
Introduction
There are many instances when you need to control the sending and receiving of route updates and packets. Prefix and access lists are filters that enable you to choose which updates or packets are permitted or denied. Filters can be:
- Updates accepted/rejected from or advertised to neighbors
- Packets allowed to access the server
- Inbound Packets forwarded across the fabric
- Outbound Packets forwarded across the fabric
Access lists consist of a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied. Access lists apply to both route update and packet filtering.
There are two forms of access list: standard and extended. Standard access lists provide the ability to permit or deny traffic based upon a single source or destination IP address or a set of them. Standard access lists can be used for server inbound and outbound packets and route updates.
Extended access lists provide the ability to permit or deny traffic based upon an eight-tuple set of attributes including both source and destination IP addresses, protocol, source and destination port, type of service, length of packet and fragmentation. Extended access lists can be used for all IP packet filtering and must be used for IP and IP-encapsulated MPLS packets that traverse the fabric. Extended access lists provide for the assignment of a sample rate. Any sampled access list may be port mirrored to an interface or to Netflow. Extended access lists can also be rate limited based upon the received bandwidth.
There are two commands available for access list creation: access-list or ip access-list command.
NOTE Only extended access-lists can be used to filter data traffic that traverses the fabric. Only standard access-lists are used for inbound and outbound server based filtering.
The attributes available to these commands are the same. The differences between the two commands are as follows:
- The access-list command allows for a single access list entry per command line. The ip access-list command enters a standard or extended access list configuration mode. Each line in the access list configuration mode is an additional access list entry.
- An access list configured using the access-list command is filtered at the server. An access list configured using the ip access-list command is filtered at the module. The module can handle much heavier loads than the server. Because of the loads involved, all IP packet filtering that traverses the fabric must be filtered using the ip access-list in extended mode.
Access lists are supported on POS, Giga-Bit Ethernet, Composite-link, Aggregate-link and VLAN interfaces.
Prefix lists are a more efficient form of access list in that they provide control of list sequencing and greater-than-or-equal-to/less-than-or-equal-to prefix length ranges. Prefix lists apply to route update filtering.
Netflow is a means of collecting and exporting packet summaries to an external collector. Collected summaries can be used by applications that analyze the data on the collector and provide traffic usage statistic and profiling information. Netflow is supported for both IP and MPLS flows.
NOTE IPriori packet filtering supports both unicast and multicast ACL entries. Netflow supports both unicast and multicast traffic.
IP Prefix Lists
Prefix lists provide for the filtering of updates to and from a peer on the basis of network prefixes. Prefix lists are easier to use and more efficient than access lists. Like an access list, a prefix list filters by permitting and denying updates based upon a specified prefix and mask. Prefix lists also provide for the association of a sequence number and a prefix length range with a specified prefix and mask.
The sequence number determines the order of lookup, allowing heavily used prefixes to be looked up earlier than less used prefixes. If a sequence number is not specified, a sequence number is assigned with a value of the highest assigned sequence number plus 5. Sequence numbers can be assigned consecutively, but doing so eliminates the ability to add entries within the consecutive range later.
Range can be any mask length value up to 32 within a greater-than-or-equal-to and less-than-or-equal-to assignment. You can specify a greater-than-or-equal-to assignment with the high end defaulting to 32, you can specify a less-than-or-equal-to assignment with the low end defaulting to the beginning of the mask, or you can specify both boundaries.
Create, add members, and a description to a prefix list using the ip prefix-list command.
Display a prefix list using the show ip prefix-list command.
Example: The following example builds a prefix list named boston-ny and associates the Boston-NY_Priority description with it:
- The first list input names the prefix list boston-ny and permits prefix filtering of updates for 10.10.10.0/24. The sequence number defaults to 5 because it is the first entry and the sequence number is not specified in the command line. Prefixes permitted by this line would be values 10.10.10.0 through 10.10.10.255.
- The second prefix list entry associates the description Boston-NY_Priority with the boston-ny list.
- The next prefix list entry permits prefix filtering of updates for 20.20.20.0/16 and assigns a sequence number of 6 to this prefix entry. Prefixes permitted by this line would be values 20.20.0.0 through 20.20.255.255.
- The next prefix list entry permits prefix filtering of updates for 30.30.0.0/16 for all prefixes of length greater-than-or-equal-to 25. The sequence number for this entry defaults to 11 because the previous highest listing is 6, and the command line does not specify a sequence number. Prefixes permitted by this line would be values 30.30.0.0 through 30.30.255.255.
- The final prefix list entry permits prefix filtering of updates for 40.40.40.0/24 for all prefixes of lengths 24 and lengths greater-than-or-equal-to 26 and less-than-or-equal-to 30. The sequence number for this entry defaults to 16 because the previous highest listing is 11, and the command line does not specify a sequence number.
- The show ip prefix-list command, in privileged mode, displays the configuration details for each configured list on this Avici router.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip prefix-list boston-ny permit 10.10.10.0/24
router(config)#ip prefix-list boston-ny description Boston-NY_Priority
router(config)#ip prefix-list boston-ny seq 6 permit 20.20.20.0/16
router(config)#ip prefix-list boston-ny permit 30.30.0.0/16 ge 25
router(config)#ip prefix-list boston-ny permit 40.40.40.0/24 ge 26 le 30
router(config)#end
router#show ip prefix-list
SEQUENCED IP prefix list boston-ny description Boston-NY_Priority
seq 5 permit 10.10.10.0/24
seq 6 permit 20.20.20.0/16
seq 11 permit 30.30.0.0/16 ge 25
seq 16 permit 40.40.40.0/24 ge 26 le 30
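To make the sequencing and ge/le rules above concrete, here is an added worked example; it is not Avici/IPriori code and is not from this manual. It parses the boston-ny commands exactly as typed above and evaluates candidate prefixes against the resulting list. The class and function names are the example's own. Two points are assumptions: an entry with neither ge nor le is read, following the range rule above, as matching only that exact prefix length, and a prefix that matches no entry is denied (the implicit deny that the page states for access lists).

```python
from ipaddress import IPv4Network

# Added example (not Avici/IPriori code): a model of the prefix-list rules
# described above: default sequence numbers (highest + 5), ge/le prefix-length
# ranges, ordered lookup, and (an assumption) an implicit deny when no entry matches.
class PrefixList:
    def __init__(self, name):
        self.name = name
        self.description = None
        self.entries = []  # (seq, action, IPv4Network, low_len, high_len)

    def add(self, action, prefix, seq=None, ge=None, le=None):
        net = IPv4Network(prefix, strict=False)  # 20.20.20.0/16 -> 20.20.0.0/16
        if seq is None:
            # no seq given: highest assigned sequence number plus 5 (first entry gets 5)
            seq = max((e[0] for e in self.entries), default=0) + 5
        # ge alone: range is ge..32; le alone: range is mask length..le;
        # neither: the entry matches that exact prefix length only (assumption)
        low = ge if ge is not None else net.prefixlen
        high = le if le is not None else (32 if ge is not None else net.prefixlen)
        if not net.prefixlen <= low <= high <= 32:
            raise ValueError(f"bad length range {low}..{high} for {net}")
        self.entries.append((seq, action, net, low, high))
        self.entries.sort(key=lambda e: e[0])  # lookup order is sequence order
        return seq

    def evaluate(self, prefix):
        """Return (action, seq) of the first matching entry, or ('deny', None)."""
        cand = IPv4Network(prefix, strict=False)
        for seq, action, net, low, high in self.entries:
            if cand.subnet_of(net) and low <= cand.prefixlen <= high:
                return action, seq
        return "deny", None  # implicit deny (assumption)


def load_prefix_list_cli(lines):
    """Parse 'ip prefix-list NAME ...' lines, as typed on the page, into PrefixLists."""
    lists = {}
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        name = tok[2]
        pl = lists.setdefault(name, PrefixList(name))
        rest = tok[3:]
        if rest[0] == "description":
            pl.description = " ".join(rest[1:])
            continue
        seq = ge = le = None
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        action, prefix, rest = rest[0], rest[1], rest[2:]
        while rest:  # optional 'ge N' / 'le N' pairs
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
        pl.add(action, prefix, seq=seq, ge=ge, le=le)
    return lists


# The boston-ny list exactly as configured on the page
BOSTON_NY_CLI = [
    "ip prefix-list boston-ny permit 10.10.10.0/24",
    "ip prefix-list boston-ny description Boston-NY_Priority",
    "ip prefix-list boston-ny seq 6 permit 20.20.20.0/16",
    "ip prefix-list boston-ny permit 30.30.0.0/16 ge 25",
    "ip prefix-list boston-ny permit 40.40.40.0/24 ge 26 le 30",
]


def boston_ny():
    return load_prefix_list_cli(BOSTON_NY_CLI)["boston-ny"]


if __name__ == "__main__":
    pl = boston_ny()
    print(f"prefix list {pl.name} description {pl.description}")
    for seq, action, net, low, high in pl.entries:
        print(f"  seq {seq} {action} {net} length {low}..{high}")
    for p in ["10.10.10.0/24", "10.10.10.128/25", "20.20.0.0/16",
              "30.30.1.0/25", "30.30.0.0/16", "40.40.40.64/28"]:
        print(f"  {p:>16} -> {pl.evaluate(p)}")
```

Running the script prints the four entries with sequence numbers 5, 6, 11 and 16, as in the show ip prefix-list output above, followed by the decision for each candidate; note that 30.30.0.0/16 itself is denied by the ge 25 entry because only prefixes of length 25 or more fall in its range.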
Types of Access Lists
There are five types of access lists:
- Prefix based access lists enable you to control access by specifying which IP addresses are permitted or denied by network prefix number. Prefix based access lists are created using the access-list or ip access-list commands.
- As-path based access lists enable you to control access by specifying which Autonomous System (AS) paths to permit or deny. As-path based access lists are created using the ip as-path access-list command.
- Community based access lists enable you to control access by specifying which communities are permitted or denied. Community based access lists are created using the ip community-list command.
- Packet-based access lists, used for packet filtering, allow you to specify the types of inbound packets that can access the server, inbound IP or MPLS packets that can cross the fabric, outbound IP packets that can cross the fabric, or server sourced packets that can exit the router. Packet based access lists are created using either the access-list or ip access-list command. Inbound and outbound server packets can be filtered using the access-list command or the ip access-list command in both standard and extended mode. Inbound and outbound IP packets forwarded across the fabric and inbound IP encapsulated MPLS packets can be filtered using the ip access-list command in extended mode.
- QoS-based access-lists provide a second-stage packet lookup of specified QoS characteristics when a first-stage non-QoS access-list is present. The QoS based access-list can be applied without the first-stage access-list being present, and first-stage access-lists do not require a second-stage access-list be present. The ip access-list qos command provides:
- An 8-tuple permit and deny for IP packets at the ingress interface.
- An 8-tuple IP classification for QoS remarking.
- A QoS based ACL for forwarding IP and MPLS packets across the fabric.
The first three forms of access lists are used to filter updates. The method you choose depends on your network configuration.
Both Packet-based and QoS-based access lists are used to control packets. In extended mode the following attributes are available:
- Source/Destination Address
- Source/Destination Port
- TOS Byte
- Length
- Protocol
- Packet fragment
Additionally, Packet-based access lists support:
- Sample rate
- Rate limit of received bandwidth
Figure 6-1 displays an example of update filtering using access lists.
Figure 6-1. Access list
In Figure 6-1, an inbound access list on Router A is used to block updates about AS 200 from being accepted by AS 100. The access list can selectively block updates from a single host address, a range of addresses, a subnetwork, an entire network, or all updates sent by a peer.
PROCEDURE: Use the following steps to define and apply access lists:
Step 1 Define the access lists using the appropriate filtering command: access-list, ip access-list, ip as-path access-list, and ip community-list commands.
Step 2 If you are using a route map to apply an access list, define the route map using the route-map, match and set commands.
Step 3 If you are using the access list to apply route updates, use the neighbor distribute-list, neighbor filter-list or route-map commands.
Step 4 If you are using access lists to apply packet filtering to an interface, use the ip access-group command in interface configuration mode.
An access list may be used by multiple BGP peers or route maps. Access lists can be applied to both inbound and outbound route updates.
Ordering Entries in an Access List
Each route update or packet is passed through the access list. When a route update or packet matches an entry in the access list, the decision to permit or deny is made, and no further rules are processed. Each route update or packet is tested against the entries in the access list in the order in which the entries appear. These behaviors make the order in which entries appear in an access list very important.
Example: Let's say that you want to permit access for all networks except network 10.5.10.0. The following example defines an access list named ISP2-nw that denies access to 10.5.10.0 and permits all other prefixes:
router(config)#access-list ISP2-nw deny 10.5.10.0
router(config)#access-list ISP2-nw permit any
A route update from network 10.5.10.0 matches the first entry in the access list, the route is denied, and processing ends.
However, if the order of entries in the access list is reversed:
router(config)#access-list ISP2-nw permit any
router(config)#access-list ISP2-nw deny 10.5.10.0
A route update from any network, including 10.5.10.0, matches the first entry in the access list, the route is permitted, and processing ends. The second entry in the access list is never applied to the route update, and the update from network 10.5.10.0 is inadvertently permitted.
The order of entries in the access list is also important for performance reasons. Long access lists consume processing resources. We recommend listing the entries that have the greatest likelihood of being matched before the entries with the smallest likelihood of being matched. This order reduces the average time BGP spends processing each route as it passes through an access list.
CAUTION Be careful when creating and applying access lists on remote routers. For example, let us say that the telnet session you are using to configure a remote router is attached to network 10.10.10.0. If you specify an access list on the remote router that denies access to network 10.10.10.0, the access list blocks any further connection to your console.
Maintaining Access Lists
You cannot modify an existing access list in your configuration file. Instead, you must use the no option to delete the list and then retype the entire list. We recommend you keep your access lists in separate files that can be cut and pasted into your configuration file.
Prefix Based Access Lists
Both the ip access-list and access-list commands enable you to create prefix based access lists identified by numbers or alpha-numeric names. Names make it easier to remember how the access list operates.
The format for creating standard access lists using the access-list command is as follows:
access-list list-name {permit|deny} {prefix} prefix-dont-care-bits
The permit and deny keywords specify if routes that match the entry are advertised (outgoing updates) or accepted (inbound updates).
The prefix parameter is the IP address of the network or host. The router compares routes being tested to this value. Specify the prefix using one of the following formats:
- A 32-bit IP address in dotted decimal format.
- The keyword any, which specifies a prefix and prefix-dont-care-bits of 0.0.0.0 255.255.255.255.
- The keyword host followed by the host address in dotted decimal notation, which specifies prefix-dont-care-bits of 0.0.0.0.
The prefix-dont-care-bits parameter is the network mask applied to the prefix address. The format for the prefix-dont-care-bits is a 32-bit IP address in dotted decimal notation.
The format for creating either a standard or extended access list using the ip access-list command is as follows:
ip access-list {standard|extended} name
The ip access-list command changes the command mode from router configuration mode to access list configuration mode; the access-list command does not.
In the following example, the access-list command creates a standard access list. The command is simply repeated using the same access list name (Boston_Inbound) to add new rules to the list. The access list allows access only for one system, one network and one subnet whose IP addresses appear in the list:
router(config)#access-list Boston_Inbound permit 10.5.1.121 0.0.0.255
router(config)#access-list Boston_Inbound permit 120.0.0.0 0.255.255.255
router(config)#access-list Boston_Inbound permit 128.20.0.0 0.0.255.255
In the following example, the ip access-list command creates the same standard access list as above. Notice that the command mode changes from router configuration mode to access list configuration mode and that the syntax for adding entries to the list is slightly different from the syntax for the access-list command:
router(config)# ip access-list standard Boston_Inbound
router(config-std-nacl)#permit 10.5.1.121 0.0.0.255
router(config-std-nacl)#permit 120.0.0.0 0.255.255.255
router(config-std-nacl)#permit 128.20.0.0 0.0.255.255
If a route's IP address is not included in the list, that route is denied access. This implicit deny is appended to all access lists.
With the implicit deny written out, the first example really looks like:
router(config)#access-list Boston_Inbound permit 10.5.1.121 0.0.0.255
router(config)#access-list Boston_Inbound permit 120.0.0.0 0.255.255.255
router(config)#access-list Boston_Inbound permit 128.20.0.0 0.0.255.255
router(config)#access-list Boston_Inbound deny any
Prefix based access lists are applied to route updates using the neighbor distribute-list and route-map commands.
Standard vs. Extended Prefix Based Access Lists
There are two basic types of prefix based access lists: standard and extended. Standard access lists control routing based on the route's prefix. Extended access lists control routing based on the route's prefix and mask.
You can use the access-list and the ip access-list commands to create both extended and standard access lists. The format for creating an extended access list using the ip access-list command is the same as the format for creating a standard access list except that the extended instead of the standard parameter is used.
The format for creating an extended access list using the access-list command is as follows:
access-list list-name {permit|deny} ip prefix prefix-dont-care-bits mask mask-dont-care-bits
The three additional parameters are:
- The ip parameter indicates that this is an extended access list.
- The mask parameter is the IP address of the network or host to which the packet is being sent (the destination address). Specify the address using one of the following formats:
- A 32-bit IP address in dotted decimal format.
- The keyword any to specify an address and dont-care-bits of 0.0.0.0 255.255.255.255.
- The keyword host followed by the host address in dotted decimal notation to specify dont-care-bits of 0.0.0.0.
- The mask-dont-care-bits parameter is the network mask applied to the mask address. The format for the mask-dont-care-bits is a 32-bit IP address in dotted decimal notation.
For example, in the following extended access list:
access-list SP1_12 permit ip 172.5.1.121 0.0.0.255 10.0.0.0 0.255.255.255
access-list SP1_12 permit ip 172.5.1.122 0.0.0.255 10.10.5.0 0.0.0.255
The first line permits routes with an address of 172.5.1.121 and a mask of 10.0.0.0.
The second line permits routes with an address of 172.5.1.122 and a mask 10.10.5.0/24.
Use the host keyword when the network mask for either the source or destination address is 0.0.0.0. The keyword is added before the address.
access-list SP1_12 permit ip 172.5.1.121 0.0.0.0 10.12.14.16 0.0.0.0
The above example can also be written as:
access-list SP1_12 permit ip host 172.5.1.121 host 10.12.14.16
Similarly, use the any keyword when the prefix/mask for filtered networks is 0.0.0.0 255.255.255.255.
access-list SP1_12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
The above example can also be written as:
access-list SP1_12 permit ip any any
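The ordering rule, the implicit deny and the standard and extended entry formats described in the sections above are easy to get wrong when reading a list by eye, so here is an added evaluator as a worked example; it is not code from this manual or from Avici. It parses access-list lines in the forms shown on this page (any, host, address plus dont-care bits, and the extended ip prefix/mask form), tests a route against the entries in the order they were entered, and falls through to the implicit deny. One assumption: an entry written without dont-care bits, as in deny 10.5.10.0 above, is treated as an exact match. Function and constant names are the example's own.

```python
from ipaddress import IPv4Address

# Added example (not Avici/IPriori code): evaluates the access lists configured
# on this page. Entries are tested in configured order, the first match decides,
# and a list that matches nothing falls through to the implicit 'deny any'.


def _looks_like_address(tok):
    try:
        IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_address(tokens, i):
    """Read one address spec at tokens[i]; return (value, dontcare_bits, next_index)."""
    tok = tokens[i]
    if tok == "any":                      # same as 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":                     # same as ADDR 0.0.0.0
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    value = int(IPv4Address(tok))
    if i + 1 < len(tokens) and _looks_like_address(tokens[i + 1]):
        return value, int(IPv4Address(tokens[i + 1])), i + 2
    # no dont-care bits given (as in 'deny 10.5.10.0'): assumed to mean an exact match
    return value, 0, i + 1


def parse_access_lists(lines):
    """Parse 'access-list NAME permit|deny ...' lines into {name: [entries]}.

    Standard entry: (action, (prefix, dontcare), None)
    Extended entry: (action, (prefix, dontcare), (mask, mask_dontcare))
    """
    lists = {}
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            continue
        name, action, rest = tok[1], tok[2], tok[3:]
        extended = rest[0] == "ip"        # the 'ip' keyword marks an extended entry
        i = 1 if extended else 0
        p_val, p_dc, i = _parse_address(rest, i)
        m_spec = None
        if extended:
            m_val, m_dc, i = _parse_address(rest, i)
            m_spec = (m_val, m_dc)
        lists.setdefault(name, []).append((action, (p_val, p_dc), m_spec))
    return lists


def _matches(addr_text, spec):
    """True when addr equals spec's address in every bit that is not a dont-care bit."""
    value, dontcare = spec
    return ((int(IPv4Address(addr_text)) ^ value) & ~dontcare & 0xFFFFFFFF) == 0


def evaluate(entries, prefix, mask=None):
    """Return (action, position) of the first matching entry, or ('deny', None)."""
    for pos, (action, p_spec, m_spec) in enumerate(entries):
        if not _matches(prefix, p_spec):
            continue
        # an extended entry also needs the route's mask to match
        if m_spec is not None and (mask is None or not _matches(mask, m_spec)):
            continue
        return action, pos
    return "deny", None   # the implicit deny appended to every list


def decide(lines, prefix, mask=None):
    """Evaluate the single access list configured by LINES for one route."""
    (entries,) = parse_access_lists(lines).values()
    return evaluate(entries, prefix, mask)


# The lists from this page, in the order they were entered
ISP2_NW = ["access-list ISP2-nw deny 10.5.10.0", "access-list ISP2-nw permit any"]
ISP2_NW_REVERSED = list(reversed(ISP2_NW))
BOSTON_INBOUND = [
    "access-list Boston_Inbound permit 10.5.1.121 0.0.0.255",
    "access-list Boston_Inbound permit 120.0.0.0 0.255.255.255",
    "access-list Boston_Inbound permit 128.20.0.0 0.0.255.255",
]
SP1_12 = [
    "access-list SP1_12 permit ip 172.5.1.121 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list SP1_12 permit ip 172.5.1.122 0.0.0.255 10.10.5.0 0.0.0.255",
]

if __name__ == "__main__":
    print("ISP2-nw as written, 10.5.10.0:", decide(ISP2_NW, "10.5.10.0"))
    print("ISP2-nw reversed, 10.5.10.0:", decide(ISP2_NW_REVERSED, "10.5.10.0"))
    print("Boston_Inbound, 192.168.1.0:", decide(BOSTON_INBOUND, "192.168.1.0"))
    print("SP1_12, 172.5.1.5 mask 10.0.0.0:", decide(SP1_12, "172.5.1.5", "10.0.0.0"))
```

The reversed ISP2-nw list returns permit at position 0 for 10.5.10.0, which is the ordering mistake the text warns about; 192.168.1.0 against Boston_Inbound returns ('deny', None), meaning no entry matched and the implicit deny applied.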
Applying Prefix Based Access Lists Using Distribute-List
Access lists by themselves do not change routing behavior. Access lists must be "applied" to route updates to take effect. You must use the neighbor distribute-list command to apply prefix based access lists to connections between neighbors or peer groups.
Let's say that you wanted to accept only a few routes advertised by a specific neighbor. In Figure 6-2, Router A advertises all the routes it knows to Router B.
Figure 6-2. Applying an Access List
An inbound access list on Router B accepts only some of the routes advertised by Router A. In the configuration below:
- The access-list commands create an access list named chicago_inbound to permit routes from 1 host and 2 network prefixes.
- On Router B, the neighbor distribute-list command applies the access list chicago_inbound to updates coming from neighbor 121.80.100.4.
router(config)#access-list chicago_inbound permit 10.5.1.121 0.0.0.255
router(config)#access-list chicago_inbound permit 128.20.0.0 0.0.255.255
router(config)#access-list chicago_inbound permit 120.0.0.0 0.255.255.255
router(config)#access-list chicago_inbound deny any
Configuration for Router B:
router(config)#router bgp 101
router(config-router)#network 121.80.0.0
router(config-router)#neighbor 121.80.100.4 remote-as 101
router(config-router)#neighbor 121.80.100.4 distribute-list chicago_inbound in
Only those routes permitted by access list chicago_inbound are accepted from neighbor 121.80.100.4. All other routes are denied.
NOTE If you specify a distribute list with a specific peer, you override any existing distribute list defined for a peer group that includes that peer.
If you use the neighbor distribute-list command more than once specifying the same peer or peer group, only the last access list specified is applied.
If you use the neighbor distribute-list command to apply an access list that does not exist, all routes from that neighbor are permitted.
Applying Prefix Based Access Lists Using Route Maps
Route maps consist of a list of match and set commands. The match commands specify match criteria for identifying routes and the set commands specify the action taken if the match criteria are met.
During route processing, if a match is found, the route is processed according to the conditions defined by the set commands.
If a match criterion is met and the route map entry is a permit, the route is processed as defined by the set commands and route-map processing is complete. If a match criterion is met and the entry is a deny, the route is not advertised and route-map processing is complete.
You can use route maps to apply prefix based access lists to control how routes are advertised.
Using our first example:
router(config)#access-list Boston_Inbound permit 10.5.1.121 0.0.0.255
router(config)#access-list Boston_Inbound permit 128.20.0.0 0.0.255.255
router(config)#access-list Boston_Inbound permit 120.0.0.0 0.255.255.255
router(config)#access-list Boston_Inbound deny any
You can define a route map to apply the rules in access list Boston_Inbound to updates sent or received from a neighbor or peer group.
In the following example:
- The route-map command creates a route map named test.
- The match ip address command specifies that only routes that pass the access list named Boston_Inbound are permitted.
router(config)#route-map test permit 10
router(config-route-map)#match ip address Boston_Inbound
Route maps may refer to multiple access lists:
router(config)#route-map test permit 10
router(config-route-map)#match ip address Boston_Inbound
router(config-route-map)#match ip address NY_In
Routes that appear in either access list are matched and modified by the accompanying set commands. The following syntax for referring to more than one access list in a route map is also valid:
router(config)#route-map test permit 10
router(config-route-map)#match ip address Boston_Inbound NY_In
The order in which multiple access lists are referenced is not significant.
Route maps are applied to routing updates using the neighbor route-map command.
router(config)#router bgp 100
router(config-router)#network 170.100.0.0
router(config-router)#neighbor 125.181.1.5 remote-as 171
router(config-router)#neighbor 125.181.1.5 route-map test in
Inbound route updates from neighbor 125.181.1.5 that match entries in access lists Boston_Inbound and NY_In are processed according to any set commands in route map test. Route updates without a matching entry in the access list are not accepted.
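The clause processing described in this section (clauses tried in sequence order, the first clause whose match criteria are met deciding, set commands applied on permit, a deny clause dropping the route, and a route matching no clause not being accepted) is modelled in the following added example. It is not this manual's or Avici's code. To keep it self-contained, access lists are abstracted as the set of prefixes each one permits; that table, the set community line added to route map test, and the second route map block_ny are constructed for the example, and the names are the example's own.

```python
# Added example (not Avici/IPriori code): how a route map processes a route.
# Access lists are abstracted as the set of prefixes each one permits (an
# assumption made so the example needs no access-list parser).

ACCESS_LISTS = {  # constructed: the prefixes each named access list permits
    "Boston_Inbound": {"10.5.1.0/24", "120.0.0.0/8", "128.20.0.0/16"},
    "NY_In": {"172.16.0.0/16"},
}


class RouteMap:
    def __init__(self, name):
        self.name = name
        self.clauses = []

    def add_clause(self, seq, action):
        clause = {"seq": seq, "action": action, "match": [], "set": {}}
        self.clauses.append(clause)
        self.clauses.sort(key=lambda c: c["seq"])   # processed in sequence order
        return clause

    def apply(self, route, access_lists=ACCESS_LISTS):
        """Return (decision, clause sequence, resulting route) for one route."""
        for clause in self.clauses:
            names = clause["match"]
            # several 'match ip address' lists: the route need only appear in one of them
            if names and not any(route["prefix"] in access_lists[n] for n in names):
                continue
            if clause["action"] == "deny":
                return "deny", clause["seq"], dict(route)   # not advertised, processing ends
            updated = dict(route)
            updated.update(clause["set"])   # set commands run only on a permit clause
            return "permit", clause["seq"], updated
        return "deny", None, dict(route)    # no clause matched: the route is not accepted


def load_route_map_cli(lines):
    """Parse 'route-map', 'match ip address' and 'set community' lines as typed on the page."""
    route_map = current = None
    for line in lines:
        tok = line.split()
        if tok[0] == "route-map":                     # route-map NAME permit|deny SEQ
            route_map = route_map or RouteMap(tok[1])
            current = route_map.add_clause(int(tok[3]), tok[2])
        elif tok[:3] == ["match", "ip", "address"]:   # one or more access-list names
            current["match"].extend(tok[3:])
        elif tok[:2] == ["set", "community"]:
            current["set"]["community"] = " ".join(tok[2:])
    return route_map


TEST_CLI = [                    # route map test from the page, plus a constructed set command
    "route-map test permit 10",
    "match ip address Boston_Inbound NY_In",
    "set community local-as",
]
BLOCK_NY_CLI = [                # constructed: drop NY_In routes, accept everything else
    "route-map block_ny deny 10",
    "match ip address NY_In",
    "route-map block_ny permit 20",
]


def run(cli, prefix):
    """Build the route map from CLI lines and apply it to a route with the given prefix."""
    return load_route_map_cli(cli).apply({"prefix": prefix})


if __name__ == "__main__":
    for prefix in ["10.5.1.0/24", "172.16.0.0/16", "192.168.0.0/16"]:
        print("test:", prefix, "->", run(TEST_CLI, prefix))
        print("block_ny:", prefix, "->", run(BLOCK_NY_CLI, prefix))
```

For route map test, a prefix in either Boston_Inbound or NY_In is permitted by clause 10 and leaves with the community set; 192.168.0.0/16 matches no clause and is reported as denied with no clause sequence, which is the "not accepted" outcome the text describes.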
Configuring Prefix-lists for Match IP Address
The match ip address command supports specifying a prefix-list using the prefix-list keyword followed by the prefix-list name. If the prefix-list keyword is not specified, the command expects an access-list name only.
Example: In the following example:
- The ip prefix-list command creates a prefix-list named boston-ny
- The route-map command creates a route map named boston and specifies a sequence number 1.
- The match ip address command adds a match clause to the route map to match routes permitted by prefix-list boston-ny.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip prefix-list boston-ny permit 10.10.10.0/24
router(config)#ip prefix-list boston-ny description Boston-NY_Priority
router(config)#ip prefix-list boston-ny seq 6 permit 20.20.20.0/16
router(config)#ip prefix-list boston-ny permit 30.30.0.0/16 ge 25
router(config)#ip prefix-list boston-ny permit 40.40.40.0/24 ge 26 le 30
router(config)#route-map boston permit 1
router(config-route-map)#match ip address prefix-list boston-ny
router(config-route-map)#end
router#show route-map
route-map boston, permit, sequence 1
  Match clauses:
    ip address prefix-lists: boston-ny
  Set clauses:
router#
AS-Path Access Lists
When a route update passes through an AS, that AS's number is prepended to the update. The AS path (as-path) is this list of ASs that the route has passed through to reach a destination. AS-path access lists enable you to control routing updates based on values in the as-path.
If you want to control route updates passing to or from an AS, filtering based on as-path is more efficient than filtering by IP address.
Figure 6-3. AS Path Filtering
In Figure 6-3, an access list prevents routes updates from AS 500 from being forwarded to AS 300.
As-path based access lists behave in the same way as prefix based access lists. As-path access lists are created using the ip as-path access-list command and applied using the neighbor filter-list or route-map commands.
Example: The following example creates an as-path access list named 'sfco_inbound' to permit only those routes that include paths that originate from or pass through ASs 234 and 345:
router(config)#ip as-path access-list sfco_inbound permit _234_
router(config)#ip as-path access-list sfco_inbound permit _345_
router(config)#ip as-path access-list sfco_inbound deny any
About Regular Expressions
In the example above, the notations _234_ and _345_ are 'regular expressions.' A regular expression is a pattern used to match against an input string. Define a regular expression to match entries in the as-path. In our example, we wanted to match any route update that included the entries 234 or 345 anywhere in the as-path of the update. The underscore characters enclosing as-path values indicate that the values can occur anywhere in the as-path. The table below describes the special characters and components you can use to create regular expressions.
The following table provides sample regular expressions:
Applying AS-path Access Lists Using Filter-List
Use the neighbor filter-list command to apply the rules in an as-path access list to route updates.
In the following example:
- The ip as-path access-list commands create an as-path access list named 'isp2_inbound' to permit only those routes that include paths that originate from (nnn$) ASs 234 and 345.
- The neighbor filter-list command specifies that only paths from ASs 234 and 345 (as specified by access list isp2_inbound) are advertised to external neighbor 125.181.1.5.
router(config)#ip as-path access-list isp2_inbound permit _234$
router(config)#ip as-path access-list isp2_inbound permit _345$
router(config)#ip as-path access-list isp2_inbound deny any
router(config)#router bgp 100
router(config-router)#neighbor 125.181.1.5 remote-as 171
router(config-router)#neighbor 125.181.1.5 filter-list isp2_inbound out
Applying AS-path Access Lists Using Route Maps
In addition to the neighbor filter-list command, you can also use route maps to apply as-path access lists to routing updates.
In the following example:
- The ip as-path access-list commands create an as-path access list named permitr&d that permits only routes that have passed through AS 411 or originated from AS 401.
- The route-map command creates a route map named accessr&d.
- The match as-path command adds the rules defined in as-path access list permitr&d to the route map.
- The neighbor route-map command applies the route map to updates sent to neighbor 125.181.1.5.
router(config)#ip as-path access-list permitr&d permit _411_
router(config)#ip as-path access-list permitr&d permit ^401
router(config)#ip as-path access-list permitr&d deny .*
router(config)#route-map accessr&d permit 10
router(config-route-map)#match as-path permitr&d
router(config)#router bgp 100
router(config-router)#network 170.100.0.0
router(config-router)#neighbor 125.181.1.5 remote-as 171
router(config-router)#neighbor 125.181.1.5 route-map accessr&d out
Outbound route updates to neighbor 125.181.1.5 that match entries in as-path access list permitr&d are processed according to any set commands in the route map. Route updates without a matching as-path are not advertised.
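The three as-path access lists in this section (sfco_inbound, isp2_inbound and permitr&d) differ only in how their regular expressions are anchored, so the following added example evaluates each of them against sample AS paths; it is not Avici's or this manual's code. The underscore notation from the regular expression section is expanded the way Cisco-style platforms do it, which is an assumption: an underscore stands for the start or end of the path, a space, a comma, or a brace or parenthesis, so _234_ finds AS 234 anywhere in the path but does not match inside 1234. The page writes the catch-all entry as both deny any and deny .*; the example treats any as .*, also an assumption. The sample paths are constructed, and the names are the example's own.

```python
import re

# Added example (not Avici/IPriori code): evaluating as-path access lists.
# '_' is expanded as on Cisco-style platforms (assumption): start or end of the
# path, a space, a comma, or a brace/parenthesis.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def compile_as_path_pattern(pattern):
    # the page writes the catch-all as 'deny any' or 'deny .*'; both are treated
    # as match-everything here (assumption)
    if pattern == "any":
        pattern = ".*"
    return re.compile(pattern.replace("_", UNDERSCORE))


class AsPathAccessList:
    def __init__(self, name):
        self.name = name
        self.entries = []  # (action, pattern, compiled regex), in configured order

    def add(self, action, pattern):
        self.entries.append((action, pattern, compile_as_path_pattern(pattern)))

    def evaluate(self, as_path):
        """The first entry whose pattern is found in the path decides: (action, pattern)."""
        for action, pattern, regex in self.entries:
            if regex.search(as_path):
                return action, pattern
        return "deny", None  # implicit deny (assumption, as for the other list types)


def load_as_path_cli(lines):
    """Parse 'ip as-path access-list NAME permit|deny PATTERN' lines."""
    lists = {}
    for line in lines:
        tok = line.split()
        if tok[:3] != ["ip", "as-path", "access-list"]:
            continue
        name, action, pattern = tok[3], tok[4], " ".join(tok[5:])
        lists.setdefault(name, AsPathAccessList(name)).add(action, pattern)
    return lists


PAGE_CLI = [  # the three lists configured on the page
    "ip as-path access-list sfco_inbound permit _234_",
    "ip as-path access-list sfco_inbound permit _345_",
    "ip as-path access-list sfco_inbound deny any",
    "ip as-path access-list isp2_inbound permit _234$",
    "ip as-path access-list isp2_inbound permit _345$",
    "ip as-path access-list isp2_inbound deny any",
    "ip as-path access-list permitr&d permit _411_",
    "ip as-path access-list permitr&d permit ^401",
    "ip as-path access-list permitr&d deny .*",
]
LISTS = load_as_path_cli(PAGE_CLI)


def decide(list_name, as_path):
    """as_path is the AS_PATH as a space-separated string, nearest AS first (constructed input)."""
    return LISTS[list_name].evaluate(as_path)


if __name__ == "__main__":
    samples = ["100 234 300", "1234 5", "100 200 234", "100 234 200", "401 411 500", "500 401"]
    for name in LISTS:
        for path in samples:
            print(f"{name:>13} {path!r:>16} -> {decide(name, path)}")
```

The output shows the difference between the patterns: _234_ in sfco_inbound permits both "100 234 300" and "100 200 234", while _234$ in isp2_inbound permits only the path that ends in 234; "1234 5" is denied by both because 234 is embedded in a longer AS number, and ^401 matches only when 401 is the first AS in the path.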
Community Based Access Lists
Another method of filtering routes is community based access lists. The community attribute is a transitive, optional attribute that provides a way to group destinations into a community and then apply routing decisions to those communities.
A given destination can belong to more than one community. Aggregate routes include a community attribute that contains the communities of the initial routes. Like other access lists, community-lists can be used in the match clause of route maps.
There are two types of community identifiers:
- Integers that identify specific communities by an assigned number
- Keywords that identify commonly used community properties. These keywords and their meanings are:
- no-export - Do not advertise this route outside a BGP confederation boundary.
- no-advertise - Do not advertise this route to any peers.
- local-as - Do not