- Enterasys Security Router User's Guide

Overview
6-12 Configuring the Border Gateway Protocol
Access Control Lists
Access Control Lists (ACLs) are filters which permit or deny access to one or more IP addresses.
ACLs generally apply to both route updates and packet filtering but with BGP, route update
filtering is emphasized. Prefix-based ACLs control access by specifying which IP addresses are
permitted or denied via the network prefix number.
The XSR filters BGP advertisements as follows:
- with AS-path filters using the ip as-path access-list and neighbor filter-list commands.
- with ACLs using the neighbor distribute-list {access-list} {in | out} command.
Routing data the XSR learns or advertises can be filtered by controlling BGP routing updates
through ACLs applied to the updates.
Filter Lists
AS-path filter lists control access by specifying which AS paths to permit or deny. They are
configured with the ip as-path access-list <ACL#> {permit | deny} as-regular-expression
command. To further filter BGP paths by neighbor, use the
neighbor filter-list access-list-number {in | out} command.
Community Lists
Community lists control access by specifying which communities are permitted or denied.
Community-based ACLs are configured with the ip community-list command.
Route Maps
Route maps act with BGP to control and modify routing data and define the conditions by which
routes are redistributed between routing domains. Route maps are similar to ACLs in that they
both have rules for matching packets and, when matches are found, act to permit or deny the
packet. Route maps are flexible and powerful in that they not only match, permit and deny but
also change route attributes.
The XSR performs a match on AS-path, community, and network numbers for both incoming and
outgoing updates with the match as-path, match community-list, and match ip address
commands, respectively. You add a route map to in/outbound routes with the
neighbor {ip-address | peer-group-name} route-map <route-map#> {in | out} command.
Refer to “BGP Community with Route Maps Examples” on page 6-26 for route-map examples.
Each route map includes sets of instructions that include:
- A permit or deny statement
- A sequence number
- An optional match clause
- An optional set clause
Route maps used with BGP can perform the following:
- Apply a weight to a specific route with set weight
Note: Distribute-list filters are applied to network numbers, not AS paths.
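
The following Python model is an added example, not taken from the guide and not XSR code; it shows how the four parts of a route-map entry (permit or deny, sequence number, optional match clause, optional set clause) combine when an AS-path match and set weight are applied to an update. It assumes that entries are tried in ascending sequence order, that the first matching entry decides, that an update matching no entry is denied, and that "_" in an AS-path expression stands for a delimiter; the AS numbers, prefixes and weights are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    seq: int                              # sequence number
    action: str                           # "permit" or "deny"
    match_as_path: Optional[str] = None   # optional match clause (AS-path expression)
    set_weight: Optional[int] = None      # optional set clause


def as_path_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: "_" matches start of path, end of path, or the space between ASNs.
    return re.compile(pattern.replace("_", r"(?:^|$| )"))


def apply_route_map(entries, route):
    """Return the (possibly modified) route if permitted, or None if denied."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.match_as_path and not as_path_regex(e.match_as_path).search(route["as_path"]):
            continue                      # match clause failed: try the next entry
        if e.action == "deny":
            return None
        out = dict(route)                 # never mutate the received update
        if e.set_weight is not None:
            out["weight"] = e.set_weight
        return out
    return None                           # assumption: nothing matched -> denied


# Constructed policy: drop anything that transited AS 64512, prefer routes
# originated by AS 65010, accept the rest unchanged.
ROUTE_MAP = [
    Entry(20, "permit", r"_65010$", set_weight=200),
    Entry(10, "deny", r"_64512_"),
    Entry(30, "permit"),
]

# Constructed sample updates.
TRANSIT_64512 = {"prefix": "192.0.2.0/24", "as_path": "65001 64512 65010", "weight": 0}
ORIGIN_65010 = {"prefix": "198.51.100.0/24", "as_path": "65001 65010", "weight": 0}
OTHER = {"prefix": "203.0.113.0/24", "as_path": "65001 65020", "weight": 0}

if __name__ == "__main__":
    for r in (TRANSIT_64512, ORIGIN_65010, OTHER):
        print(r["prefix"], "->", apply_route_map(ROUTE_MAP, r))
```

The first update is dropped by sequence 10 even though it would also match sequence 20, which is why the order of sequence numbers matters when a deny entry is meant to override a later permit.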