Access Control Lists; Filter Lists; Community Lists; Route Maps - Enterasys Security Router X-PeditionTM User Manual

Enterasys security router user's guide

Access Control Lists

Access Control Lists (ACLs) are filters which permit or deny access to one or more IP addresses.
ACLs generally apply to both route updates and packet filtering, but with BGP, route update
filtering is emphasized. Prefix-based ACLs control access by specifying which IP addresses are
permitted or denied via the network prefix number.
The XSR filters BGP advertisements as follows:
with AS-path filters, using the ip as-path access-list and neighbor filter-list commands.
with ACLs, using the neighbor distribute-list {access-list} {in | out} command.
Routing data the XSR learns or advertises can be filtered by controlling BGP routing updates
through ACLs applied to the updates.
Note: Distribute-list filters are applied to network numbers, not AS paths.

Filter Lists

AS-path filter lists control access by specifying which AS paths to permit or deny. They are
configured with the ip as-path access-list <ACL#> {permit | deny} as-regular-expression
command. To further filter BGP paths by neighbor, use the neighbor filter-list
access-list-number {in | out} command.

Community Lists

Community lists control access by specifying which communities are permitted or denied.
Community-based ACLs are configured with the ip community-list command.

Route Maps

Route maps act with BGP to control and modify routing data and define the conditions by which
routes are redistributed between routing domains. Route maps are similar to ACLs in that they
both have rules for matching routes and, when a match is found, act to permit or deny the
route. Route maps are flexible and powerful in that they not only match, permit and deny, they
also change route attributes.
The XSR performs a match on AS-path, community, and network numbers for both incoming and
outgoing updates with the match as-path, match community-list, and match ip address
commands, respectively. You add a route map to inbound or outbound routes with the
neighbor {ip-address | peer-group-name} route-map <route-map#> {in | out} command.
Refer to "BGP Community with Route Maps Examples" on page 6-26 for route-map examples.
Each route map includes sets of instructions that include:
A permit or deny statement
A sequence number
An optional match clause
An optional set clause
Route maps used with BGP can perform the following:
Apply a weight to a specific route with the set weight command.
6-12 Configuring the Border Gateway Protocol
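The following configuration shows how the commands named in these sections fit together for inbound filtering of one eBGP peer. It is an added example, not taken from the XSR manual: the command forms are the ones given above, but the local AS 64496, the peer AS 64497, the RFC 5737 test addresses, the list numbers and names, and the exact syntax of the router bgp, neighbor remote-as, access-list, route-map and ip community-list lines are assumptions written in the Cisco-style form the XSR CLI uses. The example also assumes Cisco-style semantics that this page does not state: lists and route maps are evaluated first match wins and end with an implicit deny, `_` in an AS-path regular expression matches a delimiter between AS numbers, and a higher weight is preferred.

```text
! AS-path list 1: only paths consisting of nothing but the peer's own AS, i.e.
! routes the peer originated itself. Transit paths fall through to the
! implicit deny at the end of the list (the explicit deny makes that visible).
ip as-path access-list 1 permit ^64497$
ip as-path access-list 1 deny .*

! AS-path list 2: drop any path that already contains our AS (a looped or
! leaked copy of our own routes), accept everything else.
ip as-path access-list 2 deny _64496_
ip as-path access-list 2 permit .*

! Prefix ACL 10 for the distribute-list (assumed standard-ACL syntax with a
! wildcard mask): never accept our own 192.0.2.0/24 from the peer, accept the
! peer's 198.51.100.0/24, implicitly deny everything else. A distribute-list
! matches network numbers, not AS paths.
access-list 10 deny 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.0 0.0.0.255

! Community list 5: routes the peer tagged with 64497:100 (assumed AS:NN
! community notation).
ip community-list 5 permit 64497:100

! Route map: sequence 10 raises the weight of routes that match BOTH the
! peer-originated AS-path list and the community list (match clauses in one
! sequence are ANDed); sequence 20 has no match clause and admits the rest
! unchanged. Without sequence 20 the implicit deny would discard them.
route-map FROM-64497 permit 10
 match as-path 1
 match community-list 5
 set weight 200
route-map FROM-64497 permit 20

router bgp 64496
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 filter-list 2 in
 neighbor 203.0.113.2 distribute-list 10 in
 neighbor 203.0.113.2 route-map FROM-64497 in
```

Applied to this peer, an inbound route has to pass the AS-path filter-list and the prefix distribute-list and then the route map; a route rejected by any one of them is not installed. The filter-list and distribute-list here are the defensive layer (loop and own-prefix protection), while the route map only adjusts preference, so a mistake in the route map cannot admit a route the lists already rejected.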
