ROUTE-POLICY 策略路由规则详解在工程中经常遇到route-policy用于策略路由的情况，下面就对route-polic和ACL间的匹配规则详解如下：一、试验环境A(E0/0)--192.168.1.0--(E0/0)B(S0/0)--10.0.0.0--(S0/0)C(E0/0)--192.168.2.0--(E0/0)D拓扑说明：AB之间的网段为192.168.1.0 。

AB分别通过E0/0口互联。

CD之间的网段为192.168.2.0 。

CD分别通过E0/0口互联。

BC之间分别通过S0/0 中间通过帧中继交换机互联,共配置3个子接口，DLCI分别是100 200 300（两端相同）。

二、测试结论：未做任何策略#interface Ethernet0/0ip address 192.168.1.1 255.255.255.0=在路由器A Tracert路由结果如下：<AR2810-A>dis clock08:48:03 UTC Fri 11/28/2008<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packetPress CTRL_C to break1 192.168.1.1 3 ms 1 ms2 ms2 10.0.0.10 19 ms 18 ms 19 ms3 192.168.2.2 20 ms 21 ms 20 ms由此可得出未做route-policy的时候，是按照全局路由表中的路由条目转发数据流的。

1、permit+permit#interface Ethernet0/0ip address 192.168.1.1 255.255.255.0ip policy route-policy t1#acl number 3000rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255acl number 3001rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255#route-policy t1 permit node 10 (生效)if-match acl 3000apply ip-address next-hop 10.0.0.2route-policy t1 permit node 20apply ip-address next-hop 10.0.0.6在路由器A Tracert路由结果如下：<AR2810-A>dis clock08:50:33 UTC Fri 11/28/2008<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packetPress CTRL_C to break1 192.168.1.12 ms 2 ms 1 ms2 10.0.0.2 20 ms 20 ms 22 ms3 192.168.2.2 19 ms 20 ms 19 ms由此结果可得出此时数据流匹配了规则node 10 。

也就是route-policy permit对于和ACL permit规则匹配的数据流执行node 10中的匹配规则。

2、permit+deny！！！（不工作）#interface Ethernet0/0ip address 192.168.1.1 255.255.255.0ip policy route-policy t2#acl number 3000rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255acl number 3001rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255#route-policy t2 permit node 10if-match acl 3001apply local-preference 2300route-policy t2 permit node 20 （生效）apply ip-address next-hop 10.0.0.6在路由器A Tracert路由结果如下：<AR2810-A>dis clock08:53:00 UTC Fri 11/28/2008<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packetPress CTRL_C to break1 192.168.1.12 ms 2 ms 4 ms2 10.0.0.6 19 ms 19 ms 20 ms3 192.168.2.2 20 ms 20 ms 20 ms由此结果的得出route-policy 的permit 对于和ACL DENY 规则相匹配的数据流，不执行node 10 中的策略，而是继续匹配下面的规则。

3、deny+permit（不工作）#interface Ethernet0/0ip address 192.168.1.1 255.255.255.0ip policy route-policy t3#acl number 3000rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255acl number 3001rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255#route-policy t3 deny node 10if-match acl 3000apply ip-address next-hop 10.0.0.2route-policy t3 permit node 20apply ip-address next-hop 10.0.0.6在路由器A Tracert路由结果如下：<AR2810-A>dis clock08:54:42 UTC Fri 11/28/2008<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packetPress CTRL_C to break1 192.168.1.12 ms 2 ms 1 ms2 10.0.0.10 19 ms 18 ms 19 ms3 192.168.2.2 20 ms 20 ms 22 ms由此结果可得出，route-policy 的deny 对于和ACL permit规则相匹配的数据流直接进行DENY ,并且不再匹配后续的规则，而是转入了系统全局路由表执行常规的路由策略。

4、deny+deny （双重deny=不作为）#interface Ethernet0/0ip address 192.168.1.1 255.255.255.0ip policy route-policy t4#acl number 3000rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255acl number 3001rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255#route-policy t4 deny node 10if-match acl 3001apply local-preference 2300route-policy t4 permit node 20 （生效）apply ip-address next-hop 10.0.0.6在路由器A Tracert路由结果如下：<AR2810-A>tracert -m 5 -a 192.168.1.2 192.168.2.2traceroute to 192.168.2.2(192.168.2.2) 5 hops max,40 bytes packetPress CTRL_C to break1 192.168.1.1 3 ms2 ms 2 ms2 10.0.0.6 19 ms 18 ms 22 ms3 192.168.2.2 20 ms 21 ms 19 ms有此结果可得出：route-policy deny 对于和ACL deny 规则相匹配的数据流，不会执行node 10的规则，但是会继续匹配下面的规则。

