Access Lists
An access list is a sequential collection of permit and deny conditions that you can use to filter inbound or outbound routes. You can use different kinds of access lists to filter routes based on either the prefix or the AS path.
Filtering Prefixes
To filter routes based on the prefix, you can do any of the following:
- Define an access list with the access list command, and apply the list to routes received from or passed to a neighbor with the neighbor distribute-list command
- Define a prefix list with the ip prefix-list command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-list command
- Define a prefix tree with the ip prefix-tree command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-tree command
The router compares each route's prefix against the conditions in the list or tree one by one. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit deny condition for all routes. The implicit rule is displayed by show access-list and show config commands.
You cannot selectively place conditions in or remove conditions from an access list, prefix list, or prefix tree. You can insert a new condition only at the end of a list or tree.
Example 1
The following example shows the how the implicit deny condition is displayed.
host1(config)#access-list 1 permit 10.10.10.1 0.0.0.255
host1(config)#access-list 2 permit 10.25.25.1 0.0.0.255
host1(config)#access-list 3 permit any any
host1(config)#show access-list
IP Access List 1:
permit ip 10.10.10.1 0.0.0.255 any
deny ip any any
IP Access List 2:
permit ip 10.25.25.1 0.0.0.255 any
deny ip any any
IP Access List 3:
permit ip any any
Note that the implicit deny rule does not appear in the display for access list 3, because any prefix will match access list 3.
Example 2
The following example demonstrates how to use a route map and an access list to redistribute static routes to IS-IS.
host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0
host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.2.0
host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.30.0
host1(config)#access-list fltra permit 20.20.0.0 0.0.255.255
host1(config)#route-map 1
host1(config-route-map)#match ip address fltra
host1(config-route-map)#set metric-type internal
host1(config)#router isis testnet
host1(config-router)#redistribute static route-map 1
- Verify the effect of the redistribution (the two static routes matching the route map are redistributed as level 2 internal routes).
host1#show isis database detail l2
IS-IS Level-2 Link State Database
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
0000.0000.6666.00-00 0x000002B7 0x3E1F 1198 0/0/0
Area Address: 47.0005.80FF.F800.0000.0001.0001
NLPID: 0xcc
IP Address: 192.168.1.105
Metric: 10 IS 0000.0000.6666.01
Metric: 10 IS 0000.0000.3333.00
Metric: 10 IS 0000.0000.7777.00
Metric: 30 IP 20.20.20.0 255.255.255.0
Metric: 30 IP 20.20.21.0 255.255.255.0
Example 3
The following example demonstrates how to use an access list to filter routes advertised to a BGP speaker. Consider the network structure in Figure 1-2.
The following commands configure router Boston to apply access list reject1 to routes inbound from router SanJose. Access list reject1 rejects routes matching 172.24.160.0/19.
host1(config)#router bgp 17
host1(config-router)#neighbor 10.5.5.4 remote-as 873
host1(config-router)#neighbor 10.5.5.4 distribute-list reject1 in
host1(config-router)#exit
host1(config)#access-list reject1 permit 172.24.48.0 0.0.255
host1(config)#access-list reject1 deny 172.24.160.0 0.0.0.255
host1(config)#access-list reject1 permit 172.24.24.0 0.0.0.255
Filtering AS Paths
You can use a filter list to filter incoming and outgoing routes based on the value of the AS-path attribute. Whenever a BGP route passes through an AS, BGP prepends its AS number to the AS-path attribute. The AS-path attribute is the list of ASs that a route has passed through to reach a destination.
To filter routes based on the AS path, define the access list with the ip as-path access-list command, and apply the list to routes received from or passed to a neighbor with the neighbor filter-list command. AS-path access lists use regular expressions to describe the AS path to be matched. A regular expression uses special characters—often referred to as metacharacters—to define a pattern that is compared with an input string. For a full discussion of regular expressions, with examples on how to use them, see Using Regular Expressions later in this chapter.
The router compares each route's AS path against each condition in the access list. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the route; that is, the last action of any list is an implicit deny condition for all routes.
You cannot selectively place conditions in or remove conditions from an AS-path access list. You can insert a new condition only at the end of an AS-path access list.
Example 1
Consider the network structure in Figure 1-3.
Suppose you want router London to behave in the following way:
- Accept routes originated in AS 621 only if they pass directly to router London.
- Accept routes originated in AS 11 only if they pass directly to router London.
- Forward routes from AS 282 to AS 435 only if they pass through either AS 621 or AS 11, but not both AS 621 and AS 11.
The following commands configure router London to apply filters based on AS path to routes received from router Berlin and router Paris and to routes forwarded to router Madrid.
host1(config)#router bgp 47
host1(config-router)#neighbor 10.2.9.2 remote-as 621
host1(config-router)#neighbor 10.2.9.2 filter-list 1 in
host1(config-router)#neighbor 10.2.8.2 remote-as 11
host1(config-router)#neighbor 10.2.8.2 filter-list 2 in
host1(config-router)#neighbor 10.2.7.2 remote-as 435
host1(config-router)#neighbor 10.2.7.2 filter-list 3 out
host1(config-router)#exit
host1(config)#ip as-path access-list 1 deny ^11
host1(config)#ip as-path access-list 1 permit .*
host1(config)#ip as-path access-list 2 deny ^621
host1(config)#ip as-path access-list 2 permit .*
host1(config)#ip as-path access-list 3 deny [621 11]
host1(config)#ip as-path access-list 3 permit .*
AS-path access list 1 is applied to routes that router London receives from router Paris. Router London rejects routes with the AS path 11 621 or 11 282 621.
