ACLs Applied to a Filter Policy
About Filter Policy
A filter policy can use an ACL, an IP prefix list, or a route-policy to filter routes while they are being imported or exported.
Take OSPF as an example. As shown in the following figure, RTA has three routes: 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24.
If you do not want RTB to advertise the routes to 10.1.1.0/24 and 10.1.2.0/24, you can configure the following commands on RTB.
[RTB] acl 2000
[RTB-acl2000] rule 5 deny source 10.1.1.0 0.0.0.255
[RTB-acl2000] rule 10 deny source 10.1.2.0 0.0.0.255
[RTB-acl2000] rule 15 permit source any
[RTB] ospf 100
[RTB-ospf-100] filter-policy acl 2000 export
Matching Principle of ACLs Applied to a Filter-policy
| ACL Rule Matching Result | Processing Result of Filter-policy |
|---|---|
| Route matches a PERMIT rule | The route is imported or advertised |
| Route matches a DENY rule | The route is not imported or advertised |
| The ACL contains rules but none of them matches the route | The route is not imported or advertised |
| The ACL does not exist | All routes are imported or advertised |
| The ACL exists but contains no rules | No routes are imported or advertised |
If an Unsupported ACL Filter Option Is Applied to a Filter-policy
Only a numbered basic ACL (ACL number in the range 2000 to 2999) or a named ACL (ACL number in the range 42768 to 75535) can be applied to a filter-policy.
A numbered basic ACL or named ACL applied to a filter-policy supports only two matching options, source-address and time-range. Other options (such as destination-address and vpn-instance) are not supported.
If an unsupported matching option is configured in an ACL used by a filter-policy, the matching result of that option is "permit".
Example1
In the following configuration, all static routes are advertised to the BGP peer.
acl name example number 42768
 rule 5 deny ip destination 10.1.0.0 0.0.0.255
#
bgp 100
 ipv4-family unicast
  filter-policy acl-name example export
#
Example2
In the following configuration, only the static route 20.1.0.0/24 is advertised to the BGP peer. The "destination 10.1.0.0 0.0.0.255" option does not take effect.
acl name example number 42768
 rule 5 permit ip source 20.1.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
bgp 100
 ipv4-family unicast
  filter-policy acl-name example export
#
Example3
In the following configuration, routes to 10.1.0.0/24 cannot be advertised to any BGP VPNv4 peer, regardless of which L3VPN the denied routes belong to. The "vpn-instance vpnb" option does not take effect.
acl number 2000
 rule 5 deny ip source 10.1.0.0 0.0.0.255 vpn-instance vpnb
 rule 10 permit
#
route-policy policy1 permit node 10
 if-match acl example
#
bgp 100
 ipv4-family vpnv4
  filter-policy 2000 export
#
What is "Route Matches ACL Rule" in Filter-policy?
In a filter-policy, a route is considered to match an ACL rule if the route lies within the network segment defined by the source address and wildcard mask of that rule.
For example, with the following configuration, the routes 10.1.1.0/24, 10.1.1.0/25, and 10.1.1.0/30 lie within the segment 10.1.1.0/24, so they are considered to match the ACL rule. The route 10.1.1.0/16 does not match the rule because it extends beyond the segment 10.1.1.0/24.
acl number 2000
 rule 1 permit source 10.1.1.0 0.0.0.255
 rule 99 deny any
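The following Python model is an added example, not Huawei code, that implements the two behaviours described on this page: the processing results in the "Matching Principle" table (ACL missing, ACL empty, no rule matched, PERMIT or DENY rule matched) and the "route lies within the rule's segment" matching definition. It parses basic ACL rules in the `rule <id> permit|deny source <addr> <wildcard>` form used above and applies them to the RTB/OSPF scenario and to the 10.1.1.0 0.0.0.255 matching example. The containment check is written for arbitrary wildcard masks (an assumption that generalizes the contiguous-mask case on this page: every address of the route prefix must satisfy the rule's fixed bits). The "unsupported option" behaviour of the examples above is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


@dataclass
class AclRule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # dotted source address
    wildcard: str    # dotted wildcard mask (1 bits are "don't care")


def parse_rule(line: str) -> AclRule:
    """Parse a basic ACL rule line such as 'rule 5 deny source 10.1.1.0 0.0.0.255'.
    'rule 15 permit source any', 'rule 99 deny any' and 'rule 10 permit' all mean any source.
    An omitted wildcard (or a bare '0') means a single host."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action, rest = int(tok[1]), tok[2], tok[3:]
    if rest and rest[0] == "source":
        rest = rest[1:]
    if not rest or rest[0] == "any":
        return AclRule(rule_id, action, "0.0.0.0", "255.255.255.255")
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    if wildcard == "0":
        wildcard = "0.0.0.0"
    return AclRule(rule_id, action, rest[0], wildcard)


def route_matches_rule(prefix: str, rule: AclRule) -> bool:
    """True if the whole route prefix lies inside the segment defined by source/wildcard.
    For a contiguous wildcard this is plain range containment (10.1.1.0/25 is inside
    10.1.1.0 0.0.0.255, 10.1.1.0/16 is not); the bitwise form also covers non-contiguous masks."""
    net = ipaddress.ip_network(prefix, strict=False)
    route_net, route_mask = int(net.network_address), int(net.netmask)
    fixed = ~int(ipaddress.IPv4Address(rule.wildcard)) & MASK32  # bits the rule cares about
    # If the rule fixes a bit that varies across the route's host part, some addresses of the
    # route fall outside the segment, so the route as a whole does not match.
    if fixed & ~route_mask & MASK32:
        return False
    return (route_net & fixed) == (int(ipaddress.IPv4Address(rule.source)) & fixed)


def filter_policy(prefix: str, acl: Optional[List[AclRule]]) -> bool:
    """Return True if the filter-policy lets the route through, following the table on this page."""
    if acl is None:          # the ACL does not exist: all routes pass
        return True
    if not acl:              # the ACL exists but has no rules: no route passes
        return False
    for rule in sorted(acl, key=lambda r: r.rule_id):   # first matching rule wins
        if route_matches_rule(prefix, rule):
            return rule.action == "permit"
    return False             # rules exist but none matched: the route is filtered


def advertised_routes(routes: List[str], acl: Optional[List[AclRule]]) -> List[str]:
    return [p for p in routes if filter_policy(p, acl)]


# Constructed inputs reproducing the RTB example above: RTA's three routes and acl 2000 on RTB.
RTA_ROUTES = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
RTB_ACL_2000 = [parse_rule(l) for l in (
    "rule 5 deny source 10.1.1.0 0.0.0.255",
    "rule 10 deny source 10.1.2.0 0.0.0.255",
    "rule 15 permit source any",
)]

if __name__ == "__main__":
    print("RTB advertises:", advertised_routes(RTA_ROUTES, RTB_ACL_2000))
    rule1 = parse_rule("rule 1 permit source 10.1.1.0 0.0.0.255")
    for p in ("10.1.1.0/24", "10.1.1.0/25", "10.1.1.0/30", "10.1.1.0/16"):
        print(p, "matches rule 1:", route_matches_rule(p, rule1))
```

Running the script shows RTB advertising only 10.1.3.0/24, and the /24, /25 and /30 routes matching rule 1 while the /16 route does not, which is the outcome the text above describes.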