Access Lists
An access list is a sequential collection of permit and deny conditions that you can use to filter inbound or outbound routes. You can use different kinds of access lists to filter routes based on either the prefix or the AS path.
Filtering Prefixes
To filter routes based on the prefix, you can do any of the following:
- Define an access list with the access-list or ipv6 access-list command, and apply the list to routes received from or passed to a neighbor with the neighbor distribute-list command.
- Define a prefix list with the ip prefix-list command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-list command.
- Define a prefix tree with the ip prefix-tree command, and apply the tree to routes received from or passed to a neighbor with the neighbor prefix-tree command.
The router compares each route's prefix against the conditions in the list or tree, one-by-one. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit deny condition for all routes. The implicit rule is displayed by show access-list and show config commands.
You cannot selectively place conditions in or remove conditions from an access list, prefix list, or prefix tree. You can insert a new condition only at the end of a list or tree.
Configuration Example 1
The following example shows how the implicit deny condition appears:
```
host1(config)#access-list 1 permit 10.10.10.1 0.0.0.255
host1(config)#access-list 2 permit 10.25.25.1 0.0.0.255
host1(config)#access-list 3 permit any any
host1(config)#show access-list
IP Access List 1:
permit ip 10.10.10.1 0.0.0.255 any
deny ip any any
IP Access List 2:
permit ip 10.25.25.1 0.0.0.255 any
deny ip any any
IP Access List 3:
permit ip any any
```
The implicit deny rule does not appear in the display for access list 3, because any prefix matches access list 3.
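As an added illustration (not code from the JUNOSe documentation), the following Python models the first-match evaluation and implicit deny described above: a wildcard-mask comparison, sequential testing that stops at the first match, and a rendering of the three lists in the show access-list form. The rule tuples, the ANY marker and the route prefixes are constructed for this example.

```python
import ipaddress

# Added example (not JUNOSe code): a first-match evaluator for the prefix
# access lists shown above. A rule is (action, address, wildcard); an
# address of ANY (None) stands for the "any" keyword.

ANY = None

def wildcard_match(route_ip, address, wildcard):
    """A zero bit in the wildcard mask means the route's bit must equal the
    address bit exactly; a one bit means the route's bit is not checked."""
    if address is ANY:
        return True
    r = int(ipaddress.IPv4Address(route_ip))
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((r ^ a) & ~w & 0xFFFFFFFF) == 0

def matches_every_prefix(address, wildcard):
    """True for 'any' or an all-ones wildcard: such a rule matches everything."""
    return address is ANY or wildcard == "255.255.255.255"

def evaluate(rules, route_prefix):
    """Return 'permit' or 'deny' for a route prefix such as '10.10.10.0/24'.
    Testing stops at the first matching condition; a route that matches no
    condition falls through to the implicit deny at the end of the list."""
    route_ip = route_prefix.split("/")[0]
    for action, address, wildcard in rules:
        if wildcard_match(route_ip, address, wildcard):
            return action
    return "deny"

def render(name, rules):
    """Produce the show access-list form. The implicit deny line is shown
    unless some rule already matches every prefix (as for access list 3)."""
    lines = [f"IP Access List {name}:"]
    for action, address, wildcard in rules:
        source = "any" if address is ANY else f"{address} {wildcard}"
        lines.append(f"{action} ip {source} any")
    if not any(matches_every_prefix(a, w) for _, a, w in rules):
        lines.append("deny ip any any")
    return "\n".join(lines)

# The three lists from Configuration Example 1, as rule tuples.
ACCESS_LISTS = {
    "1": [("permit", "10.10.10.1", "0.0.0.255")],
    "2": [("permit", "10.25.25.1", "0.0.0.255")],
    "3": [("permit", ANY, ANY)],
}

if __name__ == "__main__":
    for name, rules in ACCESS_LISTS.items():
        print(render(name, rules))
    print(evaluate(ACCESS_LISTS["1"], "10.10.10.0/24"))  # permit
    print(evaluate(ACCESS_LISTS["1"], "10.10.11.0/24"))  # deny (implicit)
```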
Configuration Example 2
The following example demonstrates how to use a route map and an access list to redistribute static routes to IS-IS.
- Configure three static routes.
```
host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0
host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.2.0
host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.30.0
```
- Configure an access list, fltra, that filters routes 20.20.20.0/24 and 20.20.21.0/24.
```
host1(config)#access-list fltra permit 20.20.0.0 0.0.255.255
```
- Configure route map 1 to match access list fltra, and apply an internal metric type.
```
host1(config)#route-map 1
host1(config-route-map)#match ip address fltra
host1(config-route-map)#set metric-type internal
```
- Configure redistribution into IS-IS of the static routes with route map 1.
```
host1(config)#router isis testnet
host1(config-router)#redistribute static route-map 1
```
- Verify the effect of the redistribution (the two static routes matching the route map are redistributed as level 2 internal routes).
```
host1#show isis database detail l2
IS-IS Level-2 Link State Database
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
0000.0000.6666.00-00  0x000002B7   0x3E1F        1198          0/0/0
Area Address: 47.0005.80FF.F800.0000.0001.0001
NLPID: 0xcc
IP Address: 192.168.1.105
Metric: 10 IS 0000.0000.6666.01
Metric: 10 IS 0000.0000.3333.00
Metric: 10 IS 0000.0000.7777.00
Metric: 30 IP 20.20.20.0 255.255.255.0
Metric: 30 IP 20.20.21.0 255.255.255.0
```
Configuration Example 3
The following example demonstrates how to use an access list to filter routes advertised to a BGP device. Consider the network structure in Figure 2.
The following commands configure router Boston to apply access list reject1 to routes inbound from router SanJose. Access list reject1 rejects routes matching 172.24.160.0/19.
```
host1(config)#router bgp 17
host1(config-router)#neighbor 10.5.5.4 remote-as 873
host1(config-router)#neighbor 10.5.5.4 distribute-list reject1 in
host1(config-router)#exit
host1(config)#access-list reject1 permit 172.24.48.0 0.0.0.255
host1(config)#access-list reject1 deny 172.24.160.0 0.0.0.255
host1(config)#access-list reject1 permit 172.24.24.0 0.0.0.255
```
Filtering AS Paths
You can use a filter list to filter incoming and outgoing routes based on the value of the AS-path attribute. Whenever a BGP route passes through an AS, BGP prepends its AS number to the AS-path attribute. The AS-path attribute is the list of ASs that a route has passed through to reach a destination.
To filter routes based on the AS path, define the access list with the ip as-path access-list command, and apply the list to routes received from or passed to a neighbor with the neighbor filter-list command. AS-path access lists use regular expressions to describe the AS path to be matched. A regular expression uses special characters, often referred to as metacharacters, to define a pattern that is compared with an input string. For a full discussion of regular expressions, with examples of how to use them, see Using Regular Expressions.
The router compares each route's AS path with each condition in the access list. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the route; that is, the last action of any list is an implicit deny condition for all routes.
You cannot selectively place conditions in or remove conditions from an AS-path access list. You can insert a new condition only at the end of an AS-path access list.
Configuration Example 1
Consider the network structure in Figure 3.
Suppose you want router London to behave in the following way:
- Accept routes originated in AS 621 only if they pass directly to router London.
- Accept routes originated in AS 11 only if they pass directly to router London.
- Forward routes from AS 282 to AS 435 only if they pass through either AS 621 or AS 11, but not both AS 621 and AS 11.
The following commands configure router London to apply filters based on AS path to routes received from router Berlin and router Paris and to routes forwarded to router Madrid.
```
host1(config)#router bgp 47
host1(config-router)#neighbor 10.2.9.2 remote-as 621
host1(config-router)#neighbor 10.2.9.2 filter-list 1 in
host1(config-router)#neighbor 10.2.8.2 remote-as 11
host1(config-router)#neighbor 10.2.8.2 filter-list 2 in
host1(config-router)#neighbor 10.2.7.2 remote-as 435
host1(config-router)#neighbor 10.2.7.2 filter-list 3 out
host1(config-router)#exit
host1(config)#ip as-path access-list 1 deny ^11
host1(config)#ip as-path access-list 1 permit .*
host1(config)#ip as-path access-list 2 deny ^621
host1(config)#ip as-path access-list 2 permit .*
host1(config)#ip as-path access-list 3 deny [621 11]
host1(config)#ip as-path access-list 3 permit .*
```
AS-path access list 1 is applied to routes that router London receives from router Paris. Router London rejects routes with the AS path 11 621 or 11 282 621.
AS-path access list 2 is applied to routes that router London receives from router Berlin. Router London rejects routes with the AS path 621 11 or 621 282 11.
Router London accepts routes with the AS path 282 11, 282 621, 282 621 11, or 282 11 621. However, it applies AS-path access list 3 to routes it forwards to router Madrid, and filters out routes with the AS path 282 621 11 or 282 11 621.
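The following Python is an added example, not JUNOSe code: it models the AS-path access-list evaluation applied by router London above (first match wins, implicit deny, substring matching against the AS path as an ASCII string, and the underscore metacharacter described under ip as-path access-list in the command reference). Lists 1 and 2 are taken from the configuration; the outbound list toward Madrid is rewritten here with underscore-delimited patterns, which is an assumption of this example rather than the bracket form used in the configuration.

```python
import re

# Added example (not JUNOSe code): first-match evaluation of an AS-path
# access list against the AS-path attribute rendered as an ASCII string.

def compile_as_path_regex(pattern):
    """Translate an AS-path regular expression to a Python regex.

    The underscore metacharacter marks a boundary between AS numbers
    (start or end of the path, or the separator between two numbers).
    With digit-only AS numbers a word boundary expresses the same thing,
    so '_20_' matches the whole AS number 20 but not the 20 inside 200.
    """
    return re.compile(pattern.replace("_", r"\b"))

def evaluate_as_path(rules, as_path):
    """Return 'permit' or 'deny' for a path such as '11 282 621'.

    rules is the list of (action, pattern) in configured order. Matching is
    substring matching (re.search); the first matching condition decides,
    and a path that matches nothing falls through to the implicit deny.
    """
    for action, pattern in rules:
        if compile_as_path_regex(pattern).search(as_path):
            return action
    return "deny"

# Router London's inbound lists from the configuration above.
LIST_1 = [("deny", "^11"), ("permit", ".*")]    # applied to routes from Paris
LIST_2 = [("deny", "^621"), ("permit", ".*")]   # applied to routes from Berlin

# The outbound policy toward Madrid (drop paths that traverse both AS 621
# and AS 11) written with underscore-delimited patterns. This form is
# constructed for the example; it is not the bracket form shown above.
LIST_3 = [
    ("deny", "_621_.*_11_"),
    ("deny", "_11_.*_621_"),
    ("permit", ".*"),
]

def london_decisions(as_path):
    """Apply the three lists to one AS path and return the decisions."""
    return {
        "from_paris": evaluate_as_path(LIST_1, as_path),
        "from_berlin": evaluate_as_path(LIST_2, as_path),
        "to_madrid": evaluate_as_path(LIST_3, as_path),
    }

if __name__ == "__main__":
    for path in ("11 621", "621 282 11", "282 621 11", "282 11", "282 621"):
        print(path, london_decisions(path))
```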
Using Access Lists in a Route Map
You can use a route map instead of the neighbor filter-list command to apply access lists for filtering routes.
Configuration Example 1
In Figure 4, a route map is used to determine the weight for routes learned by router Chicago.
Access list 1 permits any route whose AS-path attribute includes 32 or 837. This condition permits routes that originate in (or pass through from elsewhere) AS 32 or AS 837. When these routes are advertised through AS 451 and AS 17 to router Chicago, instance 1 of route map 1 matches such routes and sets their weight to 25, overriding the neighbor weight set for updates received from 10.2.2.4.
Access list 2 permits any route whose AS-path attribute indicates that it originates in AS 74. When these routes are advertised through AS 837 and AS 32 to router Chicago, instance 1 of route map 2 matches such routes and sets their weight to 175, overriding the neighbor weight set for updates received from 10.5.5.2.
The following example configures router Chicago:
```
host1(config)#router bgp 293
host1(config-router)#network 192.168.5.0 mask 255.255.255.0
host1(config-router)#neighbor 10.2.2.4 remote-as 17
host1(config-router)#neighbor 10.2.2.4 weight 150
host1(config-router)#neighbor 10.2.2.4 route-map 1 in
host1(config-router)#neighbor 10.5.5.2 remote-as 32
host1(config-router)#neighbor 10.5.5.2 weight 50
host1(config-router)#neighbor 10.5.5.2 route-map 2 in
host1(config-router)#exit
host1(config)#route-map 1 permit 1
host1(config-route-map)#match as-path 1
host1(config-route-map)#set weight 25
host1(config-route-map)#exit
host1(config)#ip as-path access-list 1 permit [ 32 837 ]
host1(config)#route-map 2 permit 1
host1(config-route-map)#match as-path 2
host1(config-route-map)#set weight 175
host1(config-route-map)#exit
host1(config)#ip as-path access-list 2 permit [ 74 ]
```
The result of this configuration is that router Chicago prefers routes learned through router Boston (weight 150) over routes learned through router NY (weight 50), except that:
- Router Chicago prefers routes learned via router NY that passed through AS 837 or AS 32 (weight 50) over the same routes learned via router Boston (weight 25 according to route map 1).
- Router Chicago prefers routes originating in AS 74 learned via router NY that passed through AS 837 and AS 32 (weight 175 according to route map 2) over the same routes learned via router Boston (weight 150).
access-list
- Use to define an IP access list to permit or deny routes based on the prefix.
- Each access list is a set of permit or deny conditions for routes based on matching a route's prefix.
- A zero in the wildcard mask means that the corresponding bit in the address must be exactly matched by the route. A one in the wildcard mask means that the corresponding bit in the address does not have to be matched by the route.
- Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.
- Use the log keyword to log an Info event in the ipAccessList log whenever an access list rule is matched.
- Example
```
host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255
```
Use the no version to delete an IP access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
default-information originate
- Use to enable RIP, OSPF, or BGP to advertise a default route (0.0.0.0/0) that exists in the IP routing table.
- If you specify the always option for OSPF, OSPF generates a default route if one does not exist in the IP routing table, and advertises it.
- Use to generate a default route to an IS-IS domain.
- Example
```
host1(config-router)#default-information originate
```
Use the no version to disable advertisement of the default route.
ip as-path access-list
- Use to define an AS-path access list to permit or deny routes based on the AS path.
- Each access list is a set of permit or deny conditions for routes based on matching a route's AS path to a regular expression. If the regular expression matches the representation of the AS path of the route as an ASCII string, the permit or deny condition applies. The AS path does not contain the local AS number.
- The AS path allows substring matching. For example, the regular expression 20 matches AS path = 20 and AS path = 100 200 300, because 20 is a substring of each path. To disable substring matching and constrain matching to only the specified attribute string, place the underscore (_) metacharacter on both sides of the string; for example, _20_.
- Use the neighbor filter-list command to apply the AS-path access list. You can apply access-list filters to inbound and outbound BGP routes. You can assign weights to routes matching the AS-path access list.
- Example
```
host1(config)#ip as-path access-list 1 permit ^\(
```
Use the no version to remove the AS-path access list; all entries that belong to this list are removed.
ipv6 access-list
- Use to define an IPv6 access list to permit or deny routes based on the prefix.
- Each access list is a set of permit or deny conditions for routes based on matching a route's prefix.
- Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.
- Use the log keyword to log an Info event in the ipAccessList log whenever an access list rule is matched.
- Example
```
host1(config)#ipv6 access-list bronze deny 1::1/16 any
```
Use the no version to delete an IPv6 access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
neighbor distribute-list
- Use to filter routes to selected prefixes as specified in an access list. Distribute lists are applied only to external peers.
- Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy).
- Besides using distribute lists to filter BGP advertisements, you can do the following:
- Use AS-path filters with the ip as-path access-list and the neighbor filter-list commands
- Use route map filters with the route-map and the neighbor route-map commands
- Example
```
host1:vr1(config-router)#neighbor group1 distribute-list list1 in
```
Use the no version to disassociate the access list from a neighbor.
neighbor filter-list
- Use to assign an AS-path access list to matching inbound or outbound routes.
- Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy).
- You can specify an optional weight value with the weight keyword to assign a relative importance to incoming routes that match the AS-path access list.
- Access list values can be in the range 0 to 65535.
- Example
```
host1:vr1(config-router)#neighbor group2 filter-list list2 out
```
Use the no version to disassociate the access list from a neighbor.
neighbor prefix-list
- Use to assign an inbound or outbound prefix list.
- If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
- Use the in keyword to assign the prefix list to incoming routes (inbound policy).
- Use the out keyword to assign the prefix list to outgoing routes (outbound policy); you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy.
- Example
```
host1(config-router)#neighbor 192.168.1.158 prefix-list seoul19 in
```
Use the no version to remove the prefix list.
neighbor prefix-tree
- Use to assign an inbound or outbound prefix tree.
- If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
- Use the in keyword to assign the prefix tree to incoming routes (inbound policy).
- Use the out keyword to assign the prefix tree to outgoing routes (outbound policy); you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy.
- Example
```
host1(config-router)#neighbor 192.168.1.158 prefix-tree newyork out
```
Use the no version to remove the prefix tree.
redistribute
- Example
```
host1(config)#router bgp 100
host1(config-router)#neighbor 192.56.10.2 remote-as 200
host1(config-router)#redistribute static
host1(config-router)#exit
host1(config)#ip route 155.30.0.0 0.0.255.255
```
Use the no version to end redistribution of information.
Using Access Lists for PIM Join Filters
You can apply access lists to PIM sparse mode interfaces along with the ip pim join-filter or ipv6 pim join-filter command to use the access lists as PIM sparse mode join filters.
To configure PIM join filters:
- Create the various access list services you want to use with the PIM join filter command.
```
host1(config)#! create bronze service
host1(config)#! - restrict SSM channels to 232.0.1/24 only
host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255
host1(config)#access-list bronze permit ip host 1.1.1.1 232.0.1.0 0.0.0.255
host1(config)#access-list bronze permit ip host 2.2.2.2 232.0.1.0 0.0.0.255
host1(config)#
host1(config)#! create silver service
host1(config)#! - bronze service + new channels 232.0.2/24
host1(config)#access-list silver permit ip host any 228.0.0.0 0.0.0.255
host1(config)#access-list silver permit ip host 1.1.1.1 232.0.1.0 0.0.0.255
host1(config)#access-list silver permit ip host 2.2.2.2 232.0.1.0 0.0.0.255
host1(config)#access-list silver permit ip host 1.1.1.1 232.0.2.0 0.0.0.255
host1(config)#access-list silver permit ip host 2.2.2.2 232.0.2.0 0.0.0.255
host1(config)#
host1(config)#! create gold service
host1(config)#! - silver service + new channels 232.0.3/24
host1(config)#access-list gold permit ip host any 228.0.0.0 0.0.0.255
host1(config)#access-list gold permit ip host 1.1.1.1 232.0.1.0 0.0.0.255
host1(config)#access-list gold permit ip host 2.2.2.2 232.0.1.0 0.0.0.255
host1(config)#access-list gold permit ip host 1.1.1.1 232.0.2.0 0.0.0.255
host1(config)#access-list gold permit ip host 2.2.2.2 232.0.2.0 0.0.0.255
host1(config)#access-list gold permit ip host 1.1.1.1 232.0.3.0 0.0.0.255
host1(config)#access-list gold permit ip host 2.2.2.2 232.0.3.0 0.0.0.255
```
For additional information about how to create access lists, see Access Lists.
- Enable IP multicast routing.
```
host1(config)#ip multicast-routing
```
- Enable PIM source-specific multicast.
```
host1(config)#ip pim ssm
```
- Identify the default PIM join filter.
```
host1(config)#ip pim join-filter bronze
```
- Enable PIM sparse mode on a subinterface.
```
host1(config)#interface atm 3/0.101
host1(config-if)#ip address 101.0.0.1 255.255.255.255
host1(config-if)#ip pim sparse-mode
```
This interface (and any other PIM interface to which you do not specifically assign an access list filter) uses the default (bronze) join filter.
- Enable PIM sparse mode on another subinterface and assign the silver join filter.
```
host1(config-if)#interface atm 3/0.102
host1(config-if)#ip address 102.0.0.1 255.255.255.255
host1(config-if)#ip pim sparse-mode
host1(config-if)#ip pim join-filter silver
```
- Enable PIM sparse mode on another subinterface and assign the gold join filter.
```
host1(config-if)#interface atm 3/0.103
host1(config-if)#ip address 103.0.0.1 255.255.255.255
host1(config-if)#ip pim sparse-mode
host1(config-if)#ip pim join-filter gold
```
For information about the ip pim join-filter command, see JUNOSe Multicast Routing Configuration Guide, Chapter 7, Configuring PIM for IPv4 Multicast. For information about the ipv6 pim join-filter command, see JUNOSe Multicast Routing Configuration Guide, Chapter 12, Configuring PIM for IPv6 Multicast.
Clearing Access List Counters
Use the clear access-list or clear ipv6 access-list commands to clear access list counters.
clear access-list
- Use to clear all access list counters or access list counters in the specified access list.
- Example 1
```
host1#clear access-list list1
```
- Example 2
```
host1#clear ipv6 access-list list2
```
There is no no version.
Creating Table Maps
For static routes and access routes, you can configure and apply a table map that filters routes before an access list adds them to the routing table. For static routes, you can use the ip static-route table-map or ipv6 static-route table-map command. For access routes, you can use the ip access-route table-map or ipv6 access-route table-map command.
Use these commands when triggering on the policy values listed in Table 4.
For example, you can configure an access list and route map to filter, based on IP address, any routes that appear in the routing table:
```
host1(config)#ip access-route table-map just10net
host1(config)#access-list permit10 permit 10.0.0.0 0.255.255.255
host1(config)#access-list permit10 deny any
host1(config)#route-map just10net
host1(config-route-map)#match ip address permit10
```
Using the same name for both the table map and the route map creates an association specifying (in this case) that only IP addresses that match the access list criterion appear in the routing table.
ip access-route table-map
- Example 1
```
host1(config)#ip access-route table-map just10net
```
- Example 2
```
host1(config)#ipv6 access-route table-map map2
```
Use the no version to delete the table map.
ip static-route table-map
- Example 1
```
host1(config)#ip static-route table-map map3
```
- Example 2
```
host1(config)#ipv6 static-route table-map map4
```
Use the no version to delete the table map.