Access Lists

An access list is a sequential collection of permit and deny conditions that you can use to filter inbound or outbound routes. You can use different kinds of access lists to filter routes based on either the prefix or the AS path.

Filtering Prefixes

To filter routes based on the prefix, you can do any of the following:

• Define an access list with the access-list or ipv6 access-list command, and apply the list to routes received from or passed to a neighbor with the neighbor distribute-list command.
• Define a prefix list with the ip prefix-list command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-list command.
• Define a prefix tree with the ip prefix-tree command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-tree command.

The router compares each route's prefix against the conditions in the list or tree, one-by-one. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit deny condition for all routes. The implicit rule is displayed by show access-list and show config commands.

You cannot selectively place conditions in or remove conditions from an access list, prefix list, or prefix tree. You can insert a new condition only at the end of a list or tree.

Configuration Example 1

The following example shows how the implicit deny condition appears:

The implicit deny rule does not appear in the display for access list 3, because any prefix matches access list 3.

Configuration Example 2

The following example demonstrates how to use a route map and an access list to redistribute static routes to IS-IS.

1. Configure three static routes.

   host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0

   host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.2.0

   host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.30.0

2. Configure an access list, fltra, that filters routes 20.20.20.0/24 and 20.20.21.0/24.

   host1(config)#access-list fltra permit 20.20.0.0 0.0.255.255

3. Configure route map 1 to match access list fltra, and apply an internal metric type.

   host1(config)#route-map 1

   host1(config-route-map)#match ip address fltra

   host1(config-route-map)#set metric-type internal

4. Configure redistribution into IS-IS of the static routes with route map 1.

   host1(config)#router isis testnet

   host1(config-router)#redistribute static route-map 1

5. Verify the effect of the redistribution (the two static routes matching the route map are redistributed as level 2 internal routes).

   host1#show isis database detail l2
   IS-IS Level-2 Link State Database
   LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL 
   0000.0000.6666.00-00 0x000002B7   0x3E1F 1198 0/0/0
     Area Address: 47.0005.80FF.F800.0000.0001.0001
     NLPID:       0xcc
     IP Address:  192.168.1.105
     Metric: 10 IS 0000.0000.6666.01
     Metric: 10 IS 0000.0000.3333.00
     Metric: 10 IS 0000.0000.7777.00 
   Metric: 30 IP 20.20.20.0 255.255.255.0
   Metric: 30 IP 20.20.21.0 255.255.255.0

Configuration Example 3

The following example demonstrates how to use an access list to filter routes advertised to a BGP device. Consider the network structure in Figure 2.

Figure 2: Filtering with Access Lists

The following commands configure router Boston to apply access list reject1 to routes inbound from router SanJose. Access list reject1 rejects routes matching 172.24.160.0/19.

Filtering AS Paths

You can use a filter list to filter incoming and outgoing routes based on the value of the AS-path attribute. Whenever a BGP route passes through an AS, BGP prepends its AS number to the AS-path attribute. The AS-path attribute is the list of ASs that a route has passed through to reach a destination.

To filter routes based on the AS path, define the access list with the ip as-path access-list command, and apply the list to routes received from or passed to a neighbor with the neighbor filter-list command. AS-path access lists use regular expressions to describe the AS path to be matched. A regular expression uses special characters—often referred to as metacharacters—to define a pattern that is compared with an input string. For a full discussion of regular expressions, with examples of how to use them, see Using Regular Expressions.

The router compares each route's AS path with each condition in the access list. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the route; that is, the last action of any list is an implicit deny condition for all routes.

You cannot selectively place conditions in or remove conditions from an AS-path access list. You can insert a new condition only at the end of an AS-path access list.

Configuration Example 1

Consider the network structure in Figure 3.

Suppose you want router London to behave in the following way:

• Accept routes originated in AS 621 only if they pass directly to router London.
• Accept routes originated in AS 11 only if they pass directly to router London.
• Forward routes from AS 282 to AS 435 only if they pass through either AS 621 or AS 11, but not both AS 621 and AS 11.

