Access control lists, Filter lists, Community lists – Enterasys Networks Security Router X-PeditionTM User Manual


6-12 Configuring the Border Gateway Protocol

Access Control Lists

Access Control Lists (ACLs) are filters that permit or deny one or more IP addresses. In general, ACLs apply both to route updates and to packet filtering, but with BGP the emphasis is on filtering route updates. Prefix-based ACLs control access by specifying which network prefixes are permitted or denied.

The XSR filters BGP advertisements in two ways:

with AS-path filters, using the ip as-path access-list and neighbor filter-list commands.

with ACLs, using the neighbor distribute-list {access-list} {in | out} command.

Routing data the XSR learns or advertises can be filtered by applying ACLs to the BGP routing updates that carry it.

Filter Lists

AS-path filter lists control access by specifying which AS paths to permit or deny. They are configured with the ip as-path access-list <ACL#> {permit | deny} as-regular-expression command. To apply an AS-path filter to the updates exchanged with a particular neighbor, use the neighbor filter-list access-list-number {in | out} command.

Community Lists

Community lists control access by specifying which communities are permitted or denied. Community-based ACLs are configured with the ip community-list command.

Route Maps

Route maps work with BGP to control and modify routing data and to define the conditions under which routes are redistributed between routing domains. Route maps resemble ACLs in that both are ordered lists of rules that match on criteria and, when a match is found, permit or deny the matched route. Route maps are more flexible and powerful, however, because in addition to matching, permitting and denying, they can also change route attributes.

The XSR performs a match on AS-path, community, and network numbers for both incoming and outgoing updates with the match as-path, match community-list, and match ip address commands, respectively. You apply a route map to inbound or outbound routes with the neighbor {ip-address | peer-group-name} route-map <route-map#> {in | out} command.

Refer to “BGP Community with Route Maps Examples” on page 6-26 for route-map examples.

Each route-map entry includes:

A permit or deny statement

A sequence number

An optional match clause

An optional set clause

Route maps used with BGP can perform the following:

Apply a weight to a specific route with

set weight

Note: Distribute-list filters are applied to network numbers, not AS paths.
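The following is an added example, not code from the XSR or from this manual. It models, in Python, how the four filtering stages described above decide the fate of a BGP update from one neighbor: an AS-path filter-list (regular expression over the AS path), a prefix distribute-list, a community-list, and a route map whose ordered entries match and then set an attribute (here weight). The policy and the sample updates are constructed for illustration; the model assumes Cisco-style semantics that the page does not spell out, namely first-match-wins with an implicit deny at the end of every list and route map, a standard-ACL style prefix test (the route's network address is checked against the entry's network), a community-list entry matching when the route carries every community it names, and the underscore in an AS-path regular expression standing for an AS-number boundary.

```python
import ipaddress
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    """A BGP update as the filters see it (constructed sample data, not real XSR state)."""
    prefix: str                             # "10.1.0.0/16"
    as_path: tuple                          # (65001, 65002); leftmost AS is the neighbor
    communities: frozenset = frozenset()    # {"65001:100"}
    weight: int = 0


def _as_regex(pattern):
    # Assumption: Cisco-style '_' matches an AS-number boundary (start, end or a space).
    return pattern.replace("_", r"(?:^|$| )")


def as_path_permitted(acl, as_path):
    """ip as-path access-list / neighbor filter-list: first matching entry wins,
    implicit deny at the end.  acl = [("deny", "_65000_"), ("permit", ".*")]"""
    text = " ".join(str(asn) for asn in as_path)     # empty string for a locally originated route
    for action, pattern in acl:
        if re.search(_as_regex(pattern), text):
            return action == "permit"
    return False


def prefix_permitted(acl, prefix):
    """Prefix ACL used by neighbor distribute-list.  Assumption: standard-ACL style,
    the route's network address is tested against each entry's network."""
    net_addr = ipaddress.ip_network(prefix).network_address
    for action, network in acl:
        if net_addr in ipaddress.ip_network(network):
            return action == "permit"
    return False


def community_permitted(clist, communities):
    """ip community-list.  Assumption: an entry matches when the route carries every
    community the entry names; first match wins, implicit deny."""
    for action, required in clist:
        if set(required) <= set(communities):
            return action == "permit"
    return False


def apply_route_map(route_map, route):
    """Route-map evaluation: entries ordered by sequence number, every match clause of
    an entry must hold, the first matching entry decides.  permit applies the set
    clause and returns the (possibly modified) route; deny or no match returns None."""
    for seq, action, match, set_clause in sorted(route_map, key=lambda e: e[0]):
        ok = True
        if "as_path" in match:
            ok = ok and as_path_permitted(match["as_path"], route.as_path)
        if "community_list" in match:
            ok = ok and community_permitted(match["community_list"], route.communities)
        if "ip_address" in match:
            ok = ok and prefix_permitted(match["ip_address"], route.prefix)
        if not ok:
            continue
        return replace(route, **set_clause) if action == "permit" else None
    return None


def filter_update(policy, route):
    """Run one neighbor's inbound policy.  The page does not state the order in which the
    XSR applies the stages; because each stage can only deny or (for the route map) set
    attributes on a permitted route, the result does not depend on that order."""
    if "filter_list" in policy and not as_path_permitted(policy["filter_list"], route.as_path):
        return None
    if "distribute_list" in policy and not prefix_permitted(policy["distribute_list"], route.prefix):
        return None
    if "route_map" in policy:
        return apply_route_map(policy["route_map"], route)
    return route


# Constructed inbound policy for one neighbor (hypothetical names), corresponding to:
#   ip as-path access-list 1 deny _65000_  /  ip as-path access-list 1 permit .*
#   a prefix ACL 10 permitting only 10.0.0.0/8 (used as neighbor ... distribute-list 10 in)
#   ip community-list 1 permit 65001:100  /  ip community-list 2 permit 65001:666
#   route-map PEER1-IN permit 10: match community-list 1, set weight 200
#   route-map PEER1-IN deny 15:   match community-list 2
#   route-map PEER1-IN permit 20: match ip address 10
#   neighbor 192.0.2.1 filter-list 1 in / distribute-list 10 in / route-map PEER1-IN in
PEER1_IN = {
    "filter_list": [("deny", "_65000_"), ("permit", ".*")],
    "distribute_list": [("permit", "10.0.0.0/8")],
    "route_map": [
        (10, "permit", {"community_list": [("permit", {"65001:100"})]}, {"weight": 200}),
        (15, "deny", {"community_list": [("permit", {"65001:666"})]}, {}),
        (20, "permit", {"ip_address": [("permit", "10.0.0.0/8")]}, {}),
    ],
}

# Constructed sample updates received from the neighbor
SAMPLE_UPDATES = [
    Route("10.1.0.0/16", (65001,), frozenset({"65001:100"})),   # accepted, weight set to 200
    Route("10.2.0.0/16", (65001, 65002)),                       # accepted via seq 20, weight 0
    Route("10.3.0.0/16", (65001, 65000, 65003)),                # denied: AS 65000 in the path
    Route("192.168.0.0/16", (65001,)),                          # denied: outside 10.0.0.0/8
    Route("10.5.0.0/16", (65001,), frozenset({"65001:666"})),   # denied by route-map seq 15
]


def run_policy(policy=PEER1_IN, updates=SAMPLE_UPDATES):
    """Return {prefix: weight} for accepted updates; denied updates are absent."""
    accepted = {}
    for route in updates:
        result = filter_update(policy, route)
        if result is not None:
            accepted[result.prefix] = result.weight
    return accepted


if __name__ == "__main__":
    for prefix, weight in run_policy().items():
        print(prefix, "accepted, weight", weight)
```

Two details worth noticing in the model: the AS-path regular expression `_65000_` does not match a path containing AS 165000, because the underscore insists on a boundary on each side, and the idiom `^$` matches only the empty AS path, which is how locally originated routes are selected. The route map's deny entry at sequence 15 is reached only by routes that fall through sequence 10, which is why entry order, not the order of configuration lines, governs the outcome.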
