# Geosite/Geoip Configuration Guide
## Introduction

Geosite/Geoip is a routing and policy control feature based on geographical location. By leveraging precise geolocation databases, it delivers intelligent, flexible, and efficient traffic management. Utilizing global IP address allocation information and domain name geolocation data, Geosite/Geoip enables fine-grained control over network traffic.

The advantages of Geosite/Geoip include accurate geographical location identification, flexible traffic policy configuration, efficient database query mechanisms, and robust access control capabilities. Compared to traditional IP-range-based control methods, Geosite/Geoip offers greater precision, enhanced flexibility, easier maintenance, and more granular network management.

## Geosite/Geoip Configuration

### Loading the dat File

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Load the geosite dat file | `geosite load {default\|string}` | The device initially loads the default dat file. When an update is needed, `string` is the full path of the file containing the latest geosite dat file. |
| Load the geoip dat file | `geoip load {default\|string}` | The device initially loads the default dat file. When an update is needed, `string` is the full path of the file containing the latest geoip dat file. |

### Performing a Geosite/Geoip Query

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Query geosite based on a domain | `geosite lookup string` | `string`: the domain name to be queried. All country codes corresponding to the domain name are displayed. |
| Query geoip based on an IP | `geoip lookup a.b.c.d` | `a.b.c.d`: the IP address to be queried. The country code corresponding to the IP is displayed. |

### Configuring ACL-based Geosite/Geoip

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Enter the ACL configuration view | `access-list {l3\|l3v6} <string> {ingress\|egress}` | Enter the ACL configuration view. |
| Configure the geosite field to be matched | `geosite <string>` | `string`: the country code corresponding to the geosite to be matched. |
| Configure the geoip field to be matched | `geoip <string>` | `string`: the country code corresponding to the geoip to be matched. |

### Configuring PBR-based Geosite/Geoip

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Create a policy route and enter the policy route view | `pbr-map <name> seq <number>` | `name`: the policy name. `number`: the strategy ID, with a value range of 1-700; the smaller the number, the higher the priority. |
| Configure the geosite field to be matched | `geosite <string>` | `string`: the country code corresponding to the geosite to be matched. |
| Configure the geoip field to be matched | `geoip <string>` | `string`: the country code corresponding to the geoip to be matched. |

### Display and Maintenance

| Operation | Command |
| --- | --- |
| Display the currently loaded geosite dat information | `show geosite summary` |
| Display the currently loaded geoip dat information | `show geoip summary` |

## Example of Geosite/Geoip Configuration

### Network Requirements

The enterprise network requires the device to enforce geographic-location-based traffic restrictions, such as blocking access to all services located in the US. This can be achieved by configuring ACL rules with Geosite/Geoip to block all traffic meeting either of the following conditions from being forwarded through the specified public network port (Ethernet2 in the diagram):

1. Packets containing domains whose geosite country code is US.
2. Packets without domain information but whose destination IP's geoip country code is US.

### Procedure

```
sonic(config)# access-list l3 test egress
sonic(config-l3-acl-test)# rule 1 geoip us packet-action deny
sonic(config-l3-acl-test)# rule 2 geosite us packet-action deny
sonic(config-l3-acl-test)# exit
sonic(config)# interface ethernet 2
sonic(config-if-2)# acl test
```
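
As an added illustration (not the device's own implementation and not code from this guide), the following Python simulates the matching behaviour the query and ACL sections describe: a longest-prefix geoip lookup, a suffix-based geosite lookup that returns every country code recorded for a name, and sequential first-match evaluation of the example's two rules. The geoip and geosite databases, prefixes, domains and packets are constructed sample values. How the real device extracts a packet's domain, and whether it evaluates a geoip rule on a packet that also carries a domain, are not stated on the page and are assumptions in this model (each rule is evaluated independently, in sequence order).

```python
# Added illustration, not the device's code: a toy model of geoip/geosite
# lookups and of first-match ACL evaluation for the example's two rules.
# All database entries and packets below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed geoip "dat": CIDR prefix -> country code (hypothetical values).
GEOIP_DB = {
    "203.0.113.0/24": "US",
    "203.0.113.128/25": "CA",   # more specific prefix inside the /24 above
    "198.51.100.0/24": "DE",
    "2001:db8::/32": "US",
}

# Constructed geosite "dat": domain suffix -> set of country codes.
# A name may carry several codes, which is why `geosite lookup` on the
# device displays all codes for a domain.
GEOSITE_DB = {
    "example.com": {"US"},
    "cdn.example.com": {"US", "DE"},
    "example.de": {"DE"},
}


def geoip_lookup(ip: str) -> Optional[str]:
    """Longest-prefix match of `ip` against GEOIP_DB; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for prefix, code in GEOIP_DB.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = code, net.prefixlen
    return best


def geosite_lookup(domain: str) -> Set[str]:
    """Return the country codes of the most specific GEOSITE_DB suffix matching `domain`."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the full name toward the TLD: "a.b.c" -> "a.b.c", "b.c", "c".
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in GEOSITE_DB:
            return set(GEOSITE_DB[key])
    return set()


@dataclass
class Packet:
    dst_ip: str
    domain: Optional[str] = None   # None models "packets without domain information"


@dataclass
class Rule:
    seq: int
    kind: str       # "geoip" or "geosite"
    country: str
    action: str     # "deny" or "permit"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Assumption: a geosite rule needs a domain; a geoip rule checks the destination IP."""
    if rule.kind == "geosite":
        return pkt.domain is not None and rule.country.upper() in geosite_lookup(pkt.domain)
    if rule.kind == "geoip":
        return geoip_lookup(pkt.dst_ip) == rule.country.upper()
    raise ValueError(f"unknown rule kind: {rule.kind}")


def evaluate_acl(rules, pkt: Packet, default: str = "permit") -> str:
    """First matching rule in sequence order decides; otherwise the default action applies."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action
    return default


# The guide's example ACL "test" as data:
#   rule 1 geoip us packet-action deny
#   rule 2 geosite us packet-action deny
ACL_TEST = [Rule(1, "geoip", "us", "deny"), Rule(2, "geosite", "us", "deny")]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.10"),                      # no domain, US address  -> deny
        Packet("198.51.100.7", "www.example.com"),   # US domain on a DE address -> deny
        Packet("198.51.100.7", "shop.example.de"),   # DE domain, DE address  -> permit
        Packet("192.0.2.1"),                         # unknown address, no domain -> permit
    ]
    for p in samples:
        print(p, "->", evaluate_acl(ACL_TEST, p))
```

The second sample shows why the example configures both rules: the destination address alone would not flag a US service fronted by an address registered elsewhere, while the domain-based geosite rule does.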