AS-path access list 2 is applied to routes that router London receives from router Berlin. Router London rejects routes with the AS path 621 11 or 621 282 11.
Router London accepts routes with the AS path 282 11, 282 621, 282 621 11, or 282 11 621. However, it applies AS-path access-list 3 to routes it forwards to router Madrid, and filters out routes with the AS path 282 621 11 or 282 11 621.
Using Access Lists in a Route Map
You can use a route map instead of the neighbor filter-list command to apply access lists for filtering routes. In Figure 1-4, a route map is used to determine the weight for routes learned by router Chicago.
Access list 1 permits any route whose AS-path attribute includes 32 or 837. This condition permits routes that originate in (or pass through from elsewhere) AS 32 or AS 837. When these routes are advertised through AS 451 and AS 17 to router Chicago, instance 1 of route map 1 matches such routes and sets their weight to 25, overriding the neighbor weight set for updates received from 10.2.2.4.
Access list 2 permits any route whose AS-path attribute indicates that it originates in AS 74. When these routes are advertised through AS 837 and AS 32 to router Chicago, instance 1 of route map 2 matches such routes and sets their weight to 175, overriding the neighbor weight set for updates received from 10.5.5.2.
host1(config)#router bgp 293
host1(config-router)#network 192.168.5.0 mask 255.255.255.0
host1(config-router)#neighbor 10.2.2.4 remote-as 17
host1(config-router)#neighbor 10.2.2.4 weight 150
host1(config-router)#neighbor 10.2.2.4 route-map 1 in
host1(config-router)#exit
host1(config-router)#neighbor 10.5.5.2 remote-as 32
host1(config-router)#neighbor 10.5.5.2 weight 50
host1(config-router)#neighbor 10.5.5.2 route-map 2 in
host1(config)#route-map 1 permit 1
host1(config-route-map)#match as-path 1
host1(config-route-map)#set weight 25
host1(config-route-map)#exit
host1(config)#ip as-path access-list 1 permit [ 32 837 ]
host1(config)#route-map 2 permit 1
host1(config-route-map)#match as-path 2
host1(config-route-map)#set weight 175
host1(config-route-map)#exit
host1(config)#ip as-path access-list 2 permit [ 74 ]
The result of this configuration is that router Chicago prefers routes learned via router Boston (weight 150) over routes learned through router NY (weight 50), except that:
- Router Chicago prefers routes learned via router NY that passed through AS 837 or AS 32 (weight 50) over the same routes learned via router Boston (weight 25 per route map 1).
- Router Chicago prefers routes originating in AS 74 learned via router NY that passed through AS 837 and AS 32 (weight 175 per route map 2) over the same routes learned via router Boston (weight 150).
access-list
- Use to define an IP access list to permit or deny routes based on the prefix.
- Each access list is a set of permit or deny conditions for routes based on matching a route's prefix.
- A zero in the wildcard mask means that the corresponding bit in the address must be exactly matched by the route. A one in the wildcard mask means that the corresponding bit in the address does not have to be matched by the route.
- Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.
- Use the log keyword to log an Info event in the ipAccessList log whenever an access-list rule is matched.
- Use the no version to delete an IP access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
default-information originate
- Use to enable RIP, OSPF, or BGP to advertise a default route (0.0.0.0/0) that exists in the IP routing table.
- If you specify the always option for OSPF, OSPF generates a default route if it does not exist in the IP routing table and advertises it.
- Use to generate a default route into an IS-IS domain.
- Example
host1(config-router)#default-information originate
ip as-path access-list
- Use to define an AS-path access list to permit or deny routes based on the AS path.
- Each access list is a set of permit or deny conditions for routes based on matching a route's AS path to a regular expression. If the regular expression matches the representation of the AS path of the route as an ASCII string, then the permit or deny condition applies. The AS path does not contain the local AS number.
- The AS path allows substring matching. For example, the regular expression 20 matches AS path = 20 and AS path = 100 200 300, because 20 is a substring of each path. To disable substring matching and constrain matching to only the specified attribute string, place the underscore (_) metacharacter on both sides of the string; for example _20_.
- Use the neighbor filter-list command to apply the AS-path access list. You can apply access list filters to inbound and outbound BGP routes. You can assign weights to routes matching the AS-path access list.
- Use the no version to remove the AS-path access list; all entries belonging to this list are removed.
neighbor distribute-list
- Use to filter routes to selected prefixes as specified in an access list. Distribute lists are applied only to external peers.
- Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy).
- Using distribute lists is one of several ways to filter BGP advertisements. Other methods are to:
- Use AS path filters with the ip as-path access-list and the neighbor filter-list commands
- Use route map filters with the route-map and the neighbor route-map commands
neighbor filter-list
- Use to assign an AS-path access list to matching inbound or outbound routes.
- Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy).
- You can specify an optional weight value with the weight keyword to assign a relative importance to incoming routes matching the AS-path access list.
- Access list values can range from 0-65535.
- Use the no version to disassociate the access list from a neighbor.
neighbor prefix-list
- Use to assign an inbound or outbound prefix list.
- If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
- Example
host1(config-router)#neighbor 192.168.1.158 prefix-list seoul19 in
neighbor prefix-tree
- Use to assign an inbound or outbound prefix tree.
- If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
- Example
host1(config-router)#neighbor 192.168.1.158 prefix-tree newyork out
redistribute
host1(config)#router bgp 100
host1(config-router)#neighbor 192.56.10.2 remote-as 200
host1(config-router)#redistribute static
host1(config-router)#exit
host1(config)#ip route 155.30.0.0 0.0.255.255