  Figure 3: Filtering with AS-Path Access Lists

  

The following commands configure router London to apply filters based on AS path to routes received from router Berlin and router Paris and to routes forwarded to router Madrid.

AS-path access list 1 is applied to routes that router London receives from router Paris. Router London rejects routes with the AS path 11 621 or 11 282 621.

AS-path access list 2 is applied to routes that router London receives from router Berlin. Router London rejects routes with the AS path 621 11 or 621 282 11.

Router London accepts routes with the AS path 282 11, 282 621, 282 621 11, or 282 11 621. However, it applies AS-path access list 3 to routes it forwards to router Madrid, and filters out routes with the AS path 282 621 11 or 282 11 621.

Using Access Lists in a Route Map

You can use a route map instead of the neighbor filter-list command to apply access lists for filtering routes.

Configuration Example 1

In Figure 4, a route map is used to determine the weight for routes learned by router Chicago.

Figure 4: Route Map Filtering

Access list 1 permits any route whose AS-path attribute includes 32 or 837. This condition permits routes that originate in (or pass through from elsewhere) AS 32 or AS 837. When these routes are advertised through AS 451 and AS 17 to router Chicago, instance 1 of route map 1 matches such routes and sets their weight to 25, overriding the neighbor weight set for updates received from 10.2.2.4.

Access list 2 permits any route whose AS-path attribute indicates that it originates in AS 74. When these routes are advertised through AS 837 and AS 32 to router Chicago, instance 1 of route map 2 matches such routes and sets their weight to 175, overriding the neighbor weight set for updates received from 10.5.5.2.

The following example configures router Chicago:

The result of this configuration is that router Chicago prefers routes learned through router Boston (weight 150) over routes learned through router NY (weight 50), except that:

• Router Chicago prefers routes learned via router NY that passed through AS 837 or AS 32 (weight 50) over the same routes learned via router Boston (weight 25 according to route map 1).
• Router Chicago prefers routes originating in AS 74 learned via router NY that passed through AS 837 and AS 32 (weight 175 according to route map 2) over the same routes learned via router Boston (weight 150).

access-list

• Use to define an IP access list to permit or deny routes based on the prefix.
• Each access list is a set of permit or deny conditions for routes based on matching a route's prefix.
• A zero in the wildcard mask means that the corresponding bit in the address must be exactly matched by the route. A one in the wildcard mask means that the corresponding bit in the address does not have to be matched by the route.
• Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.
• Use the log keyword to log an Info event in the ipAccessList log whenever an access list rule is matched.
• Example

  host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255

• Use the no version to delete an IP access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
• See access-list.

default-information originate

• Use to enable RIP, OSPF, or BGP to advertise a default route (0.0.0.0/0) that exists in the IP routing table.
• If you specify the always option for OSPF, OSPF generates a default route, if it does not exist in the IP routing table and advertises it.
• Use to generate a default route to an IS-IS domain.
• Example

  host1(config-router)#default-information originate

• Use the no version to disable advertisement of the default route.
• See default-information originate.

ip as-path access-list

• Use to define an AS-path access list to permit or deny routes based on the AS path.
• Each access list is a set of permit or deny conditions for routes based on matching a route's AS path to a regular expression. If the regular expression matches the representation of the AS path of the route as an ASCII string, the permit or deny condition applies. The AS path does not contain the local AS number.
• The AS path allows substring matching. For example, the regular expression 20 matches AS path = 20 and AS path = 100 200 300, because 20 is a substring of each path. To disable substring matching and constrain matching to only the specified attribute string, place the underscore (_) metacharacter on both sides of the string; for example, _20_.
• Use the neighbor filter-list command to apply the AS-path access list. You can apply access-list filters to inbound and outbound BGP routes. You can assign weights to routes matching the AS-path access list.
• Example

  host1(config)#ip as-path access-list 1 permit ^\(
  

• Use the no version to remove the AS-path access list; all entries that belong to this list are removed.
• See ip as-path access-list.

ipv6 access-list

• Use to define an IPv6 access list to permit or deny routes based on the prefix.
• Each access list is a set of permit or deny conditions for routes based on matching a route's prefix.
• Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.
• Use the log keyword to log an Info event in the ipAccessList log whenever an access list rule is matched.
• Example

  host1(config)#ipv6 access-list bronze deny 1::1/16 any
  

• Use the no version to delete an IPv6 access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
• See ipv6 access-list.

neighbor distribute-list

• Use to filter routes to selected prefixes as specified in an access list. Distribute lists are applied only to external peers.
• Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy).
• Besides using distribute lists to filter BGP advertisements, you can do the following:
  • Use AS-path filters with the ip as-path access-list and the neighbor filter-list commands
  • Use route map filters with the route-map and the neighbor route-map commands
• Example

  host1:vr1(config-router)#neighbor group1 distribute-list list1 in

• Use the no version to disassociate the access list from a neighbor.
• See neighbor distribute-list.

neighbor filter-list

• Use to assign an AS-path access list to matching inbound or outbound routes.
• Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy).
• You can specify an optional weight value with the weight keyword to assign a relative importance to incoming routes that match the AS-path access list.
• Access list values can be in the range 0–65535.
• Example

  host1:vr1(config-router)#neighbor group2 filter-list list2 out

• Use the no version to disassociate the access list from a neighbor.
• See neighbor filter-list.

neighbor prefix-list

• Use to assign an inbound or outbound prefix list.
• If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
• Use the in keyword to assign the prefix list to incoming routes (inbound policy)
• Use the out keyword to assign the prefix list to outgoing routes (outbound policy); you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy
• Example

  host1(config-router)#neighbor 192.168.1.158 prefix-list seoul19 in

• Use the no version to remove the prefix list.
• See neighbor prefix-list.

neighbor prefix-tree

• Use to assign an inbound or outbound prefix tree.
• If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
• Use the in keyword to assign the prefix tree to incoming routes (inbound policy)
• Use the out keyword to assign the prefix tree to outgoing routes (outbound policy); you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy
• Example

  host1(config-router)#neighbor 192.168.1.158 prefix-tree newyork out

• Use the no version to remove the prefix tree.
• See neighbor prefix-tree.

redistribute

• Use to redistribute routes from one routing domain to another routing domain.
• Example

  host1(config)#router bgp 100

  host1(config-router)#neighbor 192.56.10.2 remote-as 200

  host1(config-router)#redistribute static

  host1(config-router)#exit

  host1(config)#ip route 155.30.0.0 0.0.255.255

• Use the no version to end redistribution of information.
• See redistribute.

Using Access Lists for PIM Join Filters

You can apply access lists to PIM sparse mode interfaces along with the ip pim join-filter or ipv6 pim join-filter command to use the access lists as PIM sparse mode join filters.

To configure PIM join filters:

1. Create the various access list services you want to use with the PIM join filter command.

   host1(config)#! create bronze service

   host1(config)#! - restrict SSM channels to 232.0.1/24 only

   host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255

   host1(config)#access-list bronze permit ip host 1.1.1.1 232.0.1.0 0.0.0.255

   host1(config)#access-list bronze permit ip host 2.2.2.2 232.0.1.0 0.0.0.255

   host1(config)#

   host1(config)#! create silver service

   host1(config)#! - bronze service + new channels 232.0.2/24

   host1(config)#access-list silver permit ip host any 228.0.0.0 0.0.0.255

   host1(config)#access-list silver permit ip host 1.1.1.1 232.0.1.0 0.0.0.255

   host1(config)#access-list silver permit ip host 2.2.2.2 232.0.1.0 0.0.0.255

   host1(config)#access-list silver permit ip host 1.1.1.1 232.0.2.0 0.0.0.255

   host1(config)#access-list silver permit ip host 2.2.2.2 232.0.2.0 0.0.0.255

   host1(config)#

   host1(config)#! create gold service

   host1(config)#! - silver service + new channels 232.0.3/24

   host1(config)#access-list gold permit ip host any 228.0.0.0 0.0.0.255

   host1(config)#access-list gold permit ip host 1.1.1.1 232.0.1.0 0.0.0.255

   host1(config)#access-list gold permit ip host 2.2.2.2 232.0.1.0 0.0.0.255

   host1(config)#access-list gold permit ip host 1.1.1.1 232.0.2.0 0.0.0.255

   host1(config)#access-list gold permit ip host 2.2.2.2 232.0.2.0 0.0.0.255

   host1(config)#access-list gold permit ip host 1.1.1.1 232.0.3.0 0.0.0.255

   host1(config)#access-list gold permit ip host 2.2.2.2 232.0.3.0 0.0.0.255

   For additional information about how to create access lists, see Access Lists .

2. Enable IP multicast routing.

   host1(config)#ip multicast-routing

3. Enable PIM source-specific multicast router.

   host1(config)#ip pim ssm

4. Identify the default PIM join filter.

   host1(config)#ip pim join-filter bronze

5. Enable PIM sparse mode on a subinterface.

   host1(config)#interface atm 3/0.101

   host1(config-if)#ip address 101.0.0.1 255.255.255.255

   host1(config-if)#ip pim sparse-mode

   This interface (and any other PIM interface to which you do not specifically assign an access list filter) uses the default (bronze) join filter.

6. Enable PIM sparse mode on another subinterface and assign the silver join filter.

   host1(config-if)#interface atm 3/0.102

   host1(config-if)#ip address 102.0.0.1 255.255.255.255

   host1(config-if)#ip pim sparse-mode

   host1(config-if)#ip pim join-filter silver

7. Enable PIM sparse mode on another subinterface and assign the gold join filter.

   host1(config-if)#interface atm 3/0.103

   host1(config-if)#ip address 103.0.0.1 255.255.255.255

   host1(config-if)#ip pim sparse-mode

   host1(config-if)#ip pim join-filter gold

For information about the ip pim join-filter command, see Configuring PIM for IPv4 Multicast in JUNOSe Multicast Routing Configuration Guide. For information about the ipv6 pim join-filter command, see Configuring PIM for IPv6 Multicast in JUNOSe Multicast Routing Configuration Guide.

Clearing Access List Counters

Use the clear access-list or clear ipv6 access-list commands to clear access list counters.

clear access-list

clear ipv6 access-list

• Use to clear all access list counters or access list counters in the specified access list.
• Example 1

  host1#clear access-list list1

• Example 2

  host1#clear ipv6 access-list list2

• There is no no version.
• See clear access-list.
• See clear ipv6 access-list.

Creating Table Maps

For static routes and access routes, you can configure and apply a table map that filters routes before an access list adds them to the routing table. For static routes, you can use the ip static-route table-map or ipv6 static-route table-map command. For access routes, you can use the ip access-route table-map or ipv6 access-route table-map command.

Use these commands when triggering on the policy values listed in Table 4.

Table 4: Match and Set Policy Values

For example, you can configure an access list and route map to filter, based on IP address, any routes that appear in the routing table:

Using the same name for both the table map and the route map creates an association specifying (in this case) that only IP addresses that match the access list criterion appear in the routing table.

ip access-route table-map

ipv6 access-route table-map

• Use to filter access routes before an access list adds them to the routing table.
• Example 1

  host1(config)#ip access-route table-map just10net

• Example 2

  host1(config)#ipv6 access-route table-map map2

• Use the no version to delete the table map.
• See ip access-route table-map.
• See ipv6 access-route table-map.

ip static-route table-map

ipv6 static-route table-map

• Use to filter static routes before adding them to the routing table.
• Example 1

  host1(config)#ip static-route table-map map3

• Example 2

  host1(config)#ipv6 static-route table-map map4

• Use the no version to delete the table map.
• See ip static-route table-map.
• See ipv6 static-route table-map.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.