routeprotocol.com

BGP Access Control Lists

Access Control Lists (ACLs) are traditionally used for basic filtering of network packets passing through a router's interface. Access control lists can also provide classification for a number of other router features, such as identifying particular networks in a routing protocol like BGP.

An ACL consists of Access Control Entries (ACEs). These are entries that identify the network, the ports, and the action to be taken for traffic matching that network. Evaluation of the access control entries begins at the top of the access control list and works its way down until a matching entry is found. At the bottom of every access control list is a hidden ‘deny all’ access control entry.

Access control lists are separated into two categories: standard access control lists and extended access control lists.

Standard Access Control Lists

Standard access control lists match rules based only on the source network.

Standard access control lists are defined with a number from 1 to 99 or from 1300 to 1999, or as a named ACL.

A standard access control list can be defined using the command ip access-list standard followed by the relevant ACL number or name.

Extended Access Control Lists

Extended access control lists match rules based on the source network, destination network, packet protocol, network port, or a combination of these attributes.

Extended access control lists use a number from 100 to 199 or from 2000 to 2699, or a named ACL.

An extended access control list can be defined using the command ip access-list extended followed by the relevant ACL number or a chosen name.

ACL Use With Interior Routing Protocols

Access control lists can be used with routing protocols to select networks. The source fields of the access control list identify the network, and the destination fields identify the smallest prefix length in the network range.

Examples

permit ip any any – Permits all networks

permit ip host 192.168.0.0 host 255.255.0.0 – Permits all networks in the 192.168.0.0/16 range

permit ip host 192.168.0.0 host 255.255.255.0 – Permits all networks in the 192.168.0.0/24 range

permit ip host 192.168.0.1 – Permits only the host address 192.168.0.1

ACL Use With Border Gateway Protocol

Access control list behaviour differs between BGP and the IGP routing protocols. With BGP, the source field matches the network portion of the route, and the destination field matches the network mask.

Examples

permit ip 192.168.0.0 0.0.0.0 255.255.0.0 0.0.0.0 – Matches only the 192.168.0.0/16 network

permit ip 192.168.0.0 0.0.255.0 255.255.255.0 0.0.0.0 – Matches any 192.168.X.0 network with a prefix length of exactly /24 (a subnet mask of 255.255.255.0)

permit ip 192.168.0.0 0.0.255.255 255.255.255.0 0.0.0.255 – Matches any 192.168.X.X network with a /24 to /32 prefix length

permit ip 192.168.0.0 0.0.255.255 255.255.255.128 0.0.0.127 – Matches any 192.168.X.X network with a /25 to /32 prefix length
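As an added illustration (not part of the original post), the following Python reproduces the BGP matching rule described above: each ACE's source address and wildcard are compared with the route's network address, the destination address and wildcard with the route's mask, entries are evaluated top-down, and the hidden deny-all applies when nothing matches. The ACL lines are constructed for this example and reuse two of the entries shown above, with a deny entry placed first to show that order matters.

```python
import ipaddress

# Constructed ACL in the wildcard form used above (first match wins).
BGP_ACL = [
    "deny ip 192.168.100.0 0.0.0.0 255.255.255.0 0.0.0.0",          # block this one /24
    "permit ip 192.168.0.0 0.0.255.0 255.255.255.0 0.0.0.0",        # any 192.168.X.0/24
    "permit ip 192.168.0.0 0.0.255.255 255.255.255.128 0.0.0.127",  # 192.168.X.X, /25 to /32
]

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _wildcard_match(value, base, wildcard):
    # Bits set in the wildcard are "don't care"; all other bits must equal base.
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (base & care)

def parse_ace(line):
    """Split 'permit ip <src> <src-wc> <dst> <dst-wc>' into its fields."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    return action, _to_int(src), _to_int(src_wc), _to_int(dst), _to_int(dst_wc)

def evaluate(acl, prefix):
    """Return (action, ace_number) for a route; ace_number 0 means the implicit deny."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    addr, mask = int(net.network_address), int(net.netmask)
    for number, line in enumerate(acl, start=1):
        action, src, src_wc, dst, dst_wc = parse_ace(line)
        # Source fields test the network address, destination fields test the mask.
        if _wildcard_match(addr, src, src_wc) and _wildcard_match(mask, dst, dst_wc):
            return action, number
    return "deny", 0  # hidden 'deny all' at the bottom of every ACL

if __name__ == "__main__":
    for route in ["192.168.100.0/24", "192.168.10.0/24", "192.168.10.128/25",
                  "192.168.10.5/32", "192.168.0.0/16", "10.0.0.0/8"]:
        print(route, "->", evaluate(BGP_ACL, route))
```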