三、总结策略路由规则如下：1、对于和ACL的匹配和常规的ACL匹配规则完全一致，没有什么不同。

2、对于策略路由来说router-policy 尽管也有缺省DENY的规则，但是被DENY的数据流不会丢弃，只是不进行策略路由而已。

（对于路由策略则不一样）。

附件1：相关版本和配置信息：路由器A:<AR2810-A> dis verHuawei Versatile Routing Platform SoftwareVRP software, Version 3.40, Release 0201P29Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.Without the owner's prior written consent, no decompilingnor reverse-engineering shall be allowed.Quidway AR28-10 uptime is 0 week, 0 day, 1 hour, 39 minutesLast reboot 2008/11/28 07:22:50System returned to ROM By <Reboot> Command.CPU type: PowerPC 8241 200MHz128M bytes SDRAM Memory32M bytes Flash MemoryPCB Version:4.0Logic Version:1.0BootROM Version:9.23[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0<AR2810-A>vrbdRouting Platform SoftwareVersion AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), REL EASE SOFTWARECompiled Oct 22 2008 18:24:10 by jiahua<AR2810-A>dis cu<AR2810-A>dis current-configuration#sysname AR2810-A#interface Ethernet0/0ip address 192.168.1.2 255.255.255.0#ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 preference 60路由器B：[AR2810-B]dis versionHuawei Versatile Routing Platform SoftwareVRP software, Version 3.40, Release 0201P29Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.Without the owner's prior written consent, no decompilingnor reverse-engineering shall be allowed.Quidway AR28-10 uptime is 0 week, 0 day, 0 hour, 53 minutesLast reboot 2021/08/22 03:19:36System returned to ROM By <Reboot> Command.CPU type: PowerPC 8241 200MHz128M bytes SDRAM Memory32M bytes Flash MemoryPCB Version:4.0Logic Version:1.0BootROM Version:9.23[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 3] 1SA (Hardware)1.0, (Driver)1.0, (CPLD)2.0[AR2810-B]vrbdRouting Platform SoftwareVersion AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), REL EASE SOFTWARECompiled Oct 22 2008 18:24:10 by jiahua[AR2810-B]dis current-configuration#sysname AR2810-B#acl number 3000rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 acl number 3001rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 #interface Ethernet0/0ip address 192.168.1.1 255.255.255.0ip policy route-policy t4#interface Serial0/0link-protocol fr#interface Serial0/0.100fr dlci 100ip address 10.0.0.1 255.255.255.252#interface Serial0/0.200fr dlci 200ip address 10.0.0.5 255.255.255.252#interface Serial0/0.300fr dlci 300ip address 10.0.0.9 255.255.255.252#route-policy t1 permit node 10if-match acl 3000apply ip-address next-hop 10.0.0.2route-policy t1 permit node 20apply ip-address next-hop 10.0.0.6route-policy t2 permit node 10if-match acl 3001apply local-preference 2300route-policy t2 permit node 20apply ip-address next-hop 10.0.0.6route-policy t3 deny node 10if-match acl 3000apply ip-address next-hop 10.0.0.2route-policy t3 permit node 20apply ip-address next-hop 10.0.0.6route-policy t4 deny node 10if-match acl 3001apply local-preference 2300route-policy t4 permit node 20apply ip-address next-hop 10.0.0.6#ip route-static 192.168.2.0 255.255.255.0 10.0.0.10 preference 60路由器C：[AR2810-C]dis verHuawei Versatile Routing Platform SoftwareVRP software, Version 3.40, Release 0201P29Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.Without the owner's prior written consent, no decompilingnor reverse-engineering shall be allowed.Quidway AR28-10 uptime is 0 week, 0 day, 2 hours, 59 minutesLast reboot 2000/10/11 00:54:49System returned to ROM By <Reboot> Command.CPU type: PowerPC 8241 200MHz128M bytes SDRAM Memory32M bytes Flash MemoryPCB Version:4.0Logic Version:1.0BootROM Version:9.23[SLOT 0] AUX (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 0] 1FE (Hardware)4.0, (Driver)1.0, (CPLD)1.0[SLOT 0] WAN (Hardware)4.0, (Driver)1.0, (CPLD)1.0[AR2810-C]vrbdRouting Platform SoftwareVersion AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), REL EASE SOFTWARECompiled Oct 22 2008 18:24:10 by jiahua[AR2810-C]dis cu#sysname AR2810-C#interface Ethernet0/0ip address 192.168.2.1 255.255.255.0#interface Serial0/0clock DTECLK1link-protocol fr#interface Serial0/0.100fr dlci 100ip address 10.0.0.2 255.255.255.252#interface Serial0/0.200fr dlci 200ip address 10.0.0.6 255.255.255.252#interface Serial0/0.300fr dlci 300ip address 10.0.0.10 255.255.255.252#ip route-static 192.168.1.0 255.255.255.0 10.0.0.9 preference 60路由器D：<AR2810-D>dis verHuawei Versatile Routing Platform SoftwareVRP software, Version 3.40, Release 0201P29Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.Without the owner's prior written consent, no decompilingnor reverse-engineering shall be allowed.Quidway AR28-10 uptime is 0 week, 0 day, 3 hours, 0 minuteLast reboot 2000/10/11 01:00:09System returned to ROM By <Reboot> Command.CPU type: PowerPC 8241 200MHz128M bytes SDRAM Memory32M bytes Flash MemoryPCB Version:1.0Logic Version:1.0BootROM Version:9.23[SLOT 0] AUX (Hardware)1.0, (Driver)1.0, (CPLD)1.0[SLOT 0] 1FE (Hardware)1.0, (Driver)1.0, (CPLD)1.0[SLOT 0] WAN (Hardware)1.0, (Driver)1.0, (CPLD)1.0<AR2810-D>vrbdRouting Platform SoftwareVersion AR28-10 8040V300R003B04D040SP73 (COMWAREV300R002B62D014), REL EASE SOFTWARECompiled Oct 22 2008 18:24:10 by jiahua<AR2810-D>dis cu#sysname AR2810-D#interface Ethernet0/0ip address 192.168.2.2 255.255.255.0#ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 60。