1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
*********
Filtering
*********
FRR provides many very flexible filtering features. Filtering is used
for both input and output of the routing information. Once filtering is
defined, it can be applied in any direction.
IP Access List
==============
.. clicmd:: access-list NAME [seq (1-4294967295)] <permit|deny> <A.B.C.D/M [exact-match]|any>
seq
seq `number` can be set either automatically or manually. In the
case that sequential numbers are set manually, the user may pick any
number less than 4294967295. In the case that sequential number are set
automatically, the sequential number will increase by a unit of five (5)
per list. If a list with no specified sequential number is created
after a list with a specified sequential number, the list will
automatically pick the next multiple of five (5) as the list number.
For example, if a list with number 2 already exists and a new list with
no specified number is created, the next list will be numbered 5. If
lists 2 and 7 already exist and a new list with no specified number is
created, the new list will be numbered 10.
Basic filtering is done by `access-list` as shown in the
following example.
.. code-block:: frr
access-list filter deny 10.0.0.0/9
access-list filter permit 10.0.0.0/8
access-list filter seq 13 permit 10.0.0.0/7
.. clicmd:: access-list NAME [seq (1-4294967295)] <deny|permit> ip <A.B.C.D A.B.C.D|host A.B.C.D|any> <A.B.C.D A.B.C.D|host A.B.C.D|any>
The extended access-list syntax enables filtering on both source and destination
IP addresses (or source and group, if used for multicast boundaries). The
source address is first in order in the command.
If providing a mask, note that the access-lists use wildcard masks (inverse
matching logic of subnet masks). If specifying ``host``, only the single address
given will be matched.
A basic example is as follows:
.. code-block:: frr
access-list filter seq 5 permit ip host 10.0.20.2 232.1.1.0 0.0.0.128
access-list filter seq 10 deny ip 10.0.20.0 0.0.0.255 232.1.1.0 0.0.0.255
access-list filter seq 15 permit ip any any
.. note ::
If an access-list is specified but no match is found, the default verdict
is deny.
.. clicmd:: show <ip|ipv6> access-list [json]
Display all IPv4 or IPv6 access lists.
If the ``json`` option is specified, output is displayed in JSON format.
.. clicmd:: show <ip|ipv6> access-list WORD [json]
Display the specified IPv4 or IPv6 access list.
If the ``json`` option is specified, output is displayed in JSON format.
IP Prefix List
==============
*ip prefix-list* provides the most powerful prefix based
filtering mechanism. In addition to *access-list* functionality,
*ip prefix-list* has prefix length range specification and
sequential number specification. You can add or delete prefix based
filters to arbitrary points of prefix-list using sequential number specification.
If no ip prefix-list is specified, it acts as permit. If *ip prefix-list*
is defined, and no match is found, default deny is applied.
.. clicmd:: ip prefix-list NAME (permit|deny) PREFIX [le LEN] [ge LEN]
.. clicmd:: ip prefix-list NAME seq NUMBER (permit|deny) PREFIX [le LEN] [ge LEN]
You can create *ip prefix-list* using above commands.
seq
seq `number` can be set either automatically or manually. In the
case that sequential numbers are set manually, the user may pick any
number less than 4294967295. In the case that sequential number are set
automatically, the sequential number will increase by a unit of five (5)
per list. If a list with no specified sequential number is created
after a list with a specified sequential number, the list will
automatically pick the next multiple of five (5) as the list number.
For example, if a list with number 2 already exists and a new list with
no specified number is created, the next list will be numbered 5. If
lists 2 and 7 already exist and a new list with no specified number is
created, the new list will be numbered 10.
le
Specifies prefix length. The prefix list will be applied if the prefix
length is less than or equal to the le prefix length.
ge
Specifies prefix length. The prefix list will be applied if the prefix
length is greater than or equal to the ge prefix length.
Less than or equal to prefix numbers and greater than or equal to
prefix numbers can be used together. The order of the le and ge
commands does not matter.
If a prefix list with a different sequential number but with the exact
same rules as a previous list is created, an error will result.
However, in the case that the sequential number and the rules are
exactly similar, no error will result.
If a list with the same sequential number as a previous list is created,
the new list will overwrite the old list.
Matching of IP Prefix is performed from the smaller sequential number to the
larger. The matching will stop once any rule has been applied.
In the case of no le or ge command, the prefix length must match exactly the
length specified in the prefix list.
.. _ip-prefix-list-description:
ip prefix-list description
--------------------------
.. clicmd:: ip prefix-list NAME description DESC
Descriptions may be added to prefix lists. This command adds a
description to the prefix list.
.. _showing-ip-prefix-list:
Showing ip prefix-list
----------------------
.. clicmd:: show ip prefix-list [json]
Display all IP prefix lists.
If the ``json`` option is specified, output is displayed in JSON format.
.. clicmd:: show ip prefix-list NAME [json]
Show IP prefix list can be used with a prefix list name.
If the ``json`` option is specified, output is displayed in JSON format.
.. clicmd:: show ip prefix-list NAME seq NUM [json]
Show IP prefix list can be used with a prefix list name and sequential
number.
If the ``json`` option is specified, output is displayed in JSON format.
.. clicmd:: show ip prefix-list NAME A.B.C.D/M
If the command longer is used, all prefix lists with prefix lengths equal to
or longer than the specified length will be displayed. If the command first
match is used, the first prefix length match will be displayed.
.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
.. clicmd:: show ip prefix-list summary [json]
.. clicmd:: show ip prefix-list summary NAME [json]
.. clicmd:: show ip prefix-list detail [json]
.. clicmd:: show ip prefix-list detail NAME [json]
.. clicmd:: debug prefix-list NAME match <A.B.C.D/M|X:X::X:X/M> [address-mode]
Execute the prefix list matching code for the specified list and prefix.
Shows which entry matched, if any. (``address-mode`` is used for
PIM RP lookups and skips prefix length checks.)
The return value from this command is success only if the prefix-list
result is to permit the prefix, so the command can be used in scripting.
Clear counter of ip prefix-list
-------------------------------
.. clicmd:: clear ip prefix-list [NAME [A.B.C.D/M]]
Clears the counters of all IP prefix lists. Clear IP Prefix List can be used
with a specified NAME or NAME and prefix.
|
