Bind the time-range to an ACL.


R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 eq telnet
30.20.10.1 0.0.0.0 time-range test
R2(config-ipv4-acl)#rule 2 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group interface gei-0/1/0/3 ingress test
/*The time-range is bound successfully. The ACL only takes effect when the
time-range is active.*/

Configuration Verification
View the time-range information, including the current system time, the time-range name, the
time segments and the time-range state (active or inactive).
R2(config)#show time-range
Current time is 08:36:03 10-26-2012 Friday
time-range test <inactive>
periodic daily 09:00:00 to 17:00:00

View the information of a specified time-range.


R2(config)#show time-range test
Current time is 08:37:28 10-26-2012 Friday
time-range test <inactive>
periodic daily 09:00:00 to 17:00:00

4.3.3 Configuration Instance 3: SQA Calling a Time-Range


Configuration Description
In a subscriber login control situation, it is intended to perform RADIUS authentication for
the subscribers who log in to the ZXR10 M6000-S. The ZXR10 M6000-S operates as a
client sending authentication requests, and it communicates with the RADIUS server. To
ensure that the RADIUS authentication service runs properly, it is necessary to verify the
connectivity between ZXR10 M6000-S and the RADIUS server. The connectivity can be
verified by using Internet Control Message Protocol (ICMP) type SQA. The SQA detection
time can be controlled through a time-range.
The network topology of this example is shown in Figure 4-2.

Figure 4-2 SQA Calling a Time-Range

Configuration Flow
Configure an SQA instance whose type is ICMP. The SQA detection time can be controlled
through a time-range.
1. Configure a time-range and configure a time segment according to demand.
2. Configure an SQA instance. Set the SQA detection type to ICMP.
3. Set the SQA detection start time to be controlled through the specific time-range.

Configuration Command
1. Configure a time-range and configure a time segment according to demand.
R2(config)#show clock
10:20:47 UTC Thu Jan 13 2011

R2(config)#time-range enable
R2(config)#time-range 1
R2(config-tr)#absolute start 10:30:00 1-13-2011
R2(config-tr)#exit

2. Configure an SQA instance. Set the SQA detection type to ICMP.


R2(config)#sqa-test 1
R2(config-sqa)#type-icmp vrf zte 169.1.109.130
R2(config-sqa)#

3. Set the SQA detection start time to be controlled through the specific time-range.
R2(config-sqa)#sqa-begin timerange 1 once
R2(config-sqa)#exit

Note:
SQA detection by using a time-range can only be triggered once. No matter how many
effective time segments there are in the time-range, only the first effective time segment
triggers the detection; that is the meaning of "once" in this command. The following
effective time segments of the time-range will not trigger SQA detection. Configure the start
time of SQA detection.
If the specific time-range is null, this is equivalent to "now" and SQA detection will start
immediately.

Configuration Verification
Run the show sqa-test command to view the configuration result.
R2(config)#show sqa-test 1
test number:1
test type: ICMP
vrf:zte
destination IP:169.1.109.130
repeat:1
tos: 0
ttl: 255
size: 36
inte-time:100
send trap:disable
timerange name: 1

When the time-range has not yet taken effect, run the show sqa-result command. The
information is displayed below.
R2(config)#show clock
10:22:41 UTC Thu Jan 13 2011
R2(config)#show sqa-result icmp

When the time-range is effective, run the show sqa-result command. The information is
displayed below.
R2#show sqa-result icmp
icmp test[1] result
SendPackets:1
ResponsePackets:0
Completion:success
Destination IP Address: 169.1.109.130
Min/Max/Avg/Sum RTT:0/0/0/0ms
Min/Max/Avg/Sum Positive Jitter:0/0/0/0ms
Min/Max/Avg/Sum Negative Jitter:0/0/0/0ms
Min/Max/Avg/Sum Jitter:0/0/0/0ms
Packet loss rate:100%
Last Probe Time:2012-9-13 10:30:4

The meaning of the above output is as follows: Detection was performed at
10:30:04 A.M. on 2012-09-13. ZXR10 sent an ICMP echo request to the host whose
address is 169.1.109.130, and there was no response.
The possible reasons why no response was received are as follows: the IP address was
unreachable due to the network environment, the ICMP service was not
enabled on the host whose address is 169.1.109.130, or the firewall on this host was set
not to respond to ICMP echo requests.

Chapter 5

ACL Configuration
Table of Contents
ACL Overview
Configuring an ACL
ACL Configuration Instance

5.1 ACL Overview


An ACL is a flow classification tool. It can implement port-ACL, Unicast Reverse Path
Forwarding (URPF), and PBR functions.
An ACL filters packets in accordance with the fields in the packets. The most common
fields are the quintuplet in a packet, including the source IP address, the destination IP
address, the protocol type, the source port number, and the destination port number.
There may be several rules in an ACL. Each rule describes a certain matching condition.
For a specified packet, an ACL checks whether the packet matches a condition,
starting from the first rule. Once the packet matches a condition, the ACL takes the action
(permit/deny) defined in the rule. After an ACL is applied to a service, the permit/deny
action is mapped to some actions defined for the service, for example, policy routing that
takes effect on the forwarding plane.

5.2 Configuring an ACL


This procedure describes how to configure an ACL rule and bind it to the specific interface
to classify the flow.

Steps
1. Configure an ACL.

Command: ZXR10(config)#ipv4-access-list <name>
Function: Creates or configures an ACL.

Command: ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit | deny}{<source>[<source-wildcard>]| any}[time-range <time-range-name>][log]
Function: Configures a standard source address-based ACL rule.

Command: ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit | deny}{<0-255>| ip |<protocol-type>}{<source><source-wildcard>| any}{<destination><destination-wildcard>| any}[{tos <tos-value>| precedence <precedence-value>| dscp <dscp-value>}][range <1-255>-<1-255>}][fragments][ttl {{eq | ge | le | neq}<TTL_value>| range <TTL_ValueRange>}][time-range <time-range-name>][log]
Function: Configures an extended ACL rule.

Command: ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit | deny} tcp {<source><source-wildcard>| any}[{<operator>{<0-65535>|<source-porttype>}| range <0-65535>-<0-65535>}]{<destination><destination-wildcard>| any}[{<operator>{<0-65535>|<destination-porttype>}| range <0-65535>-<0-65535>}][{[established] ,[syn{+ | -}]}][{tos <tos-value>| precedence <precedence-value>| dscp <dscp-value>}][fragments][ttl {{eq | ge | le | neq}<TTL_value>| range <TTL_ValueRange>}][time-range <time-range-name>][log]
Function: Configures a TCP-based ACL rule.

Command: ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit | deny} udp {<source><source-wildcard>| any}[{<operator>{<0-65535>|<source-porttype>}| range <0-65535>-<0-65535>}]{<destination><destination-wildcard>| any}[{<operator>{<0-65535>|<destination-porttype>}| range <0-65535>-<0-65535>}][{tos <tos-value>| precedence <precedence-value>| dscp <dscp-value>}][fragments][ttl {{eq | ge | le | neq}<TTL_value>| range <TTL_ValueRange>}][time-range <time-range-name>][log]
Function: Configures a User Datagram Protocol (UDP)-based ACL rule.

Command: ZXR10(config-ipv4-acl)#rule [<rule-id>]{permit | deny} icmp {<source><source-wildcard>| any}{<destination><destination-wildcard>| any}[{<icmp-type-value>|<icmp-type>}[<icmp-code>]][{tos <tos-value>| precedence <precedence-value>| dscp <dscp-value>}][fragments][ttl {{eq | ge | le | neq}<TTL_value>| range <TTL_ValueRange>}][time-range <time-range-name>][log]
Function: Configures an ICMP-based ACL rule.

<rule-id>: A unique identifier of the rule in the ACL. This ID decides the sequence
of the rule in the ACL. The range is 1-2147483644. If the command is used without
this parameter, the rule is placed at the end of the list by default, and the rule-id is
allocated according to the default base and increment (the default base is 10, and the
default increment is 10).
<0-255>: Type of the matching protocol, indicating the IP protocol number. Range:
0-255.
ip: Indicates any type of network protocols.
<protocol-type>: IP protocol type. It may be one of the following keywords: igmp, gre,
ospf, pim, and vrrp.
<source-wildcard>: The wildcard of source IPv4 address, in dotted decimal notation.
<destination-wildcard>: The wildcard of destination IPv4 address, in dotted decimal
notation.
<operator> eq | ge | le | range: The type of operations to the port. It can be one
keyword among eq, ge, le and range. For the keyword range, it is necessary to specify
two port operation numbers to fix a port range, and the start value of the range should
not be larger than the end value.
<source-port>: Source port number, in the range of 0-65535.
<destination-port>: Destination port number, in the range of 0-65535.
precedence <value>: Precedence, in the range of 0-7.
tos <value>: Type Of Service (ToS) field, in the range of 0-15.
dscp <value>: Differentiated Services Code Point (DSCP) field, in the range of 0-63.
time-range <time-range-name>: Sets the time-range parameter, which adds a time
attribute to an ACL. The ACL is effective during this time range.
established: The keyword for establishing TCP connection, only available for TCP.
log: Statistics count.
<icmp-type>: The type of an ICMP message. It may be echo-reply, unreachable,
source-quench, redirect, alternate-address, echo, router-advertisement,
router-solicitation, time-exceeded, parameter-problem, timestamp-request,
timestamp-reply, or information-request.
<icmp-type-value>: The type value of an ICMP message. It ranges from 0 to 255.
<icmp-code>: The code of an ICMP message. It ranges from 0 to 255.
syn{+ | -}: The value of the SYN flag in the TCP header. "-" means that the rule matches
packets that do not carry this flag, and "+" means that the rule matches packets that
carry this flag.
eq | ge | le | neq: The operation type of TTL. eq means equal to, le means less than or
equal to, and neq means not equal to.
<TTL_value>: The value of TTL. It ranges from 1 to 255.
<TTL_ValueRange>: The range of a TTL. The range is : <1-255>-<1-255>, and the
start value should not be more than the end value.
2. Bind the ACL rule to the specific interface.

Command: ZXR10(config-if-interface-name)#ipv4-access-group {ingress | egress}<acl-name>}
Function: Binds an ACL to current interface in a specified direction in interface configuration mode.

Command: ZXR10(config)#ipv4-access-group interface <interface-name>{ingress | egress}<acl-name>
Function: Binds an ACL to one or more interfaces in global configuration mode.

3. Verify the configurations.

Command: ZXR10#show ipv4-access-lists [|{begin|exclude|include}]
Function: Displays the ACL list information.

Command: ZXR10#show ipv4-access-lists brief [name <acl-name>][|{begin|exclude|include}]
Function: Displays the brief ACL list information.

Command: ZXR10#show ipv4-access-lists usage <interface-name>{ingress|egress} port-acl [|{begin|exclude|include}]
Function: Displays the number of times the ACL rule is used. (Only applicable for rules that have been configured with log)

Command: ZXR10#show ipv4-access-lists name <acl-name>[{from <rule-id>}{to <rule-id>}][usage <interface-name>{ingress|egress} port-acl][|{begin|exclude|include}]
Function: Displays the information of a specified ACL.

Command: ZXR10#show ipv4-access-lists config [|{begin|exclude|include}]
Function: Displays the ACL resource usage on the whole device.

Command: ZXR10#show ipv4-access-groups [{[by-access-list <acl-name>],[by-direction {ingress | egress}],[by-interface <interface-name>}]
Function: Displays the binding information.

4. Maintain the ACL.

Command: ZXR10(config-ipv4-acl)#move < target-rule-id>< target-New-rule-id>
Function: Moves an ACL rule.

Command: ZXR10(config-ipv4-acl)#no rule {<rule-id>| all }
Function: Deletes a specified ACL rule or all ACL rules.

Command: ZXR10(config)#resequence-access-list ipv4 <acl-name>[<base>[<increment>]]
Function: Re-sequences ACL rules.

End of Steps

5.3 ACL Configuration Instance


Configuration Description
As shown in Figure 5-1, PC1 and PC2 both send TELNET requests to R1 through R2, but
R1 only wants to receive the TELNET requests coming from PC1, not those from PC2. To meet
this requirement, bind an ACL to the ingress of gei-0/1/0/1 to filter the TELNET packets
coming from PC2 (the ACL can also be bound to the egress of gei-0/1/0/2).
Figure 5-1 ACL Configuration Instance Topology

Here, create an ACL and add a rule to it. The rule denies the packets whose
IP address belongs to PC2, whose protocol type is TCP and whose port type is TELNET. All other
packets are permitted. Bind the ACL to the ingress of gei-0/1/0/1 or the egress of gei-0/1/0/2.
After that, the TELNET requests coming from PC2 cannot arrive at R1 even if PC2 has
R1's TELNET user name and password. The TELNET request packets are discarded by R2.
The other communications between R1 and PC2 are not affected.

Configuration Flow
1. Create an ipv4-access-list. The user can name the list. The length of the list name cannot
be more than 31 characters.
2. Enter IPv4 ACL configuration mode after the list is created. Add rules in IPv4 ACL
configuration mode. Each rule designates a kind of packet, and defines whether this kind
of packet is denied or permitted.
3. According to the requirements for traffic filtering, bind the customized
ipv4-access-list to the egress or ingress of the interface whose traffic is to be filtered.

Configuration Command
Configuration on R2:
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 eq telnet
30.20.10.1 0.0.0.0
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit

R2(config)#ipv4-access-group interface gei-0/1/0/1 ingress test

Configuration Verification
There are three methods to view ACL configuration.
Method 1:
R2(config)#show ipv4-access-lists brief
/*This only shows the name of each ACL and the number of rules in each ACL.*/
No.  ACL   RuleSum
-----------------------------------------------
1    test

The ACL binding information on interfaces is shown below.


R2(config)#show ipv4-access-groups
Interface name|vlan   Direction   ACL name
---------------------------------------------------------
gei-0/1/0/1           Ingress     test

Method 2:
R2(config)#show ipv4-access-lists name test
/*View an ACL. Brief or detail information can be viewed after the name is specified.*/
ipv4-access-list test
2/2 (showed/total)
10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
20 permit any
R2(config)#show ipv4-access-lists brief name test
No.  ACL   RuleSum
-----------------------------------------------------
1    test

Method 3:
R2(config)#show ipv4-access-lists
/*View all ACLs configured on the device. The mode is to view detail information.*/
ipv4-access-list test
2/2 (showed/total)
10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
20 permit any
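
The first-match evaluation described in 5.1 and the time-range binding from 4.3.2, worked through as an added Python sketch (not ZTE code). It parses only the "tcp ... eq" and "permit any" rule forms, following the TCP grammar printed in 5.2, in which a port operator constrains the port of the address it follows; the packet dictionaries, skipping a rule whose time-range is inactive, and returning None when no rule matches are assumptions of the sketch.

```python
import ipaddress

PORT_NAMES = {"telnet": 23}  # the only port keyword used on this page

# Constructed input: the two rules of ACL "test" from Configuration Instance 2 (4.3.2).
ACL_TEST = """\
rule 1 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0 time-range test
rule 2 permit any
"""

# Constructed packets between the two addresses used in the rules.
FROM_PORT_23 = {"proto": "tcp", "src": "10.20.30.20", "sport": 23,
                "dst": "30.20.10.1", "dport": 40000}
TO_PORT_23 = {"proto": "tcp", "src": "10.20.30.20", "sport": 40000,
              "dst": "30.20.10.1", "dport": 23}


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; 0.0.0.0 therefore means one exact host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def take_endpoint(tok):
    """Consume '{<addr> <wildcard> | any}' and an optional 'eq <port>' right after it."""
    if not tok:
        raise ValueError("rule ends before an address was given")
    if tok[0] == "any":
        addr, tok = None, tok[1:]
    else:
        addr, tok = (tok[0], tok[1]), tok[2:]
    port = None
    if tok[:1] == ["eq"]:
        port = PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])
        tok = tok[2:]
    return addr, port, tok


def parse_rule(line):
    """Parse 'rule <id> {permit|deny} any' and the TCP 'eq' form; nothing else."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    rule = dict(id=int(tok[1]), action=tok[2], proto=None, src=None, sport=None,
                dst=None, dport=None, time_range=None)
    tok = tok[3:]
    if tok[0] == "tcp":
        rule["proto"] = "tcp"
        rule["src"], rule["sport"], tok = take_endpoint(tok[1:])
        rule["dst"], rule["dport"], tok = take_endpoint(tok)
    elif tok[0] == "any":
        tok = tok[1:]
    else:
        raise ValueError(f"unsupported rule: {line!r}")
    if "time-range" in tok:
        rule["time_range"] = tok[tok.index("time-range") + 1]
    return rule


def load(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def evaluate(rules, packet, active_time_ranges):
    """Return (rule id, action) of the first matching rule, or None."""
    for r in sorted(rules, key=lambda r: r["id"]):
        # Assumption: a rule bound to an inactive time-range is skipped.
        if r["time_range"] and r["time_range"] not in active_time_ranges:
            continue
        if r["proto"] and r["proto"] != packet["proto"]:
            continue
        if r["src"] and not wildcard_match(packet["src"], *r["src"]):
            continue
        if r["dst"] and not wildcard_match(packet["dst"], *r["dst"]):
            continue
        if r["sport"] is not None and r["sport"] != packet["sport"]:
            continue
        if r["dport"] is not None and r["dport"] != packet["dport"]:
            continue
        return r["id"], r["action"]
    return None


if __name__ == "__main__":
    rules = load(ACL_TEST)
    for name, pkt in (("source port 23", FROM_PORT_23), ("destination port 23", TO_PORT_23)):
        for active in ({"test"}, set()):
            print(name, "time-range active" if active else "time-range inactive",
                  evaluate(rules, pkt, active))
```

On the device, show ipv4-access-lists usage reports hit counts for rules configured with log, which confirms whether the rule meant to block a service is the one being matched.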

Chapter 6

Prefix-List Configuration
Table of Contents
Prefix-List Overview
Configuring a Prefix-List
Prefix-List Configuration Instances

6.1 Prefix-List Overview


After the prefix-list is used in a service, the matched prefixes are mapped to actions in the
service in accordance with the corresponding permit/deny action. In this way, the actions
taken by this prefix can be controlled, which provides necessary security guarantee for the
network.
The following services can invoke a prefix-list.
- IP multicast
- Open Shortest Path First (OSPF)
- Intermediate System-to-Intermediate System (IS-IS)
- Border Gateway Protocol (BGP)

A prefix-list is a list that filters packets in accordance with route prefixes. A prefix-list
consists of a filter list and rules in the filter list.
- Filter list
A filter list is described by a name. In the system, several filter lists can be configured.
- Rule
A rule consists of a sequence number, a result (permit/deny), and the rule information
(that is, a network segment specified by an address and a mask range).

The name of a filter list can be configured through the related command. In a filter list,
several rules can be configured.
- The rules are ordered. When matching a prefix-list, a packet starts matching the rules
in accordance with the sequence. Once it matches a rule, the matching procedure
ends and the result (permit/deny) of this rule is returned.
- If two rules in a filter list have an intersection, the flows in the intersection only match
the rule that is configured first.


6.2 Configuring a Prefix-List


This procedure describes how to configure a prefix-list to filter the specific routing prefix to
provide necessary security guarantee for the network.
To configure a prefix list, perform the following steps:

Steps
1. Configure a prefix-list.

Command: ZXR10(config)#ip prefix-list <prefix-list-name>{[seq <seq-number>]{deny | permit}<network-num><len>[ge <value>][le <value>]| description <LINE>}
Function: Configures a prefix-list.

<prefix-list-name>: The prefix-list name, 31 characters at most.


seq <seq-number>: The sequence number of a prefix-list, range: 1-4294967294.
<network-num>: An IP address in the V4 format.
<len>: The mask length, range: 0-32.
permit: If an IP address is in the prefix range of this list, the address passes the filter
and does not continue the following matching. If the IP address is not in the prefix
range of this list, the IP address continues the following matching.
deny: If an IP address is in the prefix range of this list, the address does not pass the
filter and does not continue the following matching. If the IP address is not in the prefix
range of this list, the IP address continues the following matching.
ge <value>: After the matching range of the IP address prefix is specified, the matching
address prefix length needs to be more than or equal to this value. The range of this
value is 1-32.
le <value>: After the matching range of the IP address prefix is specified, the matching
address prefix length needs to be less than or equal to this value. The range of this
value is 1-32.
description <LINE>: Description of a prefix-list, 79 characters at most.
2. Configure a prefix-list called by IP multicast.

Step 1
Command: ZXR10(config)#ip multicast-routing
Function: Enters IP multicast configuration mode.

Step 2
Command: ZXR10(config-mcast)#router pim
Function: Enables Protocol Independent Multicast - Sparse Mode (PIM-SM).

Step 3
Command: ZXR10(config-mcast-pim)#rp-candidate <interface-name>[group-list <prefix-list-name>][priority <priority>]
Function: Makes the router advertise itself as a candidate RP. The priority of a candidate RP, range: 0-255.

Step 4
Command: ZXR10(config-mcast-pim)#static-rp <ip-address>[group-list <prefix-list-name>][priority <priority>]
Function: Configures a static RP address. The priority of a static RP, range: 0-255, default: 192.

3. Configure a prefix-list called by OSPF.

Step 1
Command: ZXR10(config-ospf-process-id)#distribute-list prefix <prefix-list-name>{in | out}
Function: Controls the routes whose prefixes match the prefix-list (the routes whose
prefixes do not match the prefix-list will be denied).
The in keyword in this command is used for filtering the routes whose owners are OSPF.
The out keyword in this command is used for controlling the external routes that are
imported to an OSPF area after Type 5 and Type 7 Link State Advertisements (LSAs) are
generated. This is a supplement to the redistribute command.

Step 2
Command: ZXR10(config-ospf-id)#distribute-list prefix <prefix-list-name> gateway <prefix-list-name> in
Function: Controls the OSPF routes whose prefixes and gateways match the prefix-lists
respectively in the inbound direction.

4. Configure a prefix-list called by BGP.

Step 1
Command: ZXR10(config)#router bgp <as-number>
Function: Configures a BGP instance.

Step 2
Command: ZXR10(config-bgp)#neighbor {<ipv4-address>|<peer-group-name>} prefix-list <prefix-list name>{in | out}
Function: Applies a prefix-list to BGP in the inbound/outbound direction.
in | out, applying the prefix-list for input routes or output routes

5. Configure a prefix-list called by a route-map.

Command: ZXR10(config-route-map)#match ip address prefix-list <prefix-list-name>
Function: Configures a prefix-list in a route-map. The name of the prefix-list contains 31
characters at most.

6. Verify the configurations.

Command: ZXR10#show ip prefix-list [{<detail>|<summary>}][<prefix-list-name>]
Function: Displays the information related to the IP address filter lists.

End of Steps

6.3 Prefix-List Configuration Instances


This section describes the following information.
- Prefix-list configuration instance
- Prefix-list called by services (IP multicast, OSPF and BGP)
- Prefix-list called by a route-map

6.3.1 Prefix-List Configuration Instance


Configuration Description
- This example configures a prefix-list named test. The prefix-list permits the route
prefixes 192.168.120.0/24 and 192.168.110.1/32, and permits the route prefixes that are
in the 192.168.100.0 network segment and whose mask lengths are in the range of 24-32.
- The configuration effect is: When a service calls this prefix-list, the route prefixes
that match 192.168.120.0/24 and 192.168.110.1/32 can pass, and the prefixes
whose mask lengths are between 24 bits and 32 bits and whose high 24 bits match
192.168.100.0 can pass. Other route prefixes are denied.
- Use the default sequence. The default sequence ID starts from 5 and increments by 5.

Configuration Flow
Configure the prefix-list rules one by one.

Configuration Command
ZXR10(config)#ip prefix-list test permit 192.168.120.1 24
ZXR10(config)#ip prefix-list test permit 192.168.110.1 32
ZXR10(config)#ip prefix-list test permit 192.168.100.0 24 le 32

Configuration Verification
Run the show running-config prefix-list command to view the configuration result.
ZXR10(config)#show running-config prefix-list
!<prefix-list>
ip prefix-list test seq 5 permit 192.168.120.0 24
ip prefix-list test seq 10 permit 192.168.110.1 32
ip prefix-list test seq 15 permit 192.168.100.0 24 le 32
!</prefix-list>

6.3.2 Prefix-List Called by IP Multicast


Configuration Description
The multicast PIM-SM supports both the static RP and dynamic RP at the same time.
- To use a static RP, it is required to configure the static RP for all PIM routers in the
PIM domain.
- To use a dynamic RP, it is required to configure the candidate RPs for several PIM
routers in the PIM domain. The RP is elected from the candidate RPs. At the same
time, it is required to configure several C-BSRs. The BSR is elected from the C-BSRs.

The following uses the dynamic RP as an example. R1 is added to the multicast resource,
and R2 is added to the IGMP group. Configure the C-BSR on R2, and set the group-list of
the C-RP to zte, where zte is the name of the prefix-list. The group range is 225.0.0.0/24,
as shown in Figure 6-1.
Figure 6-1 Prefix-List Called by IP Multicast

Configuration Flow
1. Configure related interfaces.
2. Enter IP multicast configuration mode.
3. Enter PIM-SM configuration mode.
4. Set loopback5 to C-BSR and C-RP on R2 at the same time. The range of the prefix
list matched with the RP is 225.0.0.0/24.
5. Enter related interfaces and enable PIM-SM.
6. Configure a unicast route to the RP on R1. Configure a unicast route to the IP multicast
source on R2. In this example, static routes also can be used to accomplish the Interior
Gateway Protocol (IGP) connectivity.

Configuration Command
The configuration of R1:
R1(config)#interface gei-0/2/0/3
R1(config-if-gei-0/2/0/3)#no shutdown
R1(config-if-gei-0/2/0/3)#ip address 199.1.1.1 255.255.255.0
R1(config-if-gei-0/2/0/3)#exit
R1(config)#interface gei-0/2/0/7
R1(config-if-gei-0/2/0/7)#no shutdown
R1(config-if-gei-0/2/0/7)#ip address 33.1.1.2 255.255.255.0
R1(config-if-gei-0/2/0/7)#exit

R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#interface gei-0/2/0/3
R1(config-mcast-pim-if-gei-0/2/0/3)#pimsm
R1(config-mcast-pim-if-gei-0/2/0/3)#exit
R1(config-mcast-pim)#interface gei-0/2/0/7
R1(config-mcast-pim-if-gei-0/2/0/7)#pimsm
R1(config-mcast-pim-if-gei-0/2/0/7)#exit
R1(config-mcast-pim)#exit
R1(config-mcast)#exit

R1(config)#ip route 5.5.5.35 255.255.255.255 199.1.1.2

The configuration of R2:


R2(config)#ip prefix-list zte permit 225.0.0.0 24
R2(config)#interface gei-0/3/0/8
R2(config-if-gei-0/3/0/8)#no shutdown
R2(config-if-gei-0/3/0/8)#ip address 199.1.1.2 255.255.255.0
R2(config-if-gei-0/3/0/8)#exit
R2(config)#interface gei-0/3/0/7
R2(config-if-gei-0/3/0/7)#no shutdown
R2(config-if-gei-0/3/0/7)#ip address 35.1.1.1 255.255.255.0
R2(config-if-gei-0/3/0/7)#exit
R2(config)#interface loopback5
R2(config-if-loopback5)#ip address 5.5.5.35 255.255.255.255
R2(config-if-loopback5)#exit

R2(config)#ip multicast-routing
R2(config-mcast)#router pim
R2(config-mcast-pim)#bsr-candidate loopback5
R2(config-mcast-pim)#rp-candidate loopback5 group-list zte
R2(config-mcast-pim)#interface gei-0/3/0/8
R2(config-mcast-pim-if-gei-0/3/0/8)#pimsm
R2(config-mcast-pim-if-gei-0/3/0/8)#exit
R2(config-mcast-pim)#interface gei-0/3/0/7
R2(config-mcast-pim-if-gei-0/3/0/7)#pimsm
R2(config-mcast-pim-if-gei-0/3/0/7)#exit
R2(config-mcast-pim)#exit
R2(config-mcast)#exit

R2(config)#ip route 33.1.1.0 255.255.255.0 199.1.1.1

Configuration Verification
Run the show ip pimsm rp mapping command on R1 to view the RP information.
R1(config)#show ip pim rp mapping
Group(s): 225.0.0.0/24(SM)
RP: 5.5.5.35, v2, Priority:192
BSR: 5.5.5.35, via bootstrap
Uptime: 00:00:28, expires: 00:02:02

Group(s): 0.0.0.0/0(NOUSED)

R1(config)#show ip pim rp hash 225.0.0.1


rp address: 5.5.5.35

6.3.3 Prefix-List Called by OSPF


Configuration Description
1. In OSPFv2 configuration mode, configure distribute-list with a prefix to filter the OSPF
routes that match the prefix-list.
- Configure the distribute-list prefix-list <prefix-list-name> in command to filter the
routes whose owners are OSPF.
- Configure the distribute-list prefix-list <prefix-list-name> out command to control
the external routes that are imported to an OSPF area after Type 5 and Type 7
LSAs are generated. This is a supplement to the redistribute command.
- If the distribute-list command is not configured, routes are not filtered and the
imported external LSAs are not controlled.
2. Take care when using the in keyword. Considering the relevance of OSPF routes,
follow these suggestions:
- It is better not to filter the routes corresponding to Type 2 LSAs. Otherwise, the
network topology will be incomplete.
- When a Type 3 route is allowed to be imported, make sure that the corresponding
Area Border Router (ABR) route exists. If the route does not exist, it is necessary
to set permit for the corresponding route in the template configuration.
- When a Type 5 route is allowed to be imported, make sure that the forwarding
address route exists. If the route does not exist, it is necessary to set permit for
the corresponding route in the template configuration.
3. When the called prefix-list does not exist, the calling effect is equivalent to permit any.
4. For a prefix-list that is not null, there is a default rule deny all after the configured
rules. That is, the prefixes that are not configured to be permitted will be denied.
Therefore, to deny some routes, it is necessary to configure the permit all command
to permit other route prefixes.

Configuration Flow
1. Configure a prefix-list to deny the OSPF routes whose prefixes are 23.2.2.0/24 and
permit other routes.
2. In the OSPFv2 distribute-list, call the prefix-list.

Configuration Command
1. Configure a prefix-list to filter the routes whose prefixes are 23.2.2.0/24 in the following
routing table.
ZXR10(config)#show ip forwarding route ospf
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
status codes: *valid, >best
Dest            Gw         Interface    Owner  Pri  Metric
*>1.1.1.0/24    26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>11.1.1.0/24   26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>12.1.1.0/24   23.1.1.22  gei-0/1/0/3  OSPF   110  20
*>16.1.1.0/24   26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>23.2.2.0/24   23.1.1.22  gei-0/1/0/3  OSPF   110  20
*>26.1.3.0/24   26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>100.1.1.0/24  23.1.1.22  gei-0/1/0/3  OSPF   110  20

ZXR10(config)#ip prefix-list zte deny 23.2.2.0 24


ZXR10(config)#ip prefix-list zte permit 0.0.0.0 0 le 32
/*This command accomplishes "permit any".*/

2. In the route advertisement filter, use the distribute-list to call the prefix-list.
ZXR10(config)#router ospf 1
ZXR10(config-ospf-1)#distribute-list prefix zte in
ZXR10(config-ospf-1)#exit
/*If it is applied to the outbound distribution direction, it is necessary to
configure the redistribute command first.*/

Configuration Verification
View the routing table after filtering to check whether the routes are filtered
successfully, as shown below.
ZXR10(config)#show ip forwarding route ospf
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best;
Dest            Gw         Interface    Owner  Pri  Metric
*>1.1.1.0/24    26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>11.1.1.0/24   26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>12.1.1.0/24   23.1.1.22  gei-0/1/0/3  OSPF   110  20
*>16.1.1.0/24   26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>26.1.3.0/24   26.1.1.22  gei-0/1/0/1  OSPF   110  101
*>100.1.1.0/24  23.1.1.22  gei-0/1/0/3  OSPF   110  20
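
The matching behaviour described in sections 6.3.1 and 6.3.3 (rules tried in sequence order, first match wins, a default deny all after the configured rules, a missing list acting as permit any) can be checked offline with the following added example, which is not ZTE code. It assumes the common prefix-list convention that a rule without ge/le matches only its exact mask length and that ge alone extends the range to 32; the guide states neither point, and the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: rule lines in the form shown by "show running-config prefix-list"
# in sections 6.3.1 and 6.3.3 of this guide.
SAMPLE_CONFIG = """\
!<prefix-list>
ip prefix-list test seq 5 permit 192.168.120.0 24
ip prefix-list test seq 10 permit 192.168.110.1 32
ip prefix-list test seq 15 permit 192.168.100.0 24 le 32
ip prefix-list zte seq 5 deny 23.2.2.0 24
ip prefix-list zte seq 10 permit 0.0.0.0 0 le 32
!</prefix-list>
"""

RULE_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+) (?P<len>\d+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?\s*$"
)


def parse_prefix_lists(text):
    """Return {name: [(seq, action, network, ge, le), ...]} sorted by sequence number."""
    lists = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # markers such as "!<prefix-list>", description lines, blanks
        # strict=False masks host bits, so "192.168.120.1 24" becomes 192.168.120.0/24
        network = ipaddress.ip_network(f"{m['net']}/{m['len']}", strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        rule = (int(m["seq"]), m["action"], network, ge, le)
        lists.setdefault(m["name"], []).append(rule)
    for rules in lists.values():
        rules.sort(key=lambda r: r[0])
    return lists


def evaluate(lists, name, route):
    """Return 'permit' or 'deny' for a route prefix such as '192.168.100.128/25'."""
    rules = lists.get(name)
    if not rules:
        # Section 6.3.3, item 3: a called prefix-list that does not exist acts as permit any.
        return "permit"
    candidate = ipaddress.ip_network(route, strict=True)
    for _seq, action, network, ge, le in rules:
        # Assumed length window: exact length without ge/le, up to 32 with ge only.
        low = ge if ge is not None else network.prefixlen
        if le is not None:
            high = le
        else:
            high = 32 if ge is not None else network.prefixlen
        if low <= candidate.prefixlen <= high and candidate.subnet_of(network):
            return action  # the first matching rule ends the search
    return "deny"  # default "deny all" after the configured rules


if __name__ == "__main__":
    parsed = parse_prefix_lists(SAMPLE_CONFIG)
    for list_name, prefix in [
        ("test", "192.168.120.0/24"),
        ("test", "192.168.100.128/25"),
        ("test", "10.0.0.0/8"),
        ("zte", "23.2.2.0/24"),
        ("zte", "12.1.1.0/24"),
        ("zte", "23.2.2.0/25"),
        ("undefined-list", "10.0.0.0/8"),
    ]:
        print(list_name, prefix, evaluate(parsed, list_name, prefix))
```

Under the exact-length assumption, the more specific 23.2.2.0/25 is not caught by deny 23.2.2.0 24 and falls through to the permit-any rule; a deny rule written with le 32 would cover it.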

6.3.4 Prefix-List Called by BGP


Configuration Description
As shown in Figure 6-2, the networks 192.1.1.0/24 and 10.12.0.0/24 are connected to
R1. R1 and R2 establish a BGP neighbor relationship. R2 hopes to learn the route to the
20.0.0.0/8 network only. The route learning can be controlled by configuring a prefix-list,
that is, permitting R1 to advertise the route to the 192.1.1.0/24 network to R2 and not to
advertise the route to the 10.12.0.0/24 network.
Figure 6-2 Prefix-List Called by BGP

Configuration Flow
1. Configure BGP neighbors on R1 and R2.
2. Import two routes to BGP on R1.
3. Configure a prefix-list on R1 to permit route M and deny route N.
4. Use the prefix-list to filter the routes advertised to R2 in BGP on R1.
5. The configuration result is: When R1 advertises BGP routes to R2, route M is
advertised and route N is not advertised. The routing table on R2 contains route M
but not route N.

Configuration Command
1. Configure BGP neighbors on R1 and R2 (omitted).
2. Import routes to R1.
a. In this example, run the network command to advertise the routes on R1. The
routes on R1 are shown below.
R1(config)#show ip forwarding route
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: user-special,
MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
status codes: *valid, >best
Dest              Gw          Interface        Owner    Pri Metric
*> 1.1.1.1/32     100.1.3.1   gei-0/0/0/2      Static
*> 10.12.0.0/24   10.12.0.1   gei-0/0/0/10     Direct
*> 10.12.0.1/32   10.12.0.1   gei-0/0/0/10     Address
*> 100.1.3.0/24   100.1.3.2   gei-0/0/0/2      Direct
*> 100.1.3.2/32   100.1.3.2   gei-0/0/0/2      Address
*> 100.1.31.0/24  100.1.31.1  smartgroup30.10  Direct
*> 100.1.31.1/32  100.1.31.1  smartgroup30.10  Address
*> 100.10.1.0/24  100.10.1.1  gei-0/0/1/4      Direct
*> 100.10.1.1/32  100.10.1.1  gei-0/0/1/4      Address
*> 100.10.2.0/24  100.10.2.1  gei-0/0/1/4.1    Direct
*> 100.10.2.1/32  100.10.2.1  gei-0/0/1/4.1    Address
*> 100.10.2.2/32  100.10.2.2  gei-0/0/1/4.1    Static
*> 100.20.1.0/24  100.20.1.1  gei-0/0/0/7      Direct
*> 100.20.1.1/32  100.20.1.1  gei-0/0/0/7      Address
*> 192.1.1.0/24   192.1.1.1   gei-0/0/0/9      Direct
*> 192.1.1.1/32   192.1.1.1   gei-0/0/0/9      Address

b. Advertise the routes to the destinations 1.1.1.1/32, 10.12.0.0/24 and 192.1.1.0/24.

R1(config)#router bgp 1
R1(config-bgp)#network 1.1.1.1 255.255.255.255
R1(config-bgp)#network 192.1.1.0 255.255.255.0
R1(config-bgp)#network 10.12.0.0 255.255.255.0
R1(config-bgp)#exit

c. Check the configuration result on R1.


R1(config)#show running-config bgp
! <route-bgp>
router bgp 1
synchronization
network 1.1.1.1 255.255.255.255
network 192.1.1.0 255.255.255.0
network 10.12.0.0 255.255.255.0
neighbor 100.10.1.2 remote-as 2
neighbor 100.10.1.2 activate
address-family ipv4 multicast
$
address-family l2vpn vpls
$
address-family vpnv4
$
address-family vpnv4 mcast
$
address-family vpnv4 multicast
$
address-family ipv6
synchronization disable
$
address-family ipv6 multicast
$
address-family vpnv6
$
address-family route-target
$
$
! </route-bgp>

d. Check the route advertisement result on R1.


R1(config)#show ip bgp route
Status codes: * valid, > best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
Network NextHop Metric LocPrf RtPrf Path
*> 1.1.1.1/32 1.1.1.1
*> 10.12.0.0/24 10.12.0.1 0
*> 192.1.1.0/24 192.1.1.1 0

e. Check the BGP route learning on R2.


R2(config)#show ip forwarding route bgp
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 1.1.1.1/32 100.10.1.1 gei-0/5/1/7 BGP 20
*> 10.12.0.0/24 100.10.1.1 gei-0/5/1/7 BGP 20
*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7 BGP 20

3. Configure a prefix-list on R1 and permit some routes imported in Step 2.


R1(config)#ip prefix-list zte permit 192.1.1.0 24
R1(config)#show running-config prefix-list
! <prefix-list>
ip prefix-list zte seq 5 permit 192.1.1.0 24
! </prefix-list>

4. Use the prefix-list to filter the routes advertised to R2 in BGP on R1.


a. Use the prefix-list zte to advertise routes to R2.
R1(config)#router bgp 1
R1(config-bgp)#neighbor 100.10.1.2 prefix-list zte out
R1(config-bgp)#exit

b. Check the configuration result on R1.


R1(config)#show running-config bgp
! <route-bgp>
router bgp 1
synchronization
network 1.1.1.1 255.255.255.255
network 192.1.1.0 255.255.255.0
network 10.12.0.0 255.255.255.0
neighbor 100.10.1.2 remote-as 2
neighbor 100.10.1.2 activate
neighbor 100.10.1.2 prefix-list zte out

! </route-bgp>

5. Check the routes learnt on R2.


R2(config)#show ip forwarding route bgp
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
status codes: *valid, >best
Dest Gw Interface Owner Pri Metric
*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7 bgp 20

Configuration Verification
Check the prefix-list configuration and BGP configuration on R1.
R1#show running-config prefix-list
! <prefix-list>
ip prefix-list zte seq 5 permit 192.1.1.0 24
! </prefix-list>

ZXR10#show running-config bgp


! <route-bgp>
router bgp 1
synchronization
network 1.1.1.1 255.255.255.255
network 192.1.1.0 255.255.255.0
network 10.12.0.0 255.255.255.0
neighbor 100.10.1.2 remote-as 2
neighbor 100.10.1.2 activate
neighbor 100.10.1.2 prefix-list zte out

! </route-bgp>

Check the BGP configuration on R2.


R2#show running-config bgp
! <route-bgp>
router bgp 2
synchronization
neighbor 100.10.1.1 remote-as 1
neighbor 100.10.1.1 activate

! </route-bgp>

Check the BGP route advertisement result on R1.


R1#show ip bgp route
Status codes: * valid, > best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
Network NextHop Metric LocPrf RtPrf Path
*> 1.1.1.1/32 1.1.1.1
*> 10.12.0.0/24 10.12.0.1
*> 192.1.1.0/24 192.1.1.1


Check the BGP route learning on R2.


R2#show ip bgp summary
Neighbor Ver As MsgRcvd MsgSend Up/Down State/PfxRcd
100.10.1.1 4 125 120 01:00:13

RouterB#show ip bgp route
Status codes: * valid, > best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
Network NextHop Metric LocPrf RtPrf Path
*> 192.1.1.0/24 100.10.1.1 20

On R2, run the show ip forwarding route bgp command to check the BGP routes in the
forwarding table. The information shows that there is only one route that is learnt from R1
and permitted by the prefix-list.
R2#show ip forwarding route bgp
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
status codes: *valid, >best;
Dest Gw Interface Owner Pri Metric
*> 192.1.1.0/24 100.10.1.1 gei-0/5/1/7 BGP 20

6.3.5 Prefix-List Called by a Route-Map


Configuration Description
Like a prefix-list, a route-map is also a type of template. In some applications,
the prefix-lists are not called directly. Instead, the prefix-lists are called through the
route-maps, and then the route-maps are called by the services.
For example, in IS-IS redistribution, a prefix-list is not associated directly. Prefix-list
matching of address prefixes is performed through a route-map. (This type of IS-IS call
will be described in the Policy Routing Configuration chapter.)

Configuration Flow
1. Configure a prefix-list.
2. Match the prefix-list in a route-map.

Configuration Command
1. Create an IP prefix-list.
ZXR10(config)#ip prefix-list zte permit 192.168.100.0 24

2. Configure a route-map and call the prefix-list.


ZXR10(config)#route-map zte1
ZXR10(config-route-map)#match ip address prefix-list zte
ZXR10(config-route-map)#exit

Configuration Verification
Run the show ip prefix-list <prefix-list-name> command to check whether the prefix-list is
configured correctly.
ZXR10(config)#show ip prefix-list zte
ip prefix-list zte :
seq 5 permit 192.168.100.0 24

Run the show route-map <route-map-name> command to check whether the route-map is
configured correctly.
ZXR10(config)#show route-map zte1
[route-map zte1] IP type: IPv4
route-map zte1 permit 10
match ip address prefix-list zte
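
Section 6.2 lists four places where a prefix-list is called by name (PIM group-list, OSPF distribute-list, BGP neighbor, route-map match), and section 6.3.3 notes that for OSPF a called prefix-list that does not exist behaves as permit any. The following added example, which is not ZTE code, scans a configuration for called names that are never defined. The sample configuration, the names zte-in and ospf-filter, and the function name are constructed; the guide does not say how callers other than OSPF treat a missing list, so the check only reports the dangling name.

```python
import re

# Constructed sample in the style of this guide's "show running-config" output.
# zte-in and ospf-filter are deliberately left undefined.
SAMPLE_RUNNING_CONFIG = """\
ip prefix-list zte seq 5 permit 192.1.1.0 24
router bgp 1
  neighbor 100.10.1.2 remote-as 2
  neighbor 100.10.1.2 prefix-list zte out
  neighbor 100.10.1.2 prefix-list zte-in in
router ospf 1
  distribute-list prefix ospf-filter gateway zte in
route-map zte1 permit 10
  match ip address prefix-list zte
ip multicast-routing
  router pim
    rp-candidate loopback5 group-list zte
"""

DEFINITION = re.compile(r"^ip prefix-list (\S+) ")

# One pattern per call site listed in section 6.2; each captures the called name(s).
CALL_SITES = [
    ("bgp neighbor",
     re.compile(r"^neighbor \S+ prefix-list (\S+) (?:in|out)$")),
    ("ospf distribute-list",
     re.compile(r"^distribute-list prefix (\S+)(?: gateway (\S+))? (?:in|out)$")),
    ("route-map match",
     re.compile(r"^match ip address prefix-list (.+)$")),  # may carry several names
    ("pim group-list",
     re.compile(r"^(?:rp-candidate|static-rp) \S+ group-list (\S+)")),
]


def find_dangling_references(config_text):
    """Return [(line_number, call_site, name)] for called prefix-lists that are undefined."""
    lines = [line.strip() for line in config_text.splitlines()]

    defined = set()
    for line in lines:
        m = DEFINITION.match(line)
        if m:
            defined.add(m.group(1))

    findings = []
    for number, line in enumerate(lines, start=1):
        for site, pattern in CALL_SITES:
            m = pattern.match(line)
            if not m:
                continue
            # Flatten all captured groups into individual names.
            names = " ".join(g for g in m.groups() if g).split()
            for name in names:
                if name not in defined:
                    findings.append((number, site, name))
    return findings


if __name__ == "__main__":
    for number, site, name in find_dangling_references(SAMPLE_RUNNING_CONFIG):
        print(f"line {number}: {site} calls undefined prefix-list '{name}'")
```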


Chapter 7 ROUTE-MAP Policy Configuration

Table of Contents
Route-Map Overview
Routing Policy Configuration
Policy Routing Configuration

7.1 Route-Map Overview


Route-Map Introduction
The Route-Map is a powerful filter and modifier. As a policy template, the Route-Map is
widely used in policy routing and routing policy.
- When the Route-Map is applied to an interface and specifies the routes for the
specified incoming traffic of the interface, it is called policy routing.
- When the Route-Map is applied to route protocols, and affects the generation, release
and selection of the routes to optimize route tables, it is called routing policy.

As a policy template, the Route-Map takes effect only when it is applied to an interface as
policy routing or applied to a routing protocol as routing policy.

Route-Map Features
A Route-Map consists of one or more sequences, and the attribute of each sequence
can be flexibly set to permit or deny. The internal configuration of each sequence can be
divided into match items and set items.
- As a filter, the match item makes the Route-Map effective only for objects of specified
types.
- As a modifier, the set item performs the specified operation on eligible objects to achieve
the policy target.

After being called, the Route-Map will match the match item in accordance with the
sequence IDs in descending order, and perform the specified set operation of the
sequence where it matches the match item.
For a sequence with the Permit attribute, the Route-Map performs the operation on the
objects that comply with the match condition in accordance with the policy, and searches
for the next sequence if no object is matched. For a sequence with the Deny attribute, the
Route-Map does not perform any operation on the matched objects, and searches for the
next sequence if no object is matched.
The routing policy and policy routing differ as follows:
- When the Route-Map is applied to an interface, it is called policy routing. The policy
routing provides a packet transferring policy. The matched objects are packets. The
match item filters the objects based on the featured fields of the packets, and specifies
the set operation on these objects. The set operation is divided into the routing item, which
is used to change the transferring path, and the packet modification item, which is used to
modify the features of the filtered packets.
- When the Route-Map is applied to protocols, it is called routing policy. The routing
policy provides a routing release policy. The match item filters out routes based on
their features, and provides policies for these filtered routes. Note that the command
that calls the Route-Map already contains an operation, such as the distribute
and leak commands. The distribute and leak operations in these commands are
called default operations. When the set operation is performed on the objects matched
successfully, these default operations are also performed.

7.2 Routing Policy Configuration


7.2.1 Routing Policy Overview
Routing Policy Introduction
A routing policy refers to the policy of routing release and routing receipt.
The selection routing policy is a type of routing policy. Even with the same
network architecture, different routing policies generate different route tables because of
different implementation mechanisms, different cost calculation principles and different
priority definitions.
A routing policy affects routing generation, routing release and routing selection
by modifying some parameters or setting some control methods based on some principles.
When applied to the routing policy, the Route-Map filters the notification or sets the routing
attributes of the matched routes. The T8000 device supports the following routes which
use routing policy:
- RIP
- OSPF
- ISIS
- BGP
- VRF

RIP Routing Policy


The RIPg is a routing protocol based on the distance vector algorithm. The RIP reallocation
imports the routes generated by other protocols into the RIP routing domain, and then
notifies its neighbors about the import. In more detail, the RIP reallocation imports other
routes into the local route table and notifies the neighbor router about this. This
reallocation method is also available when other protocol routes are imported into the
router. The routing policy name can be specified in the reallocation.
There are two types of route-map: permit and deny.
- permit: The router reallocates the route if the match item is found, and performs the
operations set in the configuration command.
- deny: After finding the match item, the router only performs the operations set in the
configuration command and does not reallocate the route. If it fails to find the match
item, the router neither reallocates the route nor performs the operations set in the
configuration command.

After configuring the reallocation function for RIP, you should check the routes to be
reallocated and check whether each route is available. If so, follow the route-map routing
policy principles set in the reallocation command, and match the related principles. If the
route satisfies the policy principles, import it into the local RIP routing table and make the
related adjustments. For example, if the imported routing metric is 10, the route metric in
the local RIP routing table will be modified to 10. After receiving the route information, the
neighbor will add it to its local RIP routing table.

ISIS Routing Policy

- ISIS Reallocation
A router can run the ISIS protocol and other routing protocols simultaneously, such as
RIP and OSPF protocols. Each routing protocol generates different routes. The ISIS
protocol can obtain other protocol routes after reallocation.
Set the route policy during reallocation, which means to filter or set the routing during
reallocation. For example, if match ip metric is set to 10 in the route map module
configuration, the ISIS reallocation module will filter the route whose metric value is
10. If set ip metric 20 is set on this route map module, the ISIS will set the metric on these
routes after importing other protocol routes.

- ISIS Routing Leakage
If connecting to other areas, the L1/L2 router will set the ATT bit in the L1 LSP to inform
the L1 router in the local area about an exit point. The L1 router in the local area selects an
L2 router where the ATT bit is set to be the default exit point, and a default route is generated.
Because the L1 router selects the latest L1/L2 router as the exit point and this route is not
optimum, the concepts of suboptimum route and routing penetration are introduced. To
avoid the suboptimum route, you can distribute route information of the backbone area
to the common level-1 area to ensure that the common area acquires route information
of the entire IS-IS route domain. For example, if the match ip metric value is set to 10
on the route map module, the ISIS reallocation module will filter the route whose metric
value is 10.


OSPF Routing Policy


A router can run the OSPF protocol and other routing protocols simultaneously, such as
RIP, BGP, and IS-IS protocols. Each routing protocol generates different routes. If the
OSPF protocol needs to share routes of other protocols, it can import these protocols
through reallocation.
A routing policy can be configured to filter or set the routes during reallocation. For
example, if the match ip tag 1 command is configured in the Route-Map, routes with tag
value of 1 are filtered. If the set ip tag 4 command is also configured in the Route-Map,
the OSPF protocol imports routes of other protocols and sets tags of these routes.

BGP Routing Policy


A router can run the BGP protocol and other routing protocols simultaneously, such as
RIP, OSPF or ISIS protocols. Each routing protocol generates different routes. The BGP
protocol can obtain other protocol routes after reallocation.
Set the route policy during reallocation, which means to filter or set the routing during
reallocation. For example, if match ip metric is set to 10 in the route map module
configuration, the BGP reallocation module will filter the route whose metric value is 10.
If set ip metric 20 is set on this route map module, the BGP will set the metric on these
routes after importing other protocol routes.

VRF Routing Policy


The VRF routing policy can be implemented by the following steps:
1. Define the characteristics of the routes to which the routing policy applies, that is,
define a group of match rules. You can set the rules based on various attributes in
the routing information, such as the destination address and the address of the router
that advertises the routing information.
2. Use the match rules in the routing policy, such as route advertisement, route receipt
and route allocation.

7.2.2 Configuring a Routing Policy


This procedure describes how to configure attributes and functions related to a routing
policy, including basic attributes, route attributes, and how a routing protocol invokes
a routing policy.

Steps
1. Configure basic attributes for a routing policy.

Command:  ZXR10(config)#route-map <route-map-name>[permit|deny][<sequence-number>]
Function: Creates a route-map of the routing policy and enters routing mapping
          configuration mode.

Command:  ZXR10(config-route-map)#match ip address *(<access-list-name>)
Function: Sets the match item in routing mapping configuration mode. Sets the match
          type to IPv4 routing item. Selects ACL for matching.

Command:  ZXR10(config-route-map)#match ip address prefix-list *(<prefix-list-name>)
Function: Sets the match item in routing mapping configuration mode. Sets the match
          type to IPv4 routing item. Selects prefix-list for matching.

Command:  ZXR10(config-route-map)#match ip metric *(<metric-value>)
Function: Matches the metric value of the routes. You can match several values.

Command:  ZXR10(config-route-map)#match ip tag *(<tag-value>)
Function: Matches the tag value of the routes. The OSPF and static routes carry this
          attribute. You can configure several values if necessary.

Command:  ZXR10(config-route-map)#match as-path *(<as-path-list-number>)
Function: Matches the as-path attributes of the BGP protocol route. You can configure
          several values if necessary.

Command:  ZXR10(config-route-map)#match community-list *(<community-list-number>)
Function: Matches the community attributes of the BGP protocol route. You can configure
          several values if necessary.

Command:  ZXR10(config-route-map)#match extcommunity-list *(<community-list-number>)
Function: Matches the extcommunity attributes of the BGP/VPN protocol route. You can
          configure several values if necessary.

Command:  ZXR10(config-route-map)#match route-type {external [type-1 | type-2]|internal|level-1|level-2|local}
Function: Matches the route type.

<route-map-name>: The name of the route mapping. Length: 1-31 characters.


permit | deny: A Route-Map contains one or more sequences. The attribute of each
sequence can be set to permit or deny. Permit means to perform the routing policy
after matching, and deny means to perform no operations regardless of the match
result.
<sequence-number>: The sequence ID of the Route-Map. Each Route-Map supports
one or more sequences. Routes are matched against the sequences in ascending order
of sequence ID. Once a route is matched, the sequence attribute decides whether the
routing policy is performed.
<access-list-name>: Sets the match type to ipv4-access-list. Matches the route and the
ACL.
prefix-list <prefix-list-name>: Sets the match type to prefix-list. Matches the route and
the prefix list.
ip metric *(<metric-value>): Sets the match type to ip metric. Range: 0-4294967295.
You can match several routes if necessary.
ip tag *(<tag-value>): Sets the match type to ip tag. Range: 0-4294967295. You
can match several routes if necessary.
as-path *(<as-path-list-number>): Sets the match type to as-path. Range: 1-199. You
can match several routes if necessary.
community-list *(<community-list-number>): Sets the match type to community-list.
Range: 1-499. You can match several routes if necessary.
extcommunity-list *(<community-list-number>): Sets the match type to
extcommunity-list. Range: 1-500. You can match several routes if necessary.
route-type {external [type-1|type-2]|internal|level-1|level-2|local}: Sets the match type to
route-type. Select the routing type based on requirements. You can configure several
match items of this type rather than configure several routes.
2. Configure routing attributes for a routing policy.

Command:  ZXR10(config-route-map)#set as-path prepend *(<as number>)
Function: Configures the route attributes of the routing policy. Sets the configuration
          type to as-path which is the particular attribute of the BGP protocol. You can
          configure several values if necessary.

Command:  ZXR10(config-route-map)#set community {none | additive*{no-advertise | no-export | no-export-subconfed | internet |<0-65535>:<0-65535>|<1-4294967295>})}
Function: The setting is exclusive to the BGP protocol. Sets the group attribute.

Command:  ZXR10(config-route-map)#set extcommunity rt-trans {{remove | additive *{<0-65535>:<0-4294967295>|<1-65535>.<0-65535>:<0-65535>| A.B.C.D:<0-65535>}}|{<0-65535>:<0-4294967295>|<1-65535>.<0-65535>:<0-65535>| A.B.C.D:<0-65535>})}
Function: The setting is exclusive to the BGP protocol. Sets the extended group
          attribute.

Command:  ZXR10(config-route-map)#set extcommunity soo-trans {<0-65535>:<0-4294967295>|<1-65535>.<0-65535>:<0-65535>| A.B.C.D:<0-65535>| remove}
Function: The setting is exclusive to the BGP protocol. Sets the extended group
          attribute.

Command:  ZXR10(config-route-map)#set dampening <half-life><reuse><suppress><max-suppress-time>
Function: The setting is exclusive to the BGP protocol. Sets the dampening attribute of
          the route.

Command:  ZXR10(config-route-map)#set local-preference <value>
Function: The setting is exclusive to the BGP protocol. Sets the local-preference
          attribute of the route.

Command:  ZXR10(config-route-map)#set origin {igp|egp |incomplete }
Function: The setting is exclusive to the BGP protocol. Sets the route source attribute.

Command:  ZXR10(config-route-map)#set level <level-value>
Function: Used by the ISIS protocol. Sets the ISIS routing attribute.

Command:  ZXR10(config-route-map)#set next-hop <ip-address>[<ip-address>]
Function: Sets the next hop router in the routing policy.

Command:  ZXR10(config-route-map)#set ip metric [+|-]<metric-value>
Function: Sets the metric value of the route.

Command:  ZXR10(config-route-map)#set ip metric-type {internal |external |type-1 |type-2 }

Command:  ZXR10(config-route-map)#set ip tag <tag-value>
Function: Sets the attributes of the OSPF and Static routes.

<half-life>: Changes the half period of routing damping sectors. Range: 1-45.
<reuse>: Changes the reuse value of the routing damping sectors. Range: 1-20000.
<suppress>: Changes the routing suppress value of the routing damping sectors.
Range: 1-20000.
<max-suppress-time>: Changes the maximum routing suppress value of the routing
damping sectors. The penalty value will not increase once the routing suppress time
expires. Range: 1-255.
3. Configure the RIP invoking routing policy.

Command:  ZXR10(config)#router rip
Function: Enters RIP configuration mode.

Command:  ZXR10(config-rip)#redistribute <protocol>[process-id][metric <metric-value>][route-map <route-map-name>]
Function: Reallocates the routes to the RIP domain from other routing protocol.

[process-id]: You should set instance IDs when reallocating the OSPF or the ISIS
routes. OSPF range: 1-65535, ISIS range: 0-65535, the ISIS value is 0 by default.
<protocol>: The key words of the reallocated source routing protocols can be:
ospf-ext, ospf-int, static, bgp-ext, bgp-int, connected, isis-1, isis-2, isis-1-2, nat, natpt,
ps-busi-addr, ps-user-addr, subscriber-aggregation, subscriber-host and user-special.
metric <metric-value>: Specify the route metric when this route is reallocated from
OSPF route to RIP route. Range: 1-16.
route-map <route-map-name>: The name of the reallocated routing mapping. Length:
1-31 characters. The RIP uses the Routing-Map routing policy in the reallocation
command.
4. Configure the IS-IS invoking routing policy.

Command:  ZXR10(config)#router isis [<process-id>][vrf <vrf-name>]
Function: Enters IS-IS route configuration mode.

Command:  ZXR10(config-isis-id)#redistribute <protocol>[ level-1 ][ level-1-2 ][ level-2 ][metric-type <metric-type>][metric <metric-value>][route-map <route-map-name>]
Function: Configures the reallocation in IS-IS route mode.

Command:  ZXR10(config-isis-id)#router-leak level-2 into level-1 route-map <route-map-name>
Function: Configures the reallocation leakage in IS-IS route mode.

<protocol>: Sets the routing source, such as connected, static, rip, isis <process-id>,
ospf <process-id>, bgp, nat, natpt, ps-busi-addr, ps-user-addr, sl-nat64-ipv4,
subscriber-aggregation, subscriber-host and user-special. If you want to re-allocate
the IS-IS or the OSPF route, you need to specify the corresponding instance number.
level-1: Route information is reallocated to the level-1 area.
level-1-2: Route information is reallocated to the level-1 and level-2 areas.
level-2: Route information is reallocated to the level-2 area.
<metric-type>: Decides the metric value (interface or external) carried by the
reallocated route.
<metric-value>: The metric value. Range: 0-4261412864.
route-map <route-map-name>: A reallocated route-map.
5. Configure the OSPF invoking routing policy.

Command:  ZXR10(config-ospf-process-id)#redistribute {sl-nat64-ipv4|user-special|nat|natpt|subscriber-host|subscriber-aggregation|static|connected|rip|{ospf-int|ospf-ext}<process-id>|{isis-1|isis-2|isis-1-2}[<process-id>]|{bgp-ext|bgp-int}[{[as <1-65535>/<1-65535>.<0-65535>],[peer <peer-address>]}]|{ps-busi-addr|ps-user-addr}[with-originate-metric]}[{[tag|<tag-value>],[metric <metric-value>],[metric-type {ext-2|ext-1}],[route-map <map-tag>]}]
Function: Configures the reallocation in OSPF route mode.

The reallocation routing source is connected, static, rip, is-is <process-id>,
ospf-int <process-id>, ospf-ext <process-id>, bgp-int, bgp-ext, nat, natpt,
ps-busi-addr, ps-user-addr, sl-nat64-ipv4, subscriber-aggregation, subscriber-host
and user-special. If you want to re-allocate the IS-IS or the OSPF route, you need to
specify the corresponding instance number.
<metric-type>: Set the LSA metric type after the redistribution, ext-1 or ext-2.
<metric-value>: The metric value. Range: 1-16777214.
route-map <route-map-name>: A reallocated route-map.
6. Configure the BGP invoking routing policy.

Command:  ZXR10(config)#router bgp {<1~65535>|<1~65535>.<0~65535>}
Function: Enters BGP route configuration mode.

Command:  ZXR10(config-bgp)#redistribute <protocol>[route-map <route-map-name>[metric <metric-value>]]
Function: Configures the reallocation of routes of other protocol types to the BGP.
          <protocol>: the protocol type. The instance ID is required for OSPF and ISIS.
          <route-map-name>: length 1-31 characters.

Command:  ZXR10(config-bgp)#bgp dampening [route-map <route-map-name>]
Function: Enables the BGP routing dampening, or modifies the BGP routing dampening
          sectors.

Command:  ZXR10(config-bgp)#neighbor {< ipv4-address>|<peer-group-name>} route-map <route-map-name>{ in | out}
Function: Filters the route sent by the neighbor peer group or received by the neighbor
          peer group. Sets the routing priority.
          in | out: used by importing or exporting.

Command:  ZXR10(config-bgp)#address-family ipv4 vrf <vrf-name>
Function: Enters the IPv4 vrf address family configuration mode.

Command:  ZXR10(config-bgp-af)#aggregate-address < ip-address>< net-mask>[ attribute-map < route-map-name>][ suppress-map< route-map-name>][as-set][summary-only][ strict]
Function: Creates an aggregation policy in the VRF route table.

7. Configure the VRF invoking routing policy.

Command:  ZXR10(config)#ip vrf <vrf-name>
Function: Creates VRF.

Command:  ZXR10(config-vrf-name)#rd <route-distinguisher>
Function: Configures RD.

Command:  ZXR10(config-vrf-name)#route-target [import | export | both ]<extended-community >
Function: Creates the route-target extended group attributes associated with VRF.

Command:  ZXR10(config-vrf-name)#address-family ipv4
Function: Activates the IPv4 VRF address family.

Command:  ZXR10(config-vrf-name-af-ipv4)#import map <route-map-name>
Function: Configures the imported route mapping associated with VRF.

Command:  ZXR10(config-vrf-name-af-ipv4)#export map <route-map-name>
Function: Configures the exported route mapping associated with VRF.

8. Verify the configurations.

Command:  ZXR10(config)#show running-config rip
Function: Displays the RIP protocol configuration, and checks whether the routing
          policies are used by various routing protocols.

Command:  ZXR10(config)#show running-config isis
Function: Displays the ISIS protocol configuration, and checks whether the routing
          policies are used by various routing protocols.

Command:  ZXR10(config)#show running-config ospfv2 | ospfv3
Function: Displays the OSPF protocol configuration, and checks whether the routing
          policies are used by various routing protocols.

Command:  ZXR10(config)#show running-config bgp
Function: Displays the BGP protocol configuration, and checks whether the routing
          policies are used by various routing protocols.

Command:  ZXR10(config)#show running-config vrf
Function: Checks whether the routing policies are used by VRF.

Command:  ZXR10(config)#show ip vrf detail [<vrf-name>]
Function: Displays detailed VRF configuration. You can specify a VRF instance and query
          its configuration.

Command:  ZXR10(config)#show ip vrf [<vrf-name>]
Function: Displays the configuration information of the VRF.

Command:  ZXR10(config)#show ip vrf brief [<vrf-name>]
Function: Displays the brief information of the VRF.

Command:  ZXR10(config)#show ip vrf summary
Function: Displays the summary of the VRF.

Command:  ZXR10(config)#show route-map [<route-map-name>]
Function: Displays detailed route-map template configuration.

End of Steps
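
The check in step 8 (whether the routing policies are used by the routing protocols) can be run offline against captured show running-config output. The following Python script is an added example, not ZTE code: it reports redistribute statements that carry no route-map, route-map names that are invoked but not defined in the capture, and route-maps that are defined but never invoked. The sample configuration is constructed in the layout this guide prints, and all function and variable names are hypothetical.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind context detail")

# Statements described in this guide that invoke a route-map by name.
REFERENCE_PATTERNS = [
    re.compile(r"\broute-map\s+(\S+)"),                   # redistribute, neighbor, bgp dampening
    re.compile(r"\b(?:import|export)\s+map\s+(\S+)"),     # VRF import map / export map
    re.compile(r"\b(?:attribute|suppress)-map\s+(\S+)"),  # aggregate-address
]
DEFINITION = re.compile(r"^route-map\s+(\S+)(?:\s+(?:permit|deny))?(?:\s+\d+)?$")
SECTION_TAG = re.compile(r"^!\s*<(/?)([\w-]+)>$")   # "! <rip>", "!</ospfv2>"
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")        # typed commands echoed in a capture


def audit(config_text):
    """Return a list of Finding tuples for one device's captured configuration."""
    defined, referenced, findings = set(), {}, []
    context = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "$" or PROMPT.match(line):
            continue
        tag = SECTION_TAG.match(line)
        if tag:
            # Opening tag names the section; closing tag returns to global scope.
            context = "global" if tag.group(1) else tag.group(2)
            continue
        if line.startswith("!"):
            continue
        definition = DEFINITION.match(line)
        if definition:
            defined.add(definition.group(1))
            context = "route-map " + definition.group(1)
            continue
        if line.startswith("router "):
            context = line
            continue
        names = [m.group(1) for p in REFERENCE_PATTERNS for m in p.finditer(line)]
        for name in names:
            referenced.setdefault(name, []).append((context, line))
        if line.startswith("redistribute ") and not names:
            # Routes are imported without any filter or attribute policy.
            findings.append(Finding("unfiltered", context, line))
    for name in sorted(referenced):
        if name not in defined:
            for ctx, line in referenced[name]:
                findings.append(Finding("undefined", ctx, f"{name} referenced by: {line}"))
    for name in sorted(defined - set(referenced)):
        findings.append(Finding("unused", "route-map " + name, name))
    return findings


# Constructed sample, modelled on the show running-config output in this guide.
SAMPLE = """\
R1(config)#show running-config route-map
! <rip>
router rip
  network 192.168.1.0 0.0.0.255
  redistribute static route-map www
$
! </rip>
! <route_isis>
router isis 44
  redistribute static route-map testisis
  redistribute connected
$
! </route_isis>
!<ospfv2>
  network 55.1.1.0 0.0.0.255 area 0.0.0.1
  redistribute static route-map ff
$
!</ospfv2>
! <route-map>
route-map www permit 10
  set ip metric 10
$
route-map ff permit 10
  match ip metric 0
  set ip tag 100
$
route-map test1 permit 10
  set local-preference 30000
$
! </route-map>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"[{finding.kind}] {finding.context}: {finding.detail}")
```

A finding is a prompt for review rather than proof of an error: a redistribute statement without a route-map may be intended, and a route-map may be defined on the device but missing from a partial capture.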

7.2.3 Routing Policy Configuration Instances


7.2.3.1 Configuration Instance of an RIP Reallocation Routing Policy
Configuration Description
As shown in Figure 7-1, the Routing Information Protocol (RIP) is run on R1 and R2. R1
and R2 can notify their RIP routes to each other, or reallocate routing information from
other routing protocols into their RIP routing information base. This topic takes a static
route as an example.
Figure 7-1 Configuration Instance of the RIP Reallocation Routing Policy

Configuration Approach
You can configure the RIP reallocation routing policy by:
1. Setting IPv4 addresses on the interfaces.
2. Enabling the RIP protocol on the network segment of the interfaces.
3. Reallocating routing information from other routing protocols by setting the
reallocation command.
4. Adding the route-map name(s) to the reallocation command.
5. Configuring the route-map policy.
6. Querying the configuration result, and verifying that the two devices can learn route
information from each other.

Configuration Flow
R1 is configured as follows:
R1(config)#router rip
R1(config-rip)#redistribute static route-map www
R1(config-rip)#network 192.168.1.0 0.0.0.255
R1(config-rip)#exit
R1(config)#ip route 3.3.3.0 255.255.255.0 loopback1 4
/*Not the optimum route, and will not be reallocated*/
R1(config)#ip route 3.3.3.0 255.255.255.0 gei-0/1/0/6 30.0.0.6 3
R1(config)#ip route 5.5.5.0 255.255.255.0 loopback2
R1(config)#route-map www permit 10
R1(config-route-map)#set ip metric 10
R1(config-route-map)#exit

R2 is configured as follows:
R2(config)#router rip
R2(config-rip)#network 192.168.1.0 0.0.0.255
R2(config-rip)#exit

Configuration Verification
Run the show commands on R1 and R2 to query the RIP, route-map and static route
configuration, the IPv4 route information and the RIP route table.
Route information on R1 is shown below:
R1(config)#show running-config rip
! <rip>
router rip
network 192.168.1.0 0.0.0.255
redistribute static route-map www
$
! </rip>

R1(config)#show running-config static


! <static_route>
ip route 3.3.3.0 255.255.255.0 loopback1 4
ip route 3.3.3.0 255.255.255.0 gei-0/1/0/6 30.0.0.6 3
ip route 5.5.5.0 255.255.255.0 loopback2
! </static_route>

R1(config)#show running-config route-map


! <route-map>
route-map www permit 10
set ip metric 10
$
! </route-map>

R1(config)#show ip rip database
Routes of rip:
h : is possibly down,in holddown time
f : out holddown time before flush

Dest  Metric  RtPrf  InstanceID  Time  From
*> 3.0.0.0/8  10  254  00:00:24  0.0.0.0
*> 3.3.3.0/24  10  00:00:00  0.0.0.0
*> 5.0.0.0/8  10  254  00:00:24  0.0.0.0
*> 5.5.5.0/24  10  00:00:00  0.0.0.0
*> 192.168.1.0/24  0  00:00:00  0.0.0.0

Route information on R2 is shown below:


R2(config)#show running-config rip
! <rip>
router rip
network 192.168.1.0 0.0.0.255
$
! </rip>

R2(config)#show ip rip database
Routes of rip:
h : is possibly down,in holddown time
f : out holddown time before flush

Dest  Metric  RtPrf  InstanceID  Time  From
*> 3.0.0.0/8  11  120  00:00:10  192.168.23.115
*> 5.0.0.0/8  11  120  00:00:10  192.168.23.115
*> 192.168.1.0/24  00:00:00  0.0.0.0

R2(config)#show ip protocol routing
Codes: OSPF-3D = ospf-type3-discard, OSPF-5D = ospf-type5-discard, TE = rsvpte,
OSPF-7D = ospf-type7-discard, USER-I = user-ipaddr, RIP-D = rip-discard,
OSPF-E = ospf-ext, ASBR-V = asbr-vpn, GW-FWD = ps-busi, GW-UE = ps-user,
BGP-AD = bgp-aggr-discard, BGP-CE = bgp-confed-ext, NAT64 = sl-nat64-v4,
USER-N = user-network, USER-S = user-special, DHCP-S = dhcp-static,
DHCP-D = dhcp-dft
Marks: *valid, >best, s-stale

Dest  NextHop  RoutePrf  RouteMetric  Protocol
*> 3.0.0.0/8  192.168.23.115  120  11  RIP
*> 5.0.0.0/8  192.168.23.115  120  11  RIP
*> 192.168.1.0/24  192.168.23.111  Direct
*> 192.168.1.2/32  192.168.23.111  Direct

7.2.3.2 Configuration Instance of an ISIS Routing Policy


Configuration Description
As shown in Figure 7-2, R1 and R2 have built neighbor relations in the level-1-2 area
successfully.


Configured with 2 static routes, R1 should carry the route-map when reallocating static
routes to the routing domain in the ISIS level-1 area.
Figure 7-2 Configuration Instance of an ISIS Routing Policy

Configuration Approach
1. Configure the IPv4 address of interfaces.
2. R1 and R2 are defined to the level-1-2 area and built with neighbor relations.
3. Configure the route-map testisis on R1.
4. Configure several static routes on R1.
5. R1 should carry the route-map when reallocating static routes to the routing domain.

Configuration Flow
1. Configure the IPv4 address of interfaces.
Configure the IP address of interfaces on R1:
R1(config)#interface gei-0/1/0/3
R1(config-if-gei-0/1/0/3)#no shutdown
R1(config-if-gei-0/1/0/3)#ip address 55.1.1.1 255.255.255.0
R1(config-if-gei-0/1/0/3)#exit

Configure the IP address of interfaces on R2:


R2(config)#interface gei-0/1/0/1
R2(config-if-gei-0/1/0/1)#no shutdown
R2(config-if-gei-0/1/0/1)#ip address 55.1.1.2 255.255.255.0
R2(config-if-gei-0/1/0/1)#exit

2. R1 and R2 are defined to the level-1-2 area and built with neighbor relations.
Configure the ISIS on R1:
R1(config)#router isis 44
R1(config-isis-44)#system-id 5555.5555.5555
R1(config-isis-44)#area 44
R1(config-isis-44)#is-type level-1-2
R1(config-isis-44)#metric-style narrow
R1(config-isis-44)#interface gei-0/1/0/3
R1(config-isis-44-if-gei-0/1/0/3)#ip router isis
R1(config-isis-44-if-gei-0/1/0/3)#exit
R1(config-isis-44)#exit

Configure the ISIS on R2:


R2(config)#router isis 44
R2(config-isis-44)#system-id 2222.2222.2222
R2(config-isis-44)#area 44
R2(config-isis-44)#is-type level-1-2
R2(config-isis-44)#metric-style narrow
R2(config-isis-44)#interface gei-0/1/0/1
R2(config-isis-44-if-gei-0/1/0/1)#ip router isis
R2(config-isis-44-if-gei-0/1/0/1)#exit
R2(config-isis-44)#exit

3. Configure route-map testisis on R1.


R1(config)#route-map testisis permit 10
R1(config-route-map)#set level level-1
R1(config-route-map)#set ip metric 10
R1(config-route-map)#set ip metric-type external
R1(config-route-map)#exit

4. Configure three static routes on R1.


R1(config)#ip route 1.2.3.4 255.255.255.255 192.168.1.103
R1(config)#ip route 20.0.0.0 255.255.255.0 192.168.5.203
R1(config)#ip route 168.178.19.0 255.255.255.0 177.77.16.2

5. R1 should carry the route-map when reallocating static routes to the routing domain.
R1(config)#router isis 44
R1(config-isis-44)#redistribute static route-map testisis
R1(config-isis-44)#exit

Configuration Verification
The ISIS configuration result is as follows:
R1(config)#show running-config isis
! <route_isis>
router isis 44
area 44
system-id 5555.5555.5555
is-type level-1-2
metric-style narrow
redistribute static route-map testisis
interface gei-0/1/0/3
ip router isis
$
$
! </route_isis>
R2(config)#show running-config isis
! <route_isis>
router isis 44
area 44
system-id 2222.2222.2222
is-type level-1-2
metric-style narrow
interface gei-0/1/0/1
ip router isis
$
$
! </route_isis>

The ROUTE-MAP configuration result is as follows:


R1(config)#show route-map testisis
[route-map testisis] IP type: IPv4
route-map testisis permit 10
set level level-1
set ip metric 10
set ip metric-type external

The static route configuration result is as follows:


R1(config)#show ip forwarding route static
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
status codes: *valid, >best

   Dest               Gw              Interface      Owner    Pri Metric
*> 1.2.3.4/32         192.168.1.103   gei-0/5/0/2    Static
*> 20.0.0.0/24        192.168.5.203   gei-0/5/0/2    Static
*> 168.178.19.0/24    177.77.16.2     smartgroup47   Static


Verify that the result is as expected. Check routes in the level-1 area on R1.
In narrow mode with metric-type external, metric=10+64=74.
By default, the routes are reallocated to the level-2 area. After the route-map is
configured, the routes can only be allocated to the level-1 area.
R1(config)#show isis database level-1 detail process-id 44
Process ID:44
IS-IS Level-1 Link State Database:
LSPID        LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
R1.00-00*    0x6           0xd6dc         1142           0/0/0
  NLPID:         0xcc
  Area Address:  00
  Ip Address:    55.1.1.1
  Hostname:      R1
  Metric: 10     IS neighbor R1.02
  Metric: 10     IP-Internal 55.1.1.0 255.255.255.0
LSPID        LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
R1.00-01*    0x8           0x9223         934            0/0/0
  Metric: 74     IP-External 1.2.3.4 255.255.255.255
  Metric: 74     IP-External 20.0.0.0 255.255.255.0
  Metric: 74     IP-External 168.178.19.0 255.255.255.0
  Hostname:      R1


On R2, check the three IS-IS routes learned from R1.


R2(config)#show ip forwarding route isis-l1
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
status codes: *valid, >best

   Dest               Gw         Interface     Owner     Pri Metric
*> 1.2.3.4/32         55.1.1.1   gei-0/3/0/5   ISIS-L1   115 84
*> 20.0.0.0/24        55.1.1.1   gei-0/3/0/5   ISIS-L1   115 84
*> 168.178.19.0/24    55.1.1.1   gei-0/3/0/5   ISIS-L1   115 84

7.2.3.3 Configuration Instance of the OSPF Routing Policy


Configuration Description
As shown in Figure 7-3, the R1 and R2 interfaces are in the OSPF area 1. R1 and R2
build OSPF neighbor relations successfully through the R1/R2 interfaces. After being
configured with three static routes, R1 reallocates routing information by the route-map.
Figure 7-3 Configuration Instance of the OSPF Routing Policy

Configuration Approach
1. Build relations between R1 and R2.
2. Configure the route-map on R1.
3. Configure several static routes on R1.
4. R1 reallocates static routing information by the route-map.


Configuration Flow
Step 1: Set addresses on the same network segment for R1 and R2 to build the OSPF neighbor relation.
R1(config)#interface gei-0/1/0/3
R1(config-if-gei-0/1/0/3)#no shutdown
R1(config-if-gei-0/1/0/3)#ip address 55.1.1.1 255.255.255.0
R1(config-if-gei-0/1/0/3)#exit
R1(config)#router ospf 2
R1(config-ospf-2)#network 55.1.1.0 0.0.0.255 area 0.0.0.1
R1(config-ospf-2)#exit
R2(config)#interface gei-0/1/0/1
R2(config-if-gei-0/1/0/1)#no shutdown
R2(config-if-gei-0/1/0/1)#ip address 55.1.1.2 255.255.255.0
R2(config-if-gei-0/1/0/1)#exit
R2(config)#router ospf 2
R2(config-ospf-2)#network 55.1.1.0 0.0.0.255 area 0.0.0.1
R2(config-ospf-2)#exit

Step 2: Configure the route-map on R1.


R1(config)#route-map ff
R1(config-route-map)#match ip metric 0
R1(config-route-map)#set ip metric 50
R1(config-route-map)#set ip metric-type type-1
R1(config-route-map)#set ip tag 100
R1(config-route-map)#exit

Step 3: Configure several static routes on R1.


R1(config)#ip route 1.2.3.4 255.255.255.255 192.168.1.103
R1(config)#ip route 20.0.0.0 255.255.255.0 192.168.5.203
R1(config)#ip route 168.178.19.0 255.255.255.0 177.77.16.2

Step 4: R1 should carry the route-map when reallocating static routes to the routing
domain.
R1(config)#router ospf 2
R1(config-ospf-2)#redistribute static route-map ff
R1(config-ospf-2)#exit

Configuration Verification
Check configuration result on R1 and the static and OSPF routes on R1.
R1(config-route-map)#show route-map ff
[route-map ff] IP type: IPv4
route-map ff permit 10
match ip metric 0
set ip metric 50
set ip metric-type type-1
set ip tag 100

R1(config)#show ip forwarding route static
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best

   Dest               Gw              Interface      Owner    Pri Metric
*> 1.2.3.4/32         192.168.1.103   gei-0/1/0/3    Static
*> 20.0.0.0/24        192.168.5.203   gei-0/1/0/3    Static
*> 168.178.19.0/24    177.77.16.2     smartgroup47   Static

R1(config)#show running-config ospfv2


!<ospfv2>
network 10.0.0.0 0.0.0.255 area 0.0.0.1
redistribute static route-map ff
$
!</ospfv2>

R1(config)#show ip ospf database process 2

OSPF Router with ID (61.61.61.1) (Process ID 2)

Router Link States (Area 0.0.0.1)
Link ID        ADV Router    Age   Seq#         Checksum   Link count
61.61.61.1     61.61.61.1    138   0x80000003   0xa7a1
1.2.3.2        1.2.3.2       140   0x80000003   0x8526

Net Link States (Area 0.0.0.1)
Link ID        ADV Router    Age   Seq#         Checksum
55.1.1.1       61.61.61.1    138   0x80000001   0x394f

Type-5 AS External Link States
Link ID        ADV Router    Age   Seq#         Checksum   Tag
20.0.0.0       61.61.61.1    189   0x80000001   0xd7f9     100
1.2.3.4        61.61.61.1    189   0x80000001   0x6e6d     100
168.178.19.0   61.61.61.1    189   0x80000001   0x1a5d     100


Check OSPF route properties on R2.


R2(config-ospfv2)#show ip forwarding route ospf
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best

   Dest               Gw         Interface     Owner   Pri Metric
*> 1.2.3.4/32         55.1.1.1   gei-0/1/0/1   OSPF    110 51
*> 20.0.0.0/24        55.1.1.1   gei-0/1/0/1   OSPF    110 51
*> 168.178.19.0/24    55.1.1.1   gei-0/1/0/1   OSPF    110 51

7.2.3.4 Configuration Instance of the BGP Routing Policy


Configuration Description
As shown in Figure 7-4, R1 and R2 have built EBGP neighbor relations, and R2 and R3
have built IBGP neighbor relations. R1 advertises the route to R2.
Configure route-map test1 on R2, and this policy takes effect on the incoming data packet
of R2. Configure route-map test2 on R2, and this policy takes effect on the outgoing data
packet of R2.
Figure 7-4 Configuration Instance of the BGP Routing Policy

Configuration Approach
1. R1 and R2 have built EBGP neighbor relations, and R2 and R3 have built IBGP neighbor
relations.
2. R1 advertises BGP routes to R2, and R2 and R3 can learn these routes.
3. Configure ipv4-access-list 1, ipv4-access-list 2, route-map test1 and route-map test2
on R2.
4. Configure route-map test1 on R2, and this policy takes effect on the incoming data
packet of R2. Configure route-map test2 on R2, and this policy takes effect on the
outgoing data packet of R2.

Note:
- The route-map can be used by incoming interface and outgoing interface. Other
  attributes are effective except the attribute of next-hop.
- The specific options for the BGP protocol in route-map include: set: community-list,
  dampening, local-preference, origin, as-path; match: as-path, community-list.

Configuration Flow
Step 1: Configure the IP addresses of the directly connected interfaces between the three
routers on the same network segments, and configure the EBGP neighbor.
Configure R1:
R1(config)#interface xgei-0/3/0/2
R1(config-if-xgei-0/3/0/2)#no shutdown
R1(config-if-xgei-0/3/0/2)#ip address 131.4.1.1 255.255.255.0
R1(config-if-xgei-0/3/0/2)#exit
R1(config)#router bgp 1011
R1(config-bgp)#neighbor 131.4.1.2 remote-as 200
R1(config-bgp)#exit

Configure R2:
R2(config)#interface xgei-0/3/0/1
R2(config-if-xgei-0/3/0/1)#no shutdown
R2(config-if-xgei-0/3/0/1)#ip address 131.4.1.2 255.255.255.0
R2(config-if-xgei-0/3/0/1)#exit
R2(config)#interface xgei-0/3/1/1
R2(config-if-xgei-0/3/1/1)#no shutdown
R2(config-if-xgei-0/3/1/1)#ip address 131.4.2.2 255.255.255.0
R2(config-if-xgei-0/3/1/1)#exit
R2(config)#router bgp 200
R2(config-bgp)#neighbor 131.4.1.1 remote-as 1011
R2(config-bgp)#neighbor 131.4.2.1 remote-as 200
R2(config-bgp)#exit

Configure R3:
R3(config)#interface xgei-0/3/1/2
R3(config-if-xgei-0/3/1/2)#no shutdown
R3(config-if-xgei-0/3/1/2)#ip address 131.4.2.1 255.255.255.0
R3(config-if-xgei-0/3/1/2)#exit
R3(config)#router bgp 200
R3(config-bgp)#neighbor 131.4.2.2 remote-as 200
R3(config-bgp)#exit

Step 2: R1 advertises 5 BGP routes to R2.


R1(config)#router bgp 1011
R1(config-bgp)#network 7.7.7.0 255.255.255.0
R1(config-bgp)#network 8.8.8.0 255.255.255.0
R1(config-bgp)#network 9.9.9.0 255.255.255.0
R1(config-bgp)#network 7.7.8.0 255.255.255.0
R1(config-bgp)#network 7.7.9.0 255.255.255.0
R1(config-bgp)#exit

Step 3: Configure route-map test1 and ACL list on R2.


R2(config)#ipv4-access-list 1
R2(config-ipv4-acl)#rule 1 permit 7.7.7.0 0.0.0.255
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-list 2
R2(config-ipv4-acl)#rule 1 permit 8.8.8.0 0.0.0.255
R2(config-ipv4-acl)#exit

R2(config)#route-map test1 permit 10
R2(config-route-map)#match ip address 1
R2(config-route-map)#match ip address 2
R2(config-route-map)#set local-preference 30000
R2(config-route-map)#exit
R2(config)#route-map test2 permit 10
R2(config-route-map)#match ip address 1
R2(config-route-map)#match ip metric 5
R2(config-route-map)#match as-path 1
R2(config-route-map)#match community-list 1
R2(config-route-map)#exit
R2(config)#route-map test2 permit 20
R2(config-route-map)#match ip address 2
R2(config-route-map)#set as-path prepend 2
R2(config-route-map)#set local-preference 200
R2(config-route-map)#set next-hop 10.1.1.0
R2(config-route-map)#set origin incomplete
R2(config-route-map)#exit

Step 4: Apply route-map test1 on R2 in the incoming direction, so that the policy takes
effect on what R2 receives from R1. Apply route-map test2 on R2 in the outgoing direction,
so that the policy takes effect on what R2 sends to R3.
R2(config)#router bgp 200
R2(config-bgp)#neighbor 131.4.1.1 route-map test1 in
R2(config-bgp)#neighbor 131.4.2.1 route-map test2 out
R2(config-bgp)#neighbor 131.4.2.1 send-med
R2(config-bgp)#exit

Configuration Verification
1. In step 2, after route advertisement, R2 and R3 can learn 5 routes.
R2(config)#show ip bgp route
Status codes: * valid, > best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
    Network        NextHop      Metric  LocPrf  RtPrf  Path
*>  7.7.7.0/24     131.4.1.1                    20     1011 i
*>  7.7.8.0/24     131.4.1.1                    20     1011 i
*>  7.7.9.0/24     131.4.1.1                    20     1011 i
*>  8.8.8.0/24     131.4.1.1                    20     1011 i
*>  9.9.9.0/24     131.4.1.1                    20     1011 i

R3(config)#show ip bgp route
Status codes: * valid, > best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
    Network        NextHop      Metric  LocPrf  RtPrf  Path
*>i 7.7.7.0/24     131.4.1.1            100     200    1011 i
*>i 7.7.8.0/24     131.4.1.1            100     200    1011 i
*>i 7.7.9.0/24     131.4.1.1            100     200    1011 i
*>i 8.8.8.0/24     131.4.1.1            100     200    1011 i
*>i 9.9.9.0/24     131.4.1.1            100     200    1011 i

2. In step 4, after the routing policy is bound on R2, R2 learns the routes 7.7.7.0/24 and
8.8.8.0/24, which match the match items in route-map test1. Routes that do not match
are not learned.
3. If a routing policy contains several match items, the relation between these items is
"and". As a result, route 7.7.7.0 cannot match route-map test2 permit 10, and it is not
advertised to R3.
4. After using the BGP routing policy:
R2(config)#show ip bgp summary
/*R2 learns two BGP routes from R1.*/
Neighbor     Ver  As    MsgRcvd  MsgSend  Up/Down   State/PfxRcd
131.4.1.1         1011  34       33       00:16:23
131.4.2.1         200   33       32       00:16:23

R2(config)#show ip bgp route /*Two BGP routing items*/
Status codes: * valid, > best, i-internal, s-stale
Origin codes: i-IGP, e-EGP, ?-incomplete
    Network        NextHop      Metric  LocPrf  RtPrf  Path
*>  7.7.7.0/24     131.4.1.1    0       30000   20     1011 i
*>  8.8.8.0/24     131.4.1.1            30000   20     1011 i

Detailed information of the two BGP routes:
R2(config)#show ip bgp route network 7.7.7.0 mask 255.255.255.0
BGP routing table entry for 7.7.7.0/24
2d18h received from 131.4.1.1 (1.2.3.1)
origin i,nexthop 131.4.1.1,metric 0,localpref 30000,rtpref 20,best,
as path [1011]
as4 path
R2(config)#show ip bgp route network 8.8.8.0 mask 255.255.255.0
BGP routing table entry for 8.8.8.0/24
2d18h received from 131.4.1.1 (1.2.3.1)
origin i,nexthop 131.4.1.1,metric 0,localpref 30000,rtpref 20,best,
as path [1011]
as4 path
2d18h advertised to 131.4.2.1 (1.2.3.2)
origin ?,nexthop 10.1.1.0,metric 0,localpref 200,
as path [2 1011]
as4 path

7.2.3.5 Configuration Instance of the VRF Routing Policy


Configuration Description
The VRF routing policy configuration instance network is shown in Figure 7-5.
Figure 7-5 Configuration Instance of the VRF Routing Policy

1. In Figure 7-5, a basic L3VPN network is established. PE1 and PE2 are in the same AS,
and an MP-IBGP neighbor relationship is established between them.
2. vrf test1 is configured on PE1. It advertises the route 199.199.199.1/32, generated by
the local loopback address, and the direct route 198.198.198.0/24 of the link connecting
to CE1.
3. vrf test1 is configured on PE2. It advertises the route 123.123.123.1/32, generated by
the local loopback address, and the direct route 182.182.182.0/24 of the link connecting
to CE2.
4. The vrf test1 route tables on the two PEs contain both local and remote routes, such as
199.199.199.1/32, 198.198.198.0/24, 123.123.123.1/32 and 182.182.182.0/24.
5. The route-map routing policy is used on vrf test1 of the PE.
For the incoming routes of network segments 123.123.123.1/32 and 182.182.182.0/24, the
policy is: you can import the 182.182.182.0/24 route from the vrf test1 neighbor.
For the outgoing routes of network segments 199.199.199.1/32 and 198.198.198.0/24, the
policy is: you can advertise the 199.199.199.1/32 route to the vrf test1 neighbor.
6. Verify the result of the routing policy after configuration.

Configuration Approach
1. Configure the basic L3VPN networking environment of CE1-PE1-PE2-CE2.
2. Confirm that the private network route tables on the two PEs have learned all routes
listed in the configuration description.
3. Configure route-maps on PE1 to define the characteristics of the routes to which the
routing policy applies. You can set these rules based on different properties in the route
information, such as the target address and the router address of the routing information.
4. Configure the route-maps used in the VRF instance on PE1 for importing and exporting
routes, so that the policies are applied when routes are received and imported and when
routes are released.

Configuration Flow
1. Configure basic L3VPN networking on PE1 and PE2.
Configure PE1:
PE1(config)#ip vrf test1
PE1(config-vrf-test1)#rd 10:10
PE1(config-vrf-test1)#route-target both 10:10
PE1(config-vrf-test1)#address-family ipv4
PE1(config-vrf-test1-af-ipv4)#exit
PE1(config-vrf-test1)#exit

PE1(config)#interface loopback30
PE1(config-if-loopback30)#ip vrf forwarding test1
PE1(config-if-loopback30)#ip add 199.199.199.1 255.255.255.255
PE1(config-if-loopback30)#exit
PE1(config)#interface gei-0/3/0/2
PE1(config-if-gei-0/3/0/2)#no shutdown
PE1(config-if-gei-0/3/0/2)#exit
PE1(config)#interface gei-0/3/0/2.10
PE1(config-if-gei-0/3/0/2.10)#ip vrf forwarding test1
PE1(config-if-gei-0/3/0/2.10)#ip add 198.198.198.1 255.255.255.0
PE1(config-if-gei-0/3/0/2.10)#exit

PE1(config)#vlan-configuration
PE1(config-vlan)#interface gei-0/3/0/2.10
PE1(config-subvlan-if-gei-0/3/0/2.10)#encapsulation-dot1q 10
PE1(config-subvlan-if-gei-0/3/0/2.10)#exit
PE1(config-vlan)#exit

PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 1.2.3.80 255.255.255.255
PE1(config-if-loopback1)#exit

PE1(config)#router bgp 200
PE1(config-bgp)#neighbor 1.2.3.82 remote-as 200
PE1(config-bgp)#neighbor 1.2.3.82 update-source loopback1
PE1(config-bgp)#address-family vpnv4
PE1(config-bgp-af)#neighbor 1.2.3.82 activate
PE1(config-bgp-af)#exit
PE1(config-bgp)#address-family ipv4 vrf test1
PE1(config-bgp-af)#redistribute address
PE1(config-bgp-af)#redistribute connected
PE1(config-bgp-af)#exit
PE1(config-bgp)#exit

Configure PE2:
PE2(config)#ip vrf test1
PE2(config-vrf-test1)#rd 10:10
PE2(config-vrf-test1)#route-target both 10:10
PE2(config-vrf-test1)#address-family ipv4
PE2(config-vrf-test1-af-ipv4)#exit
PE2(config-vrf-test1)#exit

PE2(config)#interface loopback10
PE2(config-if-loopback10)#ip vrf forwarding test1
PE2(config-if-loopback10)#ip add 123.123.123.1 255.255.255.255
PE2(config-if-loopback10)#exit
PE2(config)#interface gei-0/1/0/2
PE2(config-if-gei-0/1/0/2)#no shutdown
PE2(config-if-gei-0/1/0/2)#exit
PE2(config)#interface gei-0/1/0/2.10
PE2(config-if-gei-0/1/0/2.10)#ip vrf forwarding test1
PE2(config-if-gei-0/1/0/2.10)#ip add 182.182.182.1 255.255.255.0
PE2(config-if-gei-0/1/0/2.10)#exit

PE2(config)#vlan-configuration
PE2(config-vlan)#interface gei-0/1/0/2.10
PE2(config-subvlan-if-gei-0/1/0/2.10)#encapsulation-dot1q 10
PE2(config-subvlan-if-gei-0/1/0/2.10)#exit
PE2(config-vlan)#exit

PE2(config)#interface loopback1
PE2(config-if-loopback1)#ip add 1.2.3.82 255.255.255.255
PE2(config-if-loopback1)#exit

PE2(config)#router bgp 200
PE2(config-bgp)#neighbor 1.2.3.80 remote-as 200
PE2(config-bgp)#neighbor 1.2.3.80 update-source loopback1
PE2(config-bgp)#address-family vpnv4
PE2(config-bgp-af)#neighbor 1.2.3.80 activate
PE2(config-bgp-af)#exit
PE2(config-bgp)#address-family ipv4 vrf test1
PE2(config-bgp-af)#redistribute address
PE2(config-bgp-af)#redistribute connected
PE2(config-bgp-af)#exit
PE2(config-bgp)#exit

2. Check VRF routes on PE1 and PE2.


The following content is shown on PE1:
PE1(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best
   Dest               Gw             Interface       Owner    Pri Metric
*> 123.123.123.1/32   1.2.3.82       posgroup2       BGP      200 0
*> 182.182.182.0/24   1.2.3.82       posgroup2       BGP      200 0
*> 182.182.182.1/32   1.2.3.82       posgroup2       BGP      200 0
*> 198.198.198.0/24   198.198.198.1  gei-0/3/0/2.10  Direct
*> 198.198.198.1/32   198.198.198.1  gei-0/3/0/2.10  Address
*> 199.199.199.1/32   199.199.199.1  loopback30      Address

The following content is shown on PE2:
PE2(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best
   Dest               Gw             Interface       Owner    Pri Metric
*> 123.123.123.1/32   123.123.123.1  loopback10      Address
*> 182.182.182.0/24   182.182.182.1  gei-0/1/0/2.10  Direct
*> 182.182.182.1/32   182.182.182.1  gei-0/1/0/2.10  Address
*> 198.198.198.0/24   1.2.3.80       posgroup2       BGP      200 0
*> 198.198.198.1/32   1.2.3.80       posgroup2       BGP      200 0
*> 199.199.199.1/32   1.2.3.80       posgroup2       BGP      200 0

3. Configure the route-maps on PE1 that are used in the VRF.
Configure route-map test1 to restrict route advertisement in the exporting direction.
PE1(config)#ip prefix-list test1 seq 5 permit 199.199.199.1 32
PE1(config)#route-map test1
PE1(config-route-map)#match ip address prefix-list test1
PE1(config-route-map)#exit

Configure route-map test2 to restrict route advertisement in the importing direction.
PE1(config)#ip prefix-list test2 seq 5 permit 182.182.182.0 24 ge 32
PE1(config)#route-map test2
PE1(config-route-map)#match ip address prefix-list test2
PE1(config-route-map)#exit

Use the route-maps in vrf test1.


PE1(config)#ip vrf test1
PE1(config-vrf)#address ipv4
PE1(config-vrf-af)#export map test1
PE1(config-vrf-af)#import map test2
PE1(config-vrf-af)#exit
PE1(config-vrf)#exit

4. Apply the route-map to the VRF on PE1.
Configure route-map test2 to restrict route advertisement in the import direction.
PE1(config)#ip prefix-list test2 seq 5 permit 182.182.182.0 24 ge 32
PE1(config)#route-map test2
PE1(config-route-map)#match ip address prefix-list test2
PE1(config-route-map)#exit

Apply the route-map to vrf test1.


PE1(config)#ip vrf test1
PE1(config-vrf-test1)#address-family ipv4
PE1(config-vrf-test1-af-ipv4)#export map test1
PE1(config-vrf-test1-af-ipv4)#import map test2
PE1(config-vrf-test1-af-ipv4)#exit
PE1(config-vrf-test1)#exit

Configuration Verification
If the configuration is successful, after running the show running-config command, the
following information is displayed:
PE1#show running-config bgp
! <route-bgp>

router bgp 200
neighbor 1.2.3.82 remote-as 200
neighbor 1.2.3.82 activate
neighbor 1.2.3.82 update-source loopback1
address-family ipv4 vrf test1
redistribute address
redistribute connected
$
address-family ipv4 multicast
$
address-family l2vpn vpls
$
address-family vpnv4
neighbor 1.2.3.82 activate
$

$
! </route-bgp>

PE1#show running-config vrf | begin test1


ip vrf test1
rd 10:10
route-target import 10:10
route-target export 10:10
address-family ipv4
import map test2
export map test1
$
$
! </VRF>

PE1#show route-map test1


[route-map test1] IP type: IPv4
route-map test1 permit 10
match ip address prefix-list test1
PE1#show route-map test2
[route-map test2] IP type: IPv4
route-map test2 permit 10
match ip address prefix-list test2
PE1#show ip prefix-list test1
ip prefix-list test1 :
seq 5 permit 199.199.199.1 32
PE1#show ip prefix-list test2
ip prefix-list test2 :
seq 5 permit 182.182.182.0 24 ge 32

In the exporting direction, the vrf test1 route table before the VRF routing policy is
applied is:
PE1(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best
   Dest               Gw             Interface       Owner    Pri Metric
*> 123.123.123.1/32   1.2.3.82       posgroup2       BGP      200 0
*> 182.182.182.0/24   1.2.3.82       posgroup2       BGP      200 0
*> 182.182.182.1/32   1.2.3.82       posgroup2       BGP      200 0
*> 198.198.198.0/24   198.198.198.1  gei-0/3/0/2.10  Direct
*> 198.198.198.1/32   198.198.198.1  gei-0/3/0/2.10  Address
*> 199.199.199.1/32   199.199.199.1  loopback30      Address

Changes to:
PE1(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best
   Dest               Gw             Interface       Owner    Pri Metric
*> 182.182.182.1/32   1.2.3.82       posgroup2       BGP      200 0
*> 198.198.198.0/24   198.198.198.1  gei-0/3/0/2.10  Direct
*> 198.198.198.1/32   198.198.198.1  gei-0/3/0/2.10  Address
*> 199.199.199.1/32   199.199.199.1  loopback30      Address

In the importing direction, two routes advertised by the opposite PE2 are filtered out:
*> 123.123.123.1/32   1.2.3.82       posgroup2       BGP      200 0
*> 182.182.182.0/24   1.2.3.82       posgroup2       BGP      200 0

The route that matches ip prefix-list test2 seq 5 permit 182.182.182.0 24 ge 32, specified
in route-map test2, is:
*> 182.182.182.1/32   1.2.3.82       posgroup2       BGP      200 0

Routing policy test1 is used in the exporting direction on the PE. The vrf test1 route
table on PE2 is:
PE2(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best
   Dest               Gw             Interface       Owner    Pri Metric
*> 123.123.123.1/32   123.123.123.1  loopback10      Address
*> 182.182.182.0/24   182.182.182.1  gei-0/1/0/2.10  Direct
*> 182.182.182.1/32   182.182.182.1  gei-0/1/0/2.10  Address
*> 198.198.198.0/24   1.2.3.80       posgroup2       BGP      200 0
*> 198.198.198.1/32   1.2.3.80       posgroup2       BGP      200 0
*> 199.199.199.1/32   1.2.3.80       posgroup2       BGP      200 0

Change to:
PE2(config)#show ip forwarding route vrf test1
IPv4 Routing Table:
Headers: Dest: Destination, Gw: Gateway, Pri: Priority;
Codes  : BROADC: Broadcast, USER-I: User-ipaddr, USER-S: User-special,
         MULTIC: Multicast, USER-N: User-network, DHCP-D: DHCP-DFT,
         ASBR-V: ASBR-VPN, STAT-V: Static-VRF, DHCP-S: DHCP-static,
         GW-FWD: PS-BUSI, NAT64: Stateless-NAT64, LDP-A: LDP-area,
         GW-UE: PS-USER, P-VRF: Per-VRF-label, TE: RSVP-TE;
Status codes: *valid, >best
   Dest               Gw             Interface       Owner    Pri Metric
*> 123.123.123.1/32   123.123.123.1  loopback10      Address
*> 182.182.182.0/24   182.182.182.1  gei-0/1/0/2.10  Direct
*> 182.182.182.1/32   182.182.182.1  gei-0/1/0/2.10  Address
*> 199.199.199.1/32   1.2.3.80       posgroup2       BGP      200 0

As seen from above, only one route is learned from the remote 1.2.3.80:
*> 199.199.199.1/32   1.2.3.80       posgroup2       BGP      200 0

This route satisfies the match condition ip prefix-list test1 seq 5 permit 199.199.199.1 32
defined in route-map test1.
The two unmatched routes are filtered out:
*> 198.198.198.0/24   1.2.3.80       posgroup2       BGP      200 0
*> 198.198.198.1/32   1.2.3.80       posgroup2       BGP      200 0
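
The filtering result above can be reproduced offline. The following Python model is an added example, not ZTE code: it assumes the common prefix-list semantics (an entry without ge/le matches only its exact mask length; with ge and/or le the mask length must fall in that range, le defaulting to 32) and an implicit deny for unmatched routes. Function names are hypothetical; the route lists are copied from the tables above.

```python
import ipaddress
import re

# Entry form used on this page: "seq N permit|deny A.B.C.D LEN [ge X] [le Y]"
ENTRY_RE = re.compile(
    r"seq\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<addr>[\d.]+)\s+(?P<len>\d+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?\s*$"
)


def parse_entry(line):
    """Turn one 'ip prefix-list ...' line into a dict with an allowed mask-length range."""
    m = ENTRY_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised prefix-list entry: {line!r}")
    length = int(m["len"])
    # strict=False tolerates host bits in the entry address
    net = ipaddress.ip_network(f"{m['addr']}/{length}", strict=False)
    ge, le = m["ge"], m["le"]
    if ge is None and le is None:
        lo = hi = length                    # exact mask length only
    else:
        lo = int(ge) if ge else length      # assumed: ge sets the lower bound
        hi = int(le) if le else 32          # assumed: le defaults to 32
    if not length <= lo <= hi <= 32:
        raise ValueError(f"invalid ge/le range in {line!r}")
    return {"seq": int(m["seq"]), "permit": m["action"] == "permit",
            "net": net, "lo": lo, "hi": hi}


def permits(entries, route):
    """Lowest-seq matching entry decides; a route that matches nothing is denied."""
    route = ipaddress.ip_network(route)
    for e in sorted(entries, key=lambda e: e["seq"]):
        if route.subnet_of(e["net"]) and e["lo"] <= route.prefixlen <= e["hi"]:
            return e["permit"]
    return False


def filter_routes(entries, routes):
    """Split routes into (kept, filtered), as a route-map with one permit sequence would."""
    kept = [r for r in routes if permits(entries, r)]
    return kept, [r for r in routes if r not in kept]


# Prefix-lists exactly as configured on PE1 in this section.
TEST1 = [parse_entry("ip prefix-list test1 seq 5 permit 199.199.199.1 32")]
TEST2 = [parse_entry("ip prefix-list test2 seq 5 permit 182.182.182.0 24 ge 32")]
# Same entry without "ge 32", constructed here only to show the difference.
TEST2_NO_GE = [parse_entry("ip prefix-list demo seq 5 permit 182.182.182.0 24")]

# BGP routes PE1 receives from PE2 (gateway 1.2.3.82) before the import map.
FROM_PE2 = ["123.123.123.1/32", "182.182.182.0/24", "182.182.182.1/32"]
# BGP routes PE2 receives from PE1 (gateway 1.2.3.80) before the export map.
FROM_PE1 = ["198.198.198.0/24", "198.198.198.1/32", "199.199.199.1/32"]

if __name__ == "__main__":
    print("import map test2 :", filter_routes(TEST2, FROM_PE2))
    print("export map test1 :", filter_routes(TEST1, FROM_PE1))
    print("test2 without ge :", filter_routes(TEST2_NO_GE, FROM_PE2))
```

With "ge 32" only host routes inside 182.182.182.0/24 pass the import map; without it, only the /24 itself would pass.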

7.3 Policy Routing Configuration


7.3.1 Policy Routing Overview
Policy Routing Introduction
Conventionally, a router obtains the next hop by looking up the destination address in the
routing table, and then forwards the message. Routing table entries are either specified
statically by the network administrator or generated dynamically by a routing protocol
through its routing algorithm.
Compared with traditional routing, policy routing is more powerful and more flexible.
With policy routing, the network administrator can select the forwarding path according to
destination address, message application (TCP/UDP port number) or source IP address.
In message forwarding control, policy routing is more powerful than conventional routing.
Policy routing can implement traffic engineering to a certain extent, so that traffic of
different service quality or different service data (such as voice and File Transfer Protocol
(FTP)) goes through different paths. Users have higher and higher requirements for network
performance. Therefore, it is necessary to select different packet forwarding paths based
on the differences between services or user categories.
On ZXR10 M6000-S, the network administrator can define different route-maps by using the
match and set clauses, and apply a route-map to the interfaces that receive messages, to
realize path selection.
Each route-map has a series of sequences. Each sequence contains many match and set
clauses.
• The match clause defines the conditions for matching. When a received packet matches
  the conditions, policy routing is performed.
• The set clause defines the actions to be performed when the conditions are matched.

When a packet fails to meet the match conditions of a sequence, it continues to be matched
against the next sequence.

Policy Routing Work Flow


When a router receives a packet, it first checks whether policy routing is bound to the
egress interface. If there is no binding, the router looks up the destination address in the
routing table and then forwards the packet. If policy routing is already bound to the egress
interface, the router processes the packet according to the sequences of the route-map. The
detailed steps are listed below:
1. The router first matches the received packet against the ACL configured in the first
sequence. If the match fails, the router matches the packet against the ACL configured in
the next sequence, and so on. If the match succeeds, the router obtains the attribute of
that sequence.
2. If the attribute of the sequence is deny, the packet is forwarded by the normal route.
If the attribute is permit, the router forwards the packet according to the set items of
the sequence.
3. If the set ip path interface parameter exists, the router sends the message to the set
next-hop.
4. The router checks whether a valid set ip next-hop (direct next-hop) exists. If there are
multiple set ip next-hop items, the router selects the first valid next-hop in configuration
order. If a valid set ip next-hop item exists, the router forwards the packet to the
specified next-hop.
5. If set ip next-hop is not configured or no set ip next-hop is valid, the router checks
whether a valid egress interface exists (the egress interface exists and is in UP state).
If there are multiple set interface items, the router selects the first valid egress
interface in configuration order. If a valid egress interface exists, the router forwards
the packet from that egress interface directly. Otherwise, it forwards the packet by the
normal route.
6. For a normal route, if the router finds the corresponding route in the forwarding table,
it forwards the packet according to that route. Otherwise, if the system has no default
route, the router discards the packet.
If the next hop of policy routing is an indirectly connected IP address, the policy routing
is still valid as long as the next hop can be resolved by looking it up in the local routing
table, as shown in Figure 7-6. The next hop address of policy routing is set to 200.1.1.2
on R1.
Figure 7-6 Next Hop of an Indirect-Connected IP Address

The ip next hop of policy routing on R1 can be set to the IP address of ISP2, and it takes
effect as soon as there is a route from R1 to ISP2. If R1 has a route pointing to ISP2 and
the next-hop of that route is R2, then after the policy routing is bound to gei-0/2/1/2 on
R1, the traffic coming from ISP1 that meets the matching rules of the policy routing is
sent to R2. If the traffic does not meet the matching rules of the policy routing, it will
be discarded.

7.3.2 Configuring Policy Routing


This procedure describes how to configure a policy routing.

Steps
1. Configure basic attributes for a policy routing.
Step  Command                                                                                 Function
1     ZXR10(config)#route-map <route-map-name>[permit | deny][<sequence-number>]              Creates a route-map to be used for policy routing and
                                                                                              enters route map configuration mode.
2     ZXR10(config-route-map)#match ip address *(<access-list-name>)                          Configures match criteria in route map configuration mode
                                                                                              and performs policy routing on the packets which match
                                                                                              the ACL list. The ACL can be either standard or extended.
3     ZXR10(config-route-map)#set ip next-hop <ip-address>[track <sqa-name>]                  Routes data packets to the specified next hop when
                                                                                              policy routing is available for data packets. At most
                                                                                              10 IP addresses can be set.
4     ZXR10(config-route-map)#set ip path interface <interface-name> next-hop <ip-address>    When a data packet can be forwarded by a policy, forwards
                                                                                              the data packet to the specific Ethernet outgoing
                                                                                              interface or the next-hop. The outgoing interface and
                                                                                              next-hop are mutually exclusive.
5     ZXR10(config-route-map)#set interface *(<interface-name>)                               Routes data packets to the specified interface when
                                                                                              policy routing is available for data packets.
6     ZXR10(config-route-map)#set ip tos <tos-value>                                          Configures the IP tos parameter.
7     ZXR10(config-route-map)#set ip precedence <precedence-value>                            Configures the IP precedence parameter.
8     ZXR10(config)#ip policy interface <interface-name> route-map <route-map-name>           Configures fast forwarding based on policy routing.

<map-tag>: Name of the route map, the length is 1-31 characters.


permit: If the route map meets matching conditions, then redistribution or policy route
is permitted.
deny: If the route map meets matching conditions, then redistribution or policy route is
denied.
<sequence-number>: Sequence number, the range is 0-65535.
2. Configure a VRF policy route.
Step  Command                                                                                 Function
1     ZXR10(config)#route-map <route-map-name>[permit | deny][<sequence-number>]              Creates a route-map to be used for policy route and
                                                                                              enters route map configuration mode.
2     ZXR10(config-route-map)#set vrf <vrf-name>                                              Sets VRF name. When data packets meet a matching item of
                                                                                              the policy map to be used for policy routing, use set vrf
                                                                                              command to route data packets to the specified vpnid.
3     ZXR10(config-route-map)#set vrf <vrf-name> ip next-hop <ip-address>[track <sqa-name>]   Sets the next-hop address of the specified VRF.
4     ZXR10(config-route-map)#set global                                                      Routes datagram packets on the access side of the VRF in
                                                                                              a private network to a link of a normal egress interface.
5     ZXR10(config-route-map)#set global [ip next-hop <ip-address>]                           Routes datagram packets on the access side of the VRF in
                                                                                              a specified private network to one next-hop path of a
                                                                                              public network.

3. Verify the configurations.


Command                                Function
ZXR10#show route-map <route-map-name>  Displays the information of route-map.
ZXR10#show running-config pbr          Displays the pbr binding information on interface.

End of Steps

7.3.3 Policy Routing Configuration Examples


7.3.3.1 Policy Routing Configuration Instance One
Configuration Description
As shown in Figure 7-7, the router (ZXR10) connects the users of two subnets through
different interfaces. Two ISP egresses are available, and the users select different
egresses according to their IP addresses. Users belonging to the subnet 10.10.0.0/24
use the ISP1 egress, and users belonging to the subnet 11.11.0.0/24 use the ISP2 egress.

Figure 7-7 Policy Routing Configuration Instance One

Configuration Flow
1. Configure IP addresses of interfaces.
2. Create ACL to define the traffic to be controlled.
3. Create route-map, associate ACL and define actions.
4. Associate route-map to the corresponding interfaces.

Configuration Command
Configuration on ZXR10
ZXR10(config)#interface gei-0/1/1/1
ZXR10(config-if-gei-0/1/1/1)#no shutdown
ZXR10(config-if-gei-0/1/1/1)#description To User1
ZXR10(config-if-gei-0/1/1/1)#ip address 10.10.0.254 255.255.255.0
ZXR10(config-if-gei-0/1/1/1)#exit

ZXR10(config)#show running-config-interface gei-0/1/1/1


!<Interface>
interface gei-0/1/1/1
no shutdown
description To User1
ip address 10.10.0.254 255.255.255.0
$
!</Interface>

ZXR10(config)#interface gei-0/1/1/2
ZXR10(config-if-gei-0/1/1/2)#no shutdown
ZXR10(config-if-gei-0/1/1/2)#description To User2
ZXR10(config-if-gei-0/1/1/2)#ip address 11.11.0.254 255.255.255.0
ZXR10(config-if-gei-0/1/1/2)#exit

ZXR10(config)#show running-config-interface gei-0/1/1/2


!<Interface>

interface gei-0/1/1/2
no shutdown
description To User2
ip address 11.11.0.254 255.255.255.0
$
!</Interface>

ZXR10(config)#interface gei-0/2/1/1
ZXR10(config-if-gei-0/2/1/1)#no shutdown
ZXR10(config-if-gei-0/2/1/1)#description To ISP1
ZXR10(config-if-gei-0/2/1/1)#ip address 100.1.1.2 255.255.255.252
ZXR10(config-if-gei-0/2/1/1)#exit

ZXR10(config)#show running-config-interface gei-0/2/1/1


!<Interface>
interface gei-0/2/1/1
no shutdown
description To ISP1
ip address 100.1.1.2 255.255.255.252
$
!</Interface>

ZXR10(config)#interface gei-0/2/1/2
ZXR10(config-if-gei-0/2/1/2)#no shutdown
ZXR10(config-if-gei-0/2/1/2)#description To ISP2
ZXR10(config-if-gei-0/2/1/2)#ip address 200.1.1.2 255.255.255.252

ZXR10(config-if-gei-0/2/1/2)#exit

ZXR10(config)#show running-config-interface gei-0/2/1/2


!<Interface>
interface gei-0/2/1/2
no shutdown
description To ISP2
ip address 200.1.1.2 255.255.255.252
$
!</Interface>

ZXR10(config)#ip route 0.0.0.0 0.0.0.0 100.1.1.1


ZXR10(config)#ipv4-access-list 10
ZXR10(config-ipv4-acl)#rule 1 permit 10.10.0.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit

ZXR10(config)#show ipv4-access-lists name 10


ipv4-access-list 10
1/1 (showed/total)

1 permit 10.10.0.0 0.0.0.255

ZXR10(config)#ipv4-access-list 20
ZXR10(config-ipv4-acl)#rule 1 permit 11.11.0.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#show ipv4-access-lists name 20
ipv4-access-list 20
1/1 (showed/total)
1 permit 11.11.0.0 0.0.0.255

/*Forward the messages that match ACL 10 to 100.1.1.1.*/
ZXR10(config)#route-map source-ip permit 10
ZXR10(config-route-map)#match ip address 10
ZXR10(config-route-map)#set ip next-hop 100.1.1.1
ZXR10(config-route-map)#exit

/*Forward the messages that match ACL 20 to 200.1.1.1.*/
ZXR10(config)#route-map source-ip permit 20
ZXR10(config-route-map)#match ip address 20
ZXR10(config-route-map)#set ip next-hop 200.1.1.1
ZXR10(config-route-map)#exit

/*Binding the route-map source-ip to an interface.*/


ZXR10(config)#ip policy interface gei-0/1/1/1 route-map source-ip

ZXR10(config)#show running-config pbr


!<pbr>
ip policy interface gei-0/1/1/1 route-map source-ip
!</pbr>

/*Binding the route-map source-ip to an interface.*/


ZXR10(config)#ip policy interface gei-0/1/1/2 route-map source-ip

ZXR10(config)#show running-config pbr


!<pbr>
ip policy interface gei-0/1/1/2 route-map source-ip
!</pbr>

In this example, there are three conditions.
1. When both the ISP1 and ISP2 egresses run properly, user services of 10.10.0.0/24 use the
ISP1 egress and user services of 11.11.0.0/24 use the ISP2 egress.
2. When the ISP1 egress runs properly but the ISP2 egress runs improperly, user services
of both subnetworks use the ISP1 egress. At this time, user services of subnetwork
11.11.0.0/24 use the default route.
3. When the ISP1 egress runs improperly and the ISP2 egress runs properly, user services of
the subnetwork 11.11.0.0/24 are normal, but those of the subnetwork 10.10.0.0/24 are
interrupted.

Configuration Verification
The configuration of the route-map is shown below.
ZXR10(config)#show route-map source-ip
[route-map source-ip] IP type: IPv4
route-map source-ip permit 10
match ip address 10
set ip next-hop 100.1.1.1
route-map source-ip permit 20
match ip address 20
set ip next-hop 200.1.1.1
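
The work flow in 7.3.1 and the three conditions of this instance can be checked with a small model. The following Python code is an added example, not ZTE code: it assumes the packet arrived on an interface bound to route-map source-ip, treats a next hop as valid when it is in a caller-supplied reachable set, and leaves out the set ip path interface step. Function names, host addresses and the destination address are hypothetical.

```python
import ipaddress

# Constructed from Policy Routing Configuration Instance One on this page.
ACLS = {
    "10": [("permit", "10.10.0.0", "0.0.0.255")],   # rule 1 permit 10.10.0.0 0.0.0.255
    "20": [("permit", "11.11.0.0", "0.0.0.255")],   # rule 1 permit 11.11.0.0 0.0.0.255
}
ROUTE_MAP_SOURCE_IP = [
    {"seq": 10, "action": "permit", "acl": "10", "next_hops": ["100.1.1.1"], "interfaces": []},
    {"seq": 20, "action": "permit", "acl": "20", "next_hops": ["200.1.1.1"], "interfaces": []},
]
STATIC_ROUTES = [("0.0.0.0/0", "100.1.1.1")]        # ip route 0.0.0.0 0.0.0.0 100.1.1.1


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(rules, src):
    """First rule whose wildcard-masked address equals the source decides; else implicit deny."""
    for action, base, wildcard in rules:
        care = ~to_int(wildcard) & 0xFFFFFFFF        # bits that must match
        if (to_int(src) & care) == (to_int(base) & care):
            return action == "permit"
    return False


def normal_route(dst, routes, reachable):
    """Step 6: longest-prefix match over routes whose next hop is usable; otherwise discard."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and next_hop in reachable:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return ("normal-route", best[1]) if best else ("discard", None)


def forward(src, dst, route_map, acls, routes, reachable, up_interfaces=frozenset()):
    """Decide how a packet received on an interface bound to route_map is forwarded."""
    for seq in sorted(route_map, key=lambda s: s["seq"]):
        if not acl_permits(acls[seq["acl"]], src):
            continue                                 # step 1: try the next sequence
        if seq["action"] == "permit":                # step 2: deny goes to the normal route
            for nh in seq["next_hops"]:              # step 4: first valid next hop wins
                if nh in reachable:
                    return ("policy-next-hop", nh)
            for ifname in seq["interfaces"]:         # step 5: first UP egress interface wins
                if ifname in up_interfaces:
                    return ("policy-interface", ifname)
        break                                        # matched, but no usable set item
    return normal_route(dst, routes, reachable)


def three_conditions(dst="203.0.113.9"):
    """Evaluate the three ISP up/down cases for one host in each user subnet."""
    cases = {
        "both up": {"100.1.1.1", "200.1.1.1"},
        "ISP2 down": {"100.1.1.1"},
        "ISP1 down": {"200.1.1.1"},
    }
    return {
        name: {src: forward(src, dst, ROUTE_MAP_SOURCE_IP, ACLS, STATIC_ROUTES, reachable)
               for src in ("10.10.0.5", "11.11.0.5")}
        for name, reachable in cases.items()
    }


if __name__ == "__main__":
    for name, result in three_conditions().items():
        print(name, result)
```

In the "ISP1 down" case the 10.10.0.0/24 host is discarded because both its policy next hop and the only default route point at 100.1.1.1.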

7.3.3.2 Policy Routing Configuration Instance Two


Configuration Description
As shown in Figure 7-8, users of different subnetworks access the router through the same
interface, so the configuration of policy routing is modified accordingly.
Figure 7-8 Policy Routing Configuration Instance Two

Configuration Flow
1. Configure IP addresses of interfaces.
2. Create ACL to define the traffic to be controlled.
3. Create route-map, associate ACL and define actions.
4. Associate route-map to the corresponding interfaces.

Configuration Command
Configuration on ZXR10:
ZXR10(config)#interface gei-0/1/1/1

ZXR10(config-if-gei-0/1/1/1)#no shutdown
ZXR10(config-if-gei-0/1/1/1)#description To User
ZXR10(config-if-gei-0/1/1/1)#ip address 192.168.1.1 255.255.255.252
ZXR10(config-if-gei-0/1/1/1)#exit
ZXR10(config)#show running-config-interface gei-0/1/1/1
!<Interface>
interface gei-0/1/1/1
no shutdown
description To User
ip address 192.168.1.1 255.255.255.252
$
!</Interface>

ZXR10(config)#interface gei-0/2/1/1
ZXR10(config-if-gei-0/2/1/1)#no shutdown
ZXR10(config-if-gei-0/2/1/1)#description To ISP1
ZXR10(config-if-gei-0/2/1/1)#ip address 100.1.1.2 255.255.255.252
ZXR10(config-if-gei-0/2/1/1)#exit
ZXR10(config)#show running-config-interface gei-0/2/1/1
!<Interface>
interface gei-0/2/1/1
no shutdown
description To ISP1
ip address 100.1.1.2 255.255.255.252
$
!</Interface>
ZXR10(config)#interface gei-0/2/1/2
ZXR10(config-if-gei-0/2/1/2)#no shutdown
ZXR10(config-if-gei-0/2/1/2)#description To ISP2
ZXR10(config-if-gei-0/2/1/2)#ip address 200.1.1.2 255.255.255.252
ZXR10(config-if-gei-0/2/1/2)#exit
ZXR10(config)#show running-config-interface gei-0/2/1/2
!<Interface>
interface gei-0/2/1/2
no shutdown
description To ISP2
ip address 200.1.1.2 255.255.255.252
$
!</Interface>

ZXR10(config)#ip route 10.10.0.0 255.255.255.0 192.168.1.2


ZXR10(config)#ip route 11.11.0.0 255.255.255.0 192.168.1.2

Configure route-map.
/* This configures an ACL to be used in a route-map.*/

ZXR10(config)#ipv4-access-list 10
ZXR10(config-ipv4-acl)#rule 1 permit 10.10.0.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit

ZXR10(config)#show ipv4-access-lists name 10


ipv4-access-list 10
1/1 (showed/total)
1 permit 10.10.0.0 0.0.0.255

ZXR10(config)#ipv4-access-list 20
ZXR10(config-ipv4-acl)#rule 1 permit 11.11.0.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#show ipv4-access-lists name 20

ipv4-access-list 20
1/1 (showed/total)
1 permit 11.11.0.0 0.0.0.255

/*This configures the information of a route-map.
The sequence numbers are 10 and 20.*/
ZXR10(config)#route-map source-ip permit 10
ZXR10(config-route-map)#match ip address 10

/* This forwards the packets matching ACL 10 to 100.1.1.1,
and configures 200.1.1.1 as a backup egress.*/
ZXR10(config-route-map)#set ip next-hop 100.1.1.1 200.1.1.1
ZXR10(config-route-map)#exit
ZXR10(config)#route-map source-ip permit 20
ZXR10(config-route-map)#match ip address 20

/* This forwards the packets matching ACL 20 to 200.1.1.1
and configures 100.1.1.1 as a backup egress.*/
ZXR10(config-route-map)#set ip next-hop 200.1.1.1 100.1.1.1
ZXR10(config-route-map)#exit

Apply the route-map to an interface.


/*This binds route-map source-ip to an interface.*/
ZXR10(config)#ip policy interface gei-0/1/1/1 route-map source-ip
ZXR10(config)#show running-config pbr
!<pbr>
ip policy interface gei-0/1/1/1 route-map source-ip
!</pbr>

In this example, the two ISP egresses back each other up. There are two conditions.

1. When both the ISP1 and ISP2 egresses run properly, user services of 10.10.0.0/24 use
the ISP1 egress and user services of 11.11.0.0/24 use the ISP2 egress.
2. When one egress has a fault, the user services use the backup egress. Therefore,
services are not interrupted as long as the two egresses do not fail at the
same time.

Configuration Verification
The configuration of the route-map is shown below.
ZXR10(config)#show route-map source-ip
[route-map source-ip] IP type: IPv4
route-map source-ip permit 10
match ip address 10
set ip next-hop 100.1.1.1 200.1.1.1
route-map source-ip permit 20
match ip address 20
set ip next-hop 200.1.1.1 100.1.1.1
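
The next-hop selection described in instances one and two can be modelled to check outage behaviour before a change is deployed. This is an added example, not ZTE code; the default route toward ISP1 is an assumption inferred from condition 2 of instance one, and the host addresses are constructed samples.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)

# ACLs 10 and 20 as configured on this page: (action, address, wildcard).
ACLS = {
    "10": [("permit", "10.10.0.0", "0.0.0.255")],
    "20": [("permit", "11.11.0.0", "0.0.0.255")],
}

# route-map source-ip per instance: (sequence, ACL name, ordered next hops).
INSTANCE_ONE = [(10, "10", ["100.1.1.1"]), (20, "20", ["200.1.1.1"])]
INSTANCE_TWO = [(10, "10", ["100.1.1.1", "200.1.1.1"]),
                (20, "20", ["200.1.1.1", "100.1.1.1"])]

# Assumption: the default route points at ISP1 (implied by condition 2 above).
DEFAULT_NEXT_HOP = "100.1.1.1"

def acl_permits(acl_name, src):
    """The first matching rule decides; no match is an implicit deny."""
    for action, base, wildcard in ACLS[acl_name]:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def select_egress(route_map, src, reachable):
    """Return the next hop used for src, or None if the traffic is interrupted."""
    for _seq, acl_name, next_hops in sorted(route_map, key=lambda e: e[0]):
        if not acl_permits(acl_name, src):
            continue
        for hop in next_hops:            # primary first, then backups in order
            if hop in reachable:
                return hop
        break                            # assumption: no usable hop, use normal routing
    return DEFAULT_NEXT_HOP if DEFAULT_NEXT_HOP in reachable else None

def outage_report(route_map):
    """Egress chosen for one host per subnet under each failure scenario."""
    scenarios = {
        "both up": {"100.1.1.1", "200.1.1.1"},
        "ISP2 down": {"100.1.1.1"},
        "ISP1 down": {"200.1.1.1"},
    }
    hosts = ("10.10.0.5", "11.11.0.5")   # constructed sample hosts
    return {name: {h: select_egress(route_map, h, up) for h in hosts}
            for name, up in scenarios.items()}

if __name__ == "__main__":
    for label, rm in (("instance one", INSTANCE_ONE), ("instance two", INSTANCE_TWO)):
        for scenario, result in outage_report(rm).items():
            print(label, scenario, result)
```

With a single next hop per entry, an ISP1 failure leaves 10.10.0.0/24 without an egress; with the ordered next-hop list of instance two, the same failure moves that subnet to 200.1.1.1.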

7.3.3.3 Policy Routing Configuration Instance Three


Configuration Description
As shown in Figure 7-9, users of different subnetworks access the network through the same
interface of the router. Use remote VRF policy routing to let the users of vpn1 access
the network of vpn2.
Figure 7-9 Remote VRF Policy Routing Configuration Instance

Configuration Command:
Configuration on PE1:
/*Configure an interface*/
PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 1.2.3.30 255.255.255.255
PE1(config-if-loopback1)#exit

PE1(config)#show running-config-interface loopback1


!<Interface>
interface loopback1
ip address 1.2.3.30 255.255.255.255
!
!</Interface>
PE1(config)#ip vrf vpn1

PE1(config-vrf-vpn1)#rd 1:1
PE1(config-vrf-vpn1)#route-target both 1:1
PE1(config-vrf-vpn1)#address-family ipv4
PE1(config-vrf-vpn1-af-ipv4)#exit
PE1(config-vrf-vpn1)#exit
PE1(config)#ip vrf vpn2
PE1(config-vrf-vpn2)#rd
PE1(config-vrf-vpn2)#rd 1:2
PE1(config-vrf-vpn2)#route-target both 1:2
PE1(config-vrf-vpn2)#address-family ipv4
PE1(config-vrf-vpn2-af-ipv4)#exit
PE1(config-vrf-vpn2)#exit

PE1(config)#interface gei-0/6/0/1
PE1(config-if-gei-0/6/0/1)#no shutdown
PE1(config-if-gei-0/6/0/1)#description to vpn1
PE1(config-if-gei-0/6/0/1)#ip vrf forwarding vpn1
PE1(config-if-gei-0/6/0/1)#ip address 30.1.1.1 255.255.255.0
PE1(config-if-gei-0/6/0/1)#exit

PE1(config)#show running-config-interface gei-0/6/0/1


!<Interface>
interface gei-0/6/0/1
no shutdown
description to vpn1
ip vrf forwarding vpn1
ip address 30.1.1.1 255.255.255.0
$
!</Interface>

PE1(config)#interface gei-0/1/0/1
PE1(config-if-gei-0/1/0/1)#no shutdown
PE1(config-if-gei-0/1/0/1)#description to vpn2
PE1(config-if-gei-0/1/0/1)#ip vrf forwarding vpn2
PE1(config-if-gei-0/1/0/1)#ip address 40.1.1.1 255.255.255.0
PE1(config-if-gei-0/1/0/1)#exit

PE1(config)#show running-config-interface gei-0/1/0/1


!<Interface>
interface gei-0/1/0/1
no shutdown
description to vpn2
ip vrf forwarding vpn2
ip address 40.1.1.1 255.255.255.0
$
!</Interface>
PE1(config)#interface gei-0/6/0/2
PE1(config-if-gei-0/6/0/2)#no shutdown
PE1(config-if-gei-0/6/0/2)#ip address 20.1.1.1 255.255.255.0
PE1(config-if-gei-0/6/0/2)#exit
PE1(config)#show running-config-interface gei-0/6/0/2
!<Interface>
interface gei-0/6/0/2
no shutdown
ip address 20.1.1.1 255.255.255.0
$
!</Interface>
PE1(config)#show ip vrf brief
* Being deleted
Name      Default RD     Protocol    Interfaces
vpn1      1:1            ipv4        gei-0/6/0/1
vpn2      1:2            ipv4        gei-0/1/0/1
mng       < not set >                mng1

/*Configure OSPF*/
PE1(config)#router ospf 1 vrf vpn1
PE1(config-ospf-1)#network 30.1.1.0 0.0.0.255 area 0.0.0.0
PE1(config-ospf-1)#exit
PE1(config)#router ospf 2 vrf vpn2
PE1(config-ospf-2)#network 40.1.1.0 0.0.0.255 area 0.0.0.0
PE1(config-ospf-2)#exit
PE1(config)#router ospf 3
PE1(config-ospf-3)#network 1.2.3.30 0.0.0.0 area 0.0.0.0
PE1(config-ospf-3)#network 20.1.1.0 0.0.0.255 area 0.0.0.0
PE1(config-ospf-3)#exit

PE1(config)#show running-config ospfv2


!<ospfv2>
router ospf 1 vrf vpn1
network 30.1.1.0 0.0.0.255 area 0.0.0.0
$

router ospf 2 vrf vpn2
network 40.1.1.0 0.0.0.255 area 0.0.0.0
$
router ospf 3
network 1.2.3.30 0.0.0.0 area 0.0.0.0
network 20.1.1.0 0.0.0.255 area 0.0.0.0
$
!</ospfv2>

PE1(config)#show ip ospf neighbor

OSPF Router with ID (30.1.1.1) (Process ID 1)
Neighbor ID    Pri State           DeadTime    Address     Interface
30.1.1.2           FULL/DROTHER    00:00:33    30.1.1.2    gei-0/6/0/1

OSPF Router with ID (40.1.1.1) (Process ID 2)
Neighbor ID    Pri State           DeadTime    Address     Interface
40.1.1.2           FULL/DROTHER    00:00:33    40.1.1.2    gei-0/1/0/1

OSPF Router with ID (1.2.3.30) (Process ID 3)
Neighbor ID    Pri State           DeadTime    Address     Interface
1.2.3.29           FULL/BDR        00:00:36    20.1.1.2    gei-0/6/0/2

/*Configure BGP*/
PE1(config)#router bgp 1
PE1(config-bgp)#neighbor 1.2.3.29 remote-as 2
PE1(config-bgp)#neighbor 1.2.3.29 ebgp-multihop ttl 8
PE1(config-bgp)#neighbor 1.2.3.29 update-source loopback1
PE1(config-bgp)#address-family vpnv4
PE1(config-bgp-af)#neighbor 1.2.3.29 activate
PE1(config-bgp-af)#exit
PE1(config-bgp)#address-family ipv4 vrf vpn1
PE1(config-bgp-af)#redistribute ospf-int 1
PE1(config-bgp-af)#redistribute ospf-ext 1
PE1(config-bgp-af)#exit
PE1(config-bgp)#address-family ipv4 vrf vpn2
PE1(config-bgp-af)#redistribute ospf-int 2
PE1(config-bgp-af)#redistribute ospf-ext 2
PE1(config-bgp-af)#exit
PE1(config)#show running-config bgp
!<route-bgp>
router bgp 1

neighbor 1.2.3.29 remote-as 2
neighbor 1.2.3.29 activate
neighbor 1.2.3.29 ebgp-multihop ttl 8
neighbor 1.2.3.29 update-source loopback1
address-family ipv4 vrf vpn1
redistribute ospf-int
redistribute ospf-ext
redistribute connected
$
address-family ipv4 vrf vpn2
redistribute ospf-int
redistribute ospf-ext
$
address-family vpnv4
neighbor 1.2.3.29 activate
$
!</route-bgp>
PE1(config)#show bgp vpnv4 unicast summary
Neighbor    Ver   As   MsgRcvd   MsgSend   Up/Down(s)   State/PfxRcd
1.2.3.29               180       187       01:32:00

/*Configure LDP*/
PE1(config)#mpls ldp instance 1
PE1(config-ldp-1)#interface gei-0/6/0/2
PE1(config-ldp-1-if-gei-0/6/0/2)#exit
PE1(config-ldp-1)#router-id loopback1 force
PE1(config-ldp-1)#exit
PE1(config)#show running-config ldp
!<LDP>
mpls ldp instance 1
router-id loopback1 force
interface gei-0/6/0/2
$
!</LDP>
PE1(config)#show mpls ldp neighbor instance 1
Peer LDP Ident: 1.2.3.29:0; Local LDP Ident 1.2.3.30:0
TCP connection: 1.2.3.29.646 - 1.2.3.30.1028
state: Oper; Msgs sent/rcvd: 113/135; Downstream
Up Time: 01:25:38
LDP discovery sources:
gei-0/6/0/2; Src IP addr: 20.1.1.2
Addresses bound to peer LDP Ident:
1.2.3.29    20.1.1.2    130.131.132.29

Configuration on PE2:

/*Configure an interface*/
PE2(config)#interface loopback1
PE2(config-if-loopback1)#ip address 1.2.3.29 255.255.255.255
PE2(config-if-loopback1)#exit

PE2(config)#show running-config-interface loopback1


!<Interface>
interface loopback1
ip address 1.2.3.29 255.255.255.255
$
!</Interface>

PE2(config)#ip vrf vpn1


PE2(config-vrf-vpn1)#rd 1:1
PE2(config-vrf-vpn1)#route-target both 1:1
PE2(config-vrf-vpn1)#address-family ipv4
PE2(config-vrf-vpn1-af-ipv4)#exit
PE2(config-vrf-vpn1)#exit
PE2(config)#ip vrf vpn2
PE2(config-vrf-vpn2)#rd
PE2(config-vrf-vpn2)#rd 1:2
PE2(config-vrf-vpn2)#route-target both 1:2
PE2(config-vrf-vpn2)#address-family ipv4
PE2(config-vrf-vpn2-af-ipv4)#exit
PE2(config-vrf-vpn2)#exit
PE2(config)#interface gei-0/1/0/4
PE2(config-if-gei-0/1/0/4)#no shutdown
PE2(config-if-gei-0/1/0/4)#ip address 20.1.1.2 255.255.255.0
PE2(config-if-gei-0/1/0/4)#exit

PE2(config)#show running-config-interface gei-0/1/0/4


!<Interface>
interface gei-0/1/0/4
no shutdown
ip address 20.1.1.2 255.255.255.0
$
!</Interface>

PE2(config)#interface gei-0/1/0/5
PE2(config-if-gei-0/1/0/5)#no shutdown
PE2(config-if-gei-0/1/0/5)#description to vpn1
PE2(config-if-gei-0/1/0/5)#ip vrf forwarding vpn1
PE2(config-if-gei-0/1/0/5)#ip address 10.1.1.1 255.255.255.0
PE2(config-if-gei-0/1/0/5)#exit

PE2(config)#show running-config-interface gei-0/1/0/5
!<Interface>
interface gei-0/1/0/5
no shutdown
description to vpn1
ip vrf forwarding vpn1
ip address 10.1.1.1 255.255.255.0
$
!</Interface>

PE2(config)#show ip vrf brief


* Being deleted
Name      Default RD     Protocol    Interfaces
vpn1      1:1            ipv4        gei-0/1/0/5
vpn2      1:2
mng       < not set >                mng1

/*Configure OSPF*/
PE2(config)#router ospf 16
PE2(config-ospf-16)#network 1.2.3.29 0.0.0.0 area 0.0.0.0
PE2(config-ospf-16)#network 20.1.1.0 0.0.0.255 area 0.0.0.0
PE2(config-ospf-16)#exit

PE2(config)#show running-config ospfv2


!<ospfv2>
router ospf 16
network 1.2.3.29 0.0.0.0 area 0.0.0.0
network 20.1.1.0 0.0.0.255 area 0.0.0.0
$
!</ospfv2>

PE2(config)#show ip ospf neighbor


OSPF Router with ID (1.2.3.29) (Process ID 16)
Neighbor ID    Pri State      DeadTime    Address     Interface
1.2.3.30           FULL/DR    00:00:32    20.1.1.1    gei-0/1/0/4

/*Configure BGP*/
PE2(config)#router bgp 2
PE2(config-bgp)#neighbor 1.2.3.30 remote-as 1
PE2(config-bgp)#neighbor 1.2.3.30 ebgp-multihop ttl 8
PE2(config-bgp)#neighbor 1.2.3.30 update-source loopback1
PE2(config-bgp)#address-family vpnv4
PE2(config-bgp-af)#neighbor 1.2.3.30 activate
PE2(config-bgp-af)#exit
PE2(config-bgp)#address-family ipv4 vrf vpn1

PE2(config-bgp-af)#redistribute ospf-int 16
PE2(config-bgp-af)#redistribute ospf-ext 16
PE2(config-bgp-af)#exit
PE2(config-bgp)#exit

PE2(config)#show running-config bgp


!<route-bgp>
router bgp 2
neighbor 1.2.3.30 remote-as 1
neighbor 1.2.3.30 activate
neighbor 1.2.3.30 ebgp-multihop ttl 8
neighbor 1.2.3.30 update-source loopback1
address-family ipv4 vrf vpn1
redistribute ospf-int
redistribute ospf-ext
$
address-family vpnv4
neighbor 1.2.3.30 activate
$
!</route-bgp>

PE2(config)#show bgp vpnv4 unicast summary


Neighbor    Ver   As   MsgRcvd   MsgSend   Up/Down(s)   State/PfxRcd
1.2.3.30               255       246       02:06:06     22

/*Configure LDP*/
PE2(config)#mpls ldp instance 1
PE2(config-ldp-1)#interface gei-0/1/0/4
PE2(config-ldp-1-if-gei-0/1/0/4)#exit
PE2(config-ldp-1)#router-id loopback1 force
PE2(config-ldp-1)#exit

PE2(config)#show running-config ldp


!<LDP>
mpls ldp instance 1
router-id loopback1 force
interface gei-0/1/0/4
$
!</LDP>

PE2(config)#show mpls ldp neighbor instance 1


Peer LDP Ident: 1.2.3.30:0; Local LDP Ident 1.2.3.29:0
TCP connection: 1.2.3.30.1028 - 1.2.3.29.646
state: Oper; Msgs sent/rcvd: 188/151; Downstream
Up Time: 01:58:43

LDP discovery sources:
gei-0/1/0/4; Src IP addr: 20.1.1.1
Addresses bound to peer LDP Ident:
1.2.3.30           158.1.1.1    17.1.1.1       50.1.1.1
158.158.158.158    12.1.1.2     123.12.23.2    20.1.1.1
70.1.1.1

Configure a route-map on PE2.


/*Configure ACL in a route-map*/
PE2(config)#ipv4-access-list 2
PE2(config-ipv4-acl)#rule 1 permit 10.1.1.2 0.0.0.0
PE2(config-ipv4-acl)#exit

PE2(config)#show ipv4-access-lists name 2


ipv4-access-list 2
1/1 (showed/total)
1 permit 10.1.1.2 0.0.0.0

/*Configure a route-map*/
PE2(config)#route-map test
PE2(config-route-map)#match ip address 2
PE2(config-route-map)#set vrf vpn2
PE2(config-route-map)#exit

PE2(config)#show route-map test


[route-map test] IP type: IPv4
route-map test permit 10
match ip address 2
set vrf vpn2

/*Apply the route-map to gei-0/1/0/5 on PE2*/


PE2(config)#ip policy interface gei-0/1/0/5 route-map test

PE2(config)#show running-config pbr


!<pbr>
ip policy interface gei-0/1/0/5 route-map test
!</pbr>

Configuration Verification
After the neighbor relationship is established between PE1 and PE2, check the routes of
VPN1, as shown below.
PE2(config)#show ip protocol routing vrf vpn1
Codes: OSPF-3D = ospf-type3-discard, OSPF-5D = ospf-type5-discard, TE = rsvpte,
OSPF-7D = ospf-type7-discard, USER-I = user-ipaddr, RIP-D = rip-discard,

OSPF-E = ospf-ext, ASBR-V = asbr-vpn, GW-FWD = ps-busi, GW-UE = ps-user,
BGP-AD = bgp-aggr-discard, BGP-CE = bgp-confed-ext, NAT64 = sl-nat64-v4,
USER-N = user-network, USER-S = user-special, DHCP-S = dhcp-static,
DHCP-D = dhcp-dft
status codes: *valid, >best, s-stale
     Dest             NextHop     Intag     Outtag    RtPrf   Protocol
*>   10.1.1.0/24      10.1.1.1    163845    notag             connected
*>   10.1.1.1/32      10.1.1.1    163844    notag             connected
*>   15.15.15.0/24    1.2.3.30    163914    163975    20      bgp-ext
*>   15.15.16.0/24    1.2.3.30    163913    163974    20      bgp-ext
*>   15.15.17.0/24    1.2.3.30    163912    163973    20      bgp-ext
*>   15.15.18.0/24    1.2.3.30    163911    163972    20      bgp-ext
*>   15.15.19.0/24    1.2.3.30    163910    163971    20      bgp-ext
*>   15.15.20.0/24    1.2.3.30    163909    163970    20      bgp-ext
*>   15.15.21.0/24    1.2.3.30    163908    163969    20      bgp-ext
*>   15.15.22.0/24    1.2.3.30    163907    163968    20      bgp-ext
*>   15.15.23.0/24    1.2.3.30    163906    163967    20      bgp-ext
*>   15.15.24.0/24    1.2.3.30    163905    163966    20      bgp-ext
*>   30.1.1.0/24      1.2.3.30    163903    163962    20      bgp-ext
*>   30.1.1.2/32      1.2.3.30    163904    163965    20      bgp-ext

Check the routes of VPN2, as shown below.


PE2(config)#show ip protocol routing vrf vpn2
Codes: OSPF-3D = ospf-type3-discard, OSPF-5D = ospf-type5-discard, TE = rsvpte,
OSPF-7D = ospf-type7-discard, USER-I = user-ipaddr, RIP-D = rip-discard,
OSPF-E = ospf-ext, ASBR-V = asbr-vpn, GW-FWD = ps-busi, GW-UE = ps-user,
BGP-AD = bgp-aggr-discard, BGP-CE = bgp-confed-ext, NAT64 = sl-nat64-v4,
USER-N = user-network, USER-S = user-special, DHCP-S = dhcp-static,
DHCP-D = dhcp-dft
status codes: *valid, >best, s-stale
     Dest             NextHop     Intag     Outtag    RtPrf   Protocol
*>   14.14.14.0/24    1.2.3.30    163926    163993    20      bgp-ext
*>   14.14.15.0/24    1.2.3.30    163925    163992    20      bgp-ext
*>   14.14.16.0/24    1.2.3.30    163934    164001    20      bgp-ext
*>   14.14.17.0/24    1.2.3.30    163933    164000    20      bgp-ext
*>   14.14.18.0/24    1.2.3.30    163932    163999    20      bgp-ext
*>   14.14.19.0/24    1.2.3.30    163931    163998    20      bgp-ext
*>   14.14.20.0/24    1.2.3.30    163930    163997    20      bgp-ext
*>   14.14.21.0/24    1.2.3.30    163929    163996    20      bgp-ext
*>   14.14.22.0/24    1.2.3.30    163928    163995    20      bgp-ext
*>   14.14.23.0/24    1.2.3.30    163927    163994    20      bgp-ext

In this example, if some users of VPN1 on PE1 want to access the VPN2 network,
configure the match item of the route-map, define those users with an ACL rule, and
configure the set item of the route-map. Note that a private network route needs to exist on PE1.

For example, the users of 10.1.1.2 want to access the 14.14.14.0/24 network segment, but
they belong to vpn1 and 14.14.14.0 belongs to vpn2. Run the show ip protocol routing
vrf vpn2 command to view the route of the 14.14.14.0 network segment. To realize this
access with remote VRF policy routing, configure the set vrf vpn2 command.

7.3.3.4 Policy Routing Configuration Instance Two


Configuration Description
The OSPF route is established between R1 and R2. Bind the PBR to the interface that
establishes the OSPF route, and configure the set parameter of the PBR as set interface
null1 to check whether the OSPF route is established properly, see Figure 7-10.
Figure 7-10 Policy Routing Configuration Instance Two

Configuration Flow
1. Configure the interface address.
2. Establish the OSPF route.
3. Create a route-map.
4. Relate the route-map to the corresponding interface.

Configuration Commands
Run the following commands on R1:
/*Configuring an interface.*/
R1(config)#interface gei-0/2/0/8
R1(config-if-gei-0/2/0/8)#no shutdown
R1(config-if-gei-0/2/0/8)#ip address 110.1.8.1 255.255.255.0
R1(config-if-gei-0/2/0/8)#exit

/*Configuring the OSPF.*/


R1(config)#router ospf 1
R1(config-ospf-1)#network 110.1.8.0 0.0.0.255 area 0.0.0.0
R1(config-ospf-1)#exit

/*Creating a route-map. */
R1(config)#route-map null
R1(config-route-map)#set interface null1
R1(config-route-map)#exit

/*Relating the route-map to the corresponding interface.*/

R1(config)#ip policy interface gei-0/2/0/8 route-map null

Run the following commands on R2:


/*Configuring an interface.*/
R2(config)#interface gei-0/1/0/4
R2(config-if-gei-0/1/0/4)#no shutdown
R2(config-if-gei-0/1/0/4)#ip address 110.1.8.2 255.255.255.0
R2(config-if-gei-0/1/0/4)#exit

/*Configuring the OSPF.*/


R2(config)#router ospf 1
R2(config-ospf-1)#network 110.1.8.0 0.0.0.255 area 0.0.0.0
R2(config-ospf-1)#exit

Configuration Verification
The set parameter of the policy route is set interface null1. If the PBR takes effect, all
packets from the gei-0/2/0/8 interface are discarded. When the link of the OSPF route is
established properly, it means that the policy route does not take effect.
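
The two PBR effects shown in 7.3.3.3 and 7.3.3.4, a set vrf that moves traffic out of the ingress interface's VRF and a set interface null1 that discards it, are worth auditing in any configuration review. The script below is an added example, not ZTE code; the sample configuration is constructed from commands on this page, and its block layout (header line, indented body, "$") is an assumption.

```python
import re

# Constructed excerpt assembled from commands shown on this page (layout assumed).
SAMPLE_CONFIG = """\
interface gei-0/1/0/5
  ip vrf forwarding vpn1
  ip address 10.1.1.1 255.255.255.0
$
interface gei-0/2/0/8
  ip address 110.1.8.1 255.255.255.0
$
route-map test permit 10
  match ip address 2
  set vrf vpn2
$
route-map null permit 10
  set interface null1
$
ip policy interface gei-0/1/0/5 route-map test
ip policy interface gei-0/2/0/8 route-map null
"""

def parse(config):
    """Collect interface VRFs, route-map clauses and PBR bindings."""
    iface_vrf, route_maps, bindings = {}, {}, []
    ctx = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "$" or line.startswith("!"):
            ctx = None                               # end of a config block
        elif m := re.fullmatch(r"ip policy interface (\S+) route-map (\S+)", line):
            bindings.append((m.group(1), m.group(2)))
            ctx = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m.group(1))
            iface_vrf.setdefault(m.group(1), "global")
        elif m := re.fullmatch(r"route-map (\S+)(?: (permit|deny) \d+)?", line):
            ctx = ("rm", m.group(1))
            route_maps.setdefault(m.group(1), []).append(
                {"action": m.group(2) or "permit", "acls": [],
                 "set_vrf": None, "null_if": None})
        elif ctx and ctx[0] == "if":
            if m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
                iface_vrf[ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "rm":
            clause = route_maps[ctx[1]][-1]
            if m := re.fullmatch(r"match ip address (\S+)", line):
                clause["acls"].append(m.group(1))
            elif m := re.fullmatch(r"set vrf (\S+)", line):
                clause["set_vrf"] = m.group(1)
            elif m := re.fullmatch(r"set interface (null\d+)", line):
                clause["null_if"] = m.group(1)
    return iface_vrf, route_maps, bindings

def audit(config):
    """Return (interface, route-map, finding, detail) for risky PBR bindings."""
    iface_vrf, route_maps, bindings = parse(config)
    findings = []
    for iface, rm_name in bindings:
        src_vrf = iface_vrf.get(iface, "global")
        for clause in route_maps.get(rm_name, []):
            if clause["action"] == "deny":
                continue                             # deny clauses do not steer traffic
            scope = "ACL " + ",".join(clause["acls"]) if clause["acls"] else "all traffic"
            if clause["set_vrf"] and clause["set_vrf"] != src_vrf:
                findings.append((iface, rm_name, "cross-vrf",
                                 f"{src_vrf} -> {clause['set_vrf']} for {scope}"))
            if clause["null_if"]:
                findings.append((iface, rm_name, "blackhole",
                                 f"{scope} sent to {clause['null_if']}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A cross-vrf finding scoped by a narrow ACL, such as the single host permitted by ACL 2 here, is the intended use; the same finding with "all traffic" as its scope means the whole interface leaves its VRF.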

Figures
Figure 2-1 AAA Configuration Instance Topology
Figure 4-1 Time-Range Configuration Instance
Figure 4-2 SQA Calling a Time-Range
Figure 5-1 ACL Configuration Instance Topology
Figure 6-1 Prefix-List Called by IP Multicast
Figure 6-2 Prefix-List Called by BGP
Figure 7-1 Configuration Instance of the RIP Reallocation Routing Policy
Figure 7-2 Configuration Instance of an ISIS Routing Policy
Figure 7-3 Configuration Instance of the OSPF Routing Policy
Figure 7-4 Configuration Instance of the BGP Routing Policy
Figure 7-5 Configuration Instance of the VRF Routing Policy
Figure 7-6 Next Hop of an Indirect-Connected IP Address
Figure 7-7 Policy Routing Configuration Instance One
Figure 7-8 Policy Routing Configuration Instance Two
Figure 7-9 Remote VRF Policy Routing Configuration Instance
Figure 7-10 Policy Routing Configuration Instance Two


Glossary
AAA
- Authentication, Authorization and Accounting
ABR
- Area Border Router
ACL
- Access Control List
BGP
- Border Gateway Protocol
BSR
- Bootstrap Router
C/S
- Client/Server
DSCP
- Differentiated Services Code Point
FTP
- File Transfer Protocol
ICMP
- Internet Control Message Protocol
IGMP
- Internet Group Management Protocol
IGP
- Interior Gateway Protocol
IP
- Internet Protocol
IS-IS
- Intermediate System-to-Intermediate System
LSA
- Link State Advertisement
OSPF
- Open Shortest Path First
PIM-SM
- Protocol Independent Multicast - Sparse Mode
RADIUS
- Remote Authentication Dial In User Service
RP
- Rendezvous Point
SP
- Service Provider
TACACS+
- Terminal Access Controller Access-Control System Plus
TCP
- Transmission Control Protocol
ToS
- Type of Service
UDP
- User Datagram Protocol
URPF
- Unicast Reverse Path Forwarding
