GeoSite/GeoIP Configuration Guide

GeoSite/GeoIP is a routing and policy-control feature based on geographic location. GeoIP maps IP addresses to country codes using global IP address allocation data, and GeoSite maps domain names to country codes, so the device can match and control traffic according to where its destination is located.

Compared with maintaining traffic policies as hand-written lists of IP ranges, GeoSite/GeoIP gives more accurate location identification, flexible policy configuration, efficient database lookups and strong access-control capabilities, with less maintenance effort and finer-grained control over network traffic.

Loading the databases

Operation: Enter the system configuration view
  Command: configure terminal

Operation: Load the geosite.dat file
  Command: geosite load {default|string}
  Description: The device initially loads its built-in default geosite.dat. To update it, give string as the full path of the file containing the latest geosite.dat.

Operation: Load the geoip.dat file
  Command: geoip load {default|string}
  Description: The device initially loads its built-in default geoip.dat. To update it, give string as the full path of the file containing the latest geoip.dat.

Querying the databases

Operation: Enter the system configuration view
  Command: configure terminal

Operation: Query GeoSite by domain name
  Command: geosite lookup string
  Description: string: the domain name to query. All country codes corresponding to the domain are displayed.

Operation: Query GeoIP by IP address
  Command: geoip lookup A.B.C.D
  Description: A.B.C.D: the IP address to query. The country code corresponding to the address is displayed.

Matching GeoSite/GeoIP in an ACL

Operation: Enter the system configuration view
  Command: configure terminal

Operation: Enter ACL configuration view
  Command: access-list {L3|L3V6} name {ingress|egress}
  Description: L3 or L3V6 selects the ACL type (L3V6 is the IPv6 variant), name is the ACL name, and ingress or egress is the direction the ACL applies to (the Procedure below uses access-list L3 test egress).

Operation: Configure the geosite field to match
  Command: geosite string
  Description: string: the country code of the GeoSite list to match, used as the match field of a rule (for example rule 2 geosite US packet-action deny in the Procedure below).

Operation: Configure the geoIP field to match
  Command: geoip string
  Description: string: the country code of the GeoIP list to match, used as the match field of a rule (for example rule 1 geoip US packet-action deny in the Procedure below).

Matching GeoSite/GeoIP in a policy route

Operation: Enter the system configuration view
  Command: configure terminal

Operation: Create a policy route and enter the policy route view
  Command: pbr-map name seq number
  Description: name: the policy name. number: the strategy ID (sequence number) of the rule, range 1-700; the smaller the number, the higher the priority.

Operation: Configure the geosite field to match
  Command: geosite string
  Description: string: the country code of the GeoSite list to match.

Operation: Configure the geoIP field to match
  Command: geoip string
  Description: string: the country code of the GeoIP list to match.

Displaying the loaded databases

Operation: Display the currently loaded geosite.dat information
  Command: show geosite summary

Operation: Display the currently loaded geoip.dat information
  Command: show geoip summary

Network Requirements

The enterprise network requires the device to enforce geographic location-based traffic restrictions, for example blocking access to all services located in the US. This is achieved by configuring ACL rules with GeoSite/GeoIP that block any traffic meeting either of the following conditions from being forwarded out of the specified public network port (Ethernet2 in the diagram):

1. Packets carrying a domain name whose GeoSite country code is US.

2. Packets without domain information whose destination IP address has the GeoIP country code US.

Procedure

sonic(config)# access-list L3 test egress
sonic(config-L3-acl-test)# rule 1 geoip US packet-action deny
sonic(config-L3-acl-test)# rule 2 geosite US packet-action deny
sonic(config-L3-acl-test)# exit
sonic(config)# interface ethernet 2
sonic(config-if-2)# acl test

Rule 1 denies packets whose destination IP address maps to GeoIP country code US, rule 2 denies packets whose domain name maps to GeoSite country code US, and the last two commands bind the egress ACL test to Ethernet2. Before relying on the rules, confirm that the databases are actually loaded with show geoip summary and show geosite summary, and spot-check a known address and a known domain with geoip lookup and geosite lookup so that the country codes named in the rules are the ones the loaded files really use.
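The commands above are the device CLI and cannot be run off-box. To show what `geoip load`/`geosite load` consume, what `geoip lookup`/`geosite lookup` consult, and how the two deny conditions from the Network Requirements combine, here is an added Python example; it is not the vendor's code and does not describe the device's internals. It assumes that the .dat files use the V2Ray GeoIPList/GeoSiteList protobuf layout (GeoIP entries holding CIDR sub-messages, GeoSite entries holding Domain sub-messages), which this page does not state, and it builds two tiny databases in memory from constructed, documentation-only prefixes and reserved example domains; every function name is the example's own.

```python
# Decode geoip.dat / geosite.dat (assumed V2Ray GeoIPList/GeoSiteList protobuf layout) and apply the
# two GeoSite/GeoIP deny conditions. Example code written for this guide, not the vendor's implementation.
import ipaddress
import re

PLAIN, REGEX, DOMAIN, FULL = 0, 1, 2, 3   # V2Ray Domain.Type values (assumed layout)

# minimal protobuf wire format: varint (type 0) and length-delimited (type 2) are all these files use
def _varint(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def _read_varint(buf, pos):
    result = shift = 0
    while buf[pos] & 0x80:
        result |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return result | (buf[pos] << shift), pos + 1

def _field(num, payload):              # ints become varint fields, bytes become length-delimited ones
    if isinstance(payload, int):
        return _varint(num << 3) + _varint(payload)
    return _varint((num << 3) | 2) + _varint(len(payload)) + payload

def _msg(buf):                         # -> {field_number: [values in wire order]}
    out, pos = {}, 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        num, wt = key >> 3, key & 7
        if wt == 0:
            val, pos = _read_varint(buf, pos)
        elif wt == 2:
            ln, pos = _read_varint(buf, pos)
            val, pos = bytes(buf[pos:pos + ln]), pos + ln
        else:
            raise ValueError(f"unexpected wire type {wt}")
        out.setdefault(num, []).append(val)
    return out

# builders for the constructed sample files: both lists are <List>{entry=1: <Entry>{country_code=1, items=2}}
def _build(entries, encode_item):
    out = b""
    for cc, items in entries.items():
        out += _field(1, _field(1, cc.encode()) + b"".join(_field(2, encode_item(i)) for i in items))
    return out

def _cidr(net):                        # CIDR{ip=1 (packed address), prefix=2}
    net = ipaddress.ip_network(net)
    return _field(1, net.network_address.packed) + _field(2, net.prefixlen)

def _domain(rule):                     # Domain{type=1, value=2}
    return _field(1, rule[0]) + _field(2, rule[1].encode())

# parsers: what `geoip lookup` / `geosite lookup` consult after `geoip load` / `geosite load`
def _entries(data):
    for entry in _msg(data).get(1, []):
        m = _msg(entry)
        yield m[1][0].decode(), [_msg(x) for x in m.get(2, [])]

def parse_geoip(data):
    def net(c):                        # a prefix of 0 is absent on the wire (proto3 default), hence the fallback
        ip = c[1][0]
        cls = ipaddress.IPv4Network if len(ip) == 4 else ipaddress.IPv6Network
        return cls((ip, c.get(2, [0])[0]))
    return {cc: [net(c) for c in cidrs] for cc, cidrs in _entries(data)}

def parse_geosite(data):               # type PLAIN (0) is likewise absent on the wire
    return {cc: [(d.get(1, [PLAIN])[0], d[2][0].decode()) for d in doms] for cc, doms in _entries(data)}

def geoip_lookup(table, ip):           # every code whose prefixes contain ip; v4 and v6 never cross-match
    addr = ipaddress.ip_address(ip)
    return sorted(cc for cc, nets in table.items() if any(addr in n for n in nets))

def _matches(rule, host):
    dtype, value = rule
    if dtype == PLAIN:
        return value in host
    if dtype == REGEX:
        return re.search(value, host) is not None
    if dtype == DOMAIN:                # the name itself or any label below it
        return host == value or host.endswith("." + value)
    return host == value               # FULL

def geosite_lookup(table, host):
    host = host.lower().rstrip(".")
    return sorted(cc for cc, rules in table.items() if any(_matches(r, host) for r in rules))

def should_deny(geoip_table, geosite_table, dst_ip, domain=None, cc="US"):
    # condition 1: a domain is known and its GeoSite code is cc; condition 2: no domain, GeoIP code of dst_ip is cc
    if domain is not None:
        return cc in geosite_lookup(geosite_table, domain)
    return cc in geoip_lookup(geoip_table, dst_ip)

# constructed sample databases: documentation-only prefixes (RFC 5737 / RFC 3849) and reserved example domains
GEOIP_TABLE = parse_geoip(_build({"US": ["192.0.2.0/24", "2001:db8:1::/48"], "DE": ["198.51.100.0/24"]}, _cidr))
GEOSITE_TABLE = parse_geosite(_build({"US": [(DOMAIN, "example.com"), (FULL, "api.example.net")],
                                      "DE": [(DOMAIN, "example.de")]}, _domain))
```

Pointing parse_geoip at the bytes of a freshly downloaded geoip.dat before running geoip load is a cheap check that the file decodes and contains the country codes the rules are about to match on. should_deny implements the stated requirement literally: a packet carrying a non-US domain is permitted even when its destination IP is US. Rule 1 of the configured ACL matches geoip US with no domain condition at all, so verify on the device how such packets are actually handled rather than assuming either behaviour.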