Enterasys Networks X-Pedition™ Access Control Lists, Filter Lists, Community Lists, Route Maps

Models: X-Pedition™


Overview

Access Control Lists

Access Control Lists (ACLs) are filters which permit or deny access to one or more IP addresses. ACLs generally apply to both route updates and packet filtering, but with BGP, route update filtering is emphasized. Prefix-based ACLs control access by specifying which IP addresses are permitted or denied via the network prefix number.

The XSR filters BGP advertisements as follows:

• With AS-path filters, using the ip as-path access-list and neighbor filter-list commands.

• With ACLs, using the neighbor distribute-list {access-list} {in | out} command.

Routing data the XSR learns or advertises can be filtered by controlling BGP routing updates through ACLs applied to the updates.

Note: Distribute-list filters are applied to network numbers, not AS paths.

Filter Lists

AS-path filter lists control access by specifying which AS paths to permit or deny. They are configured with the ip as-path access-list <ACL#> {permit | deny} as-regular-expression command. To further filter BGP paths by neighbor, use the neighbor filter-list access-list-number {in | out} command.

Community Lists

Community lists control access by specifying which communities are permitted or denied. Community-based ACLs are configured with the ip community-list command.

Route Maps

Route maps act with BGP to control and modify routing data and define the conditions by which routes are redistributed between routing domains. Route maps are similar to ACLs in that both have rules for matching packets and, when a match is found, act to permit or deny the packet. Route maps are flexible and powerful in that they not only match, permit and deny, but also change route attributes.

The XSR performs a match on AS-path, community, and network numbers for both incoming and outgoing updates with the match as-path, match community-list, and match ip address commands, respectively. You add a route map to in/outbound routes with the neighbor {ip-address | peer-group-name} route-map <route-map#> {in | out} command.

Refer to “BGP Community with Route Maps Examples” on page 6-26 for route-map examples.

Each route map consists of sets of instructions that include:

• A permit or deny statement

• A sequence number

• An optional match clause

• An optional set clause

Route maps used with BGP can perform the following:

• Apply a weight to a specific route with set weight
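
The following is an added example, not taken from the manual or from XSR software: a small Python model of how a route map built from the four parts listed above (permit/deny, sequence number, optional match clause, optional set clause) filters BGP updates and applies set weight. It assumes the common convention that entries are evaluated in ascending sequence order, the first matching entry decides, and a route matching no entry is denied; the class and function names, AS numbers, community and prefixes are constructed, Python regular expressions stand in for the router's AS-path expression syntax, and match ip address is simplified to a single covering prefix.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Route:
    prefix: str                        # e.g. "192.0.2.0/24"
    as_path: str                       # space-separated AS numbers
    communities: set = field(default_factory=set)
    weight: int = 0

@dataclass
class Entry:
    seq: int                           # sequence number
    action: str                        # "permit" or "deny"
    match_as_path: Optional[str] = None    # regex over the AS path
    match_community: Optional[str] = None  # community that must be present
    match_prefix: Optional[str] = None     # network the route must fall inside
    set_weight: Optional[int] = None       # optional set clause

def matches(e, r):
    """Every match clause present must hold; an entry with none matches all."""
    if e.match_as_path and not re.search(e.match_as_path, r.as_path):
        return False
    if e.match_community and e.match_community not in r.communities:
        return False
    if e.match_prefix:
        net = ipaddress.ip_network(e.match_prefix)
        if not ipaddress.ip_network(r.prefix).subnet_of(net):
            return False
    return True

def apply_route_map(entries, route):
    """Return the route (with set clauses applied) if permitted, else None."""
    for e in sorted(entries, key=lambda e: e.seq):
        if matches(e, route):
            if e.action == "deny":
                return None
            if e.set_weight is not None:
                route.weight = e.set_weight
            return route
    return None  # assumption: implicit deny when no entry matches

ROUTE_MAP = [  # constructed policy; all values below are samples
    Entry(10, "deny", match_as_path=r"(^| )65666( |$)"),   # unwanted transit AS
    Entry(20, "permit", match_community="65010:100", set_weight=200),
    Entry(30, "permit", match_prefix="198.51.100.0/24"),
]
```

Under the first-match assumption, the deny entry only protects against AS 65666 because its sequence number is lower than the permit entries; renumbering it above 20 would let a route carrying community 65010:100 through regardless of its AS path.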

6-12 Configuring the Border Gateway Protocol
