
[Technical Insights] Comparison of Route-Map Applications and Considerations in Redistribution and Policy-Routing

I. Core differences in deny-statement behaviour

🔁 Redistribution (redistribute)

If a deny clause in the route-map matches:

→ the matching route entries are not redistributed (injection is blocked entirely).

🎯 Policy routing (PBR)
If a deny clause in the route-map matches:

→ the packet is not policy-routed; it is handed to the normal routing table for forwarding (a "hands-off" behaviour).

II. The default deny-all rule

Like an access-list, a route-map ends with an implicit deny all.

→ Traffic/routes that match no permit clause are ultimately denied or handed to normal forwarding.

III. Notes on route-map sequence numbers

1. Automatic numbering rule
If no permit xx is written when editing, the first clause defaults to permit 10.

  route-map cracker
    match ip address 101
    set ip next-hop 211.81.157.1
  route-map cracker
    match interface f0/0
    set metric 100

Equivalent to:

  route-map cracker permit 10
    match ip address 101
    set ip next-hop 211.81.157.1
  route-map cracker permit 20
    match interface f0/0
    set metric 100

2. The pitfall when deleting entries (very easy to get wrong)
❌ Wrong:   no route-map cracker      → deletes the entire route-map
✅ Correct: no route-map cracker 20   → deletes only clause 20

IV. Logical relationships between match statements

◆ Multiple match statements within the same clause → AND (all conditions must be satisfied at once)

  route-map cracker permit 10
    match ip address 101
    match ip length 1500
    set ip next-hop 211.81.157.1

→ set is executed only when both the address and the packet size match.

◆ Different clauses → OR (matched in sequence; evaluation exits on the first hit)

  route-map cracker permit 10
    match ip address 101
    set ip next-hop 211.81.157.1
  route-map cracker permit 20
    match ip address 102
    set ip next-hop 211.81.157.2
  route-map cracker permit 30

→ Clauses are matched in order; once one is hit, evaluation exits.

V. Policy routing in detail

[Ironclad rule: policy routing can only be applied on the router's ingress interface]

Configuration example:

  route-map cracker
    match ip address 10
    set ip next-hop 172.16.1.1
  route-map cracker
    match ip address 20
    set ip next-hop 172.16.1.2
  access-list 10 permit 172.16.6.0 0.0.0.255
  access-list 20 permit 172.16.7.0 0.0.0.255
  interface s0/0
    ip policy route-map cracker

Effect:
✅ the .6 subnet (172.16.6.0/24) → forwarded to 172.16.1.1

✅ the .7 subnet (172.16.7.0/24) → forwarded to 172.16.1.2

⚠️ the .8 subnet (no match) → handed to the normal routing table for forwarding (usually load balancing)

Extended uses of policy routing:
• Match packet size: small packets take the low-latency link, large packets take the high-bandwidth link (protects voice)

• Match protocol type: treat HTTP, FTP, Telnet and BT traffic differently

• Match Layer-7 characteristics: e.g. send specific URLs over the high-bandwidth link

VI. Using route-maps in redistribution

Typical scenario: precisely control which routes may be redistributed into the target protocol.

Example 1 (deny a specific subnet):

  route-map cracker deny 10
    match ip address 10
  route-map cracker permit 20
  access-list 10 permit 10.1.0.0 0.0.255.255
  router ospf 1
    redistribute rip metric 100 subnets route-map cracker

→ Result: 10.1.0.0/16 is not redistributed into OSPF.

Example 2 (permit only specific routes):

  route-map cuijian permit 20
    match ip address 20
  access-list 20 permit 172.16.0.0 0.0.255.255

→ Because of the implicit deny all at the end, only 172.16.0.0/16 is redistributed.
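The semantics laid out in sections I, II, IV, V and VI (AND inside a clause, first-hit OR across clauses, the implicit deny at the end, and the different meaning of deny under redistribution versus PBR) can be checked against a small model. The Python below is an added example written for this page; it is not Cisco code and not from the original article. The names acl, length, RouteMap, pbr_forward and redistribute, the contents of ACL 101, and the sample RIP routes are all assumed or constructed here.

```python
"""Toy evaluator for the route-map semantics described above (added example, not
Cisco code or code from the original page). Models: match conditions in one clause
are ANDed; clauses run in ascending sequence order and the first hit decides;
unmatched input hits an implicit deny; deny means "do not inject" under
redistribution but "use the normal routing table" under PBR."""
import ipaddress
from dataclasses import dataclass, field


def acl(*entries):
    """Predicate from IOS-style 'address wildcard' permit lines; tests obj["address"]
    (a packet source or a route prefix). Contiguous wildcards only; a miss is False
    because the ACL has its own implicit deny."""
    nets = []
    for addr, wild in entries:
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return lambda obj: any(
        ipaddress.ip_network(obj["address"], strict=False).subnet_of(n) for n in nets)


def length(min_len, max_len):
    """Predicate modelling 'match length min max' on a packet's size."""
    return lambda obj: min_len <= obj.get("length", 0) <= max_len


@dataclass
class Clause:
    seq: int
    action: str        # "permit" or "deny"
    matches: list      # predicates; all must hold (AND)
    sets: dict = field(default_factory=dict)


@dataclass
class RouteMap:
    name: str
    clauses: list = field(default_factory=list)

    def add(self, action="permit", matches=(), seq=None, **sets):
        """Append a clause; without an explicit seq the next multiple of 10 is used."""
        if seq is None:
            seq = max((c.seq for c in self.clauses), default=0) + 10
        self.clauses.append(Clause(seq, action, list(matches), sets))
        return self

    def delete(self, seq=None):
        """'no route-map NAME' clears the whole map; with a seq only that clause goes."""
        self.clauses = [] if seq is None else [c for c in self.clauses if c.seq != seq]

    def evaluate(self, obj):
        """First clause whose predicates all hold decides; otherwise implicit deny."""
        for clause in sorted(self.clauses, key=lambda c: c.seq):
            if all(pred(obj) for pred in clause.matches):
                return clause.action, clause.sets
        return "deny", {}


def pbr_forward(rmap, packet):
    """PBR on an ingress interface: permit + set ip next-hop steers the packet;
    deny or no match hands it back to the normal routing table."""
    action, sets = rmap.evaluate(packet)
    if action == "permit" and "next_hop" in sets:
        return sets["next_hop"]
    return "routing-table"


def redistribute(rmap, routes, default_metric):
    """Redistribution: permitted routes are injected, denied routes are dropped.
    Returns {prefix: metric}; a 'set metric' in the clause overrides the default."""
    injected = {}
    for route in routes:
        action, sets = rmap.evaluate(route)
        if action == "permit":
            injected[route["address"]] = sets.get("metric", default_metric)
    return injected


# Section V PBR example: ACL 10 -> 172.16.1.1, ACL 20 -> 172.16.1.2, anything else unmatched.
PBR_MAP = (RouteMap("cracker")
           .add(matches=[acl(("172.16.6.0", "0.0.0.255"))], next_hop="172.16.1.1")
           .add(matches=[acl(("172.16.7.0", "0.0.0.255"))], next_hop="172.16.1.2"))

# Section IV AND example; the contents of ACL 101 are constructed here, not taken from the page.
AND_MAP = RouteMap("cracker").add(
    matches=[acl(("172.16.6.0", "0.0.0.255")), length(1500, 1500)], next_hop="211.81.157.1")

# Section VI example 1 (deny 10.1.0.0/16, permit the rest) and example 2 (permit only 172.16.0.0/16).
DENY_MAP = RouteMap("cracker").add("deny", matches=[acl(("10.1.0.0", "0.0.255.255"))]).add("permit")
PERMIT_ONLY_MAP = RouteMap("cuijian").add(matches=[acl(("172.16.0.0", "0.0.255.255"))], seq=20)

# Constructed sample RIP routes; "redistribute rip metric 100" supplies the default metric.
SAMPLE_ROUTES = [{"address": "10.1.5.0/24"}, {"address": "172.16.20.0/24"}, {"address": "192.168.1.0/24"}]

if __name__ == "__main__":
    for src in ("172.16.6.55", "172.16.7.9", "172.16.8.1"):
        print(src, "->", pbr_forward(PBR_MAP, {"address": src}))
    print("deny-map injects:", redistribute(DENY_MAP, SAMPLE_ROUTES, 100))
    print("permit-only injects:", redistribute(PERMIT_ONLY_MAP, SAMPLE_ROUTES, 100))
```

Running it shows the .6 and .7 packets steered to their next hops and the .8 packet falling back to the routing table, the AND clause only firing when both address and length match, and the two redistribution maps injecting different subsets of the constructed routes. RouteMap.delete reproduces the section III pitfall: called without a sequence number it empties the whole map.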

VII. Summary of key differences

Dimension        | Redistribution (redistribute)                                        | Policy routing (PBR)
-----------------+----------------------------------------------------------------------+-------------------------------------------------------------------------------
deny behaviour   | matching route entries are refused injection into the target protocol | matching traffic is no longer policy-routed; it is forwarded by the normal routing table
set effect       | modifies route attributes (metric, tag, type)                         | changes packet forwarding behaviour (next hop, egress interface)
Where applied    | under the routing process: redistribute ... route-map                 | under the interface: ip policy route-map
Scope            | controls routing-table injection, indirectly affects forwarding       | directly controls the packet forwarding path
Typical use      | filter/modify redistributed routes, loop prevention                   | source-based path selection, link load sharing

VIII. Guide to avoiding pitfalls in production

⚠️ Sequence-number management: always include the sequence number when deleting a specific clause; otherwise the entire route-map is removed.

⚠️ Implicit deny: routes/traffic that match no permit clause are ultimately denied or take normal forwarding.

⚠️ PBR takes effect inbound only: do not apply policy routing on an egress interface; it will not take effect there.

⚠️ ACL default deny: the ACL referenced by a route-map also denies by default; beware the risk of double filtering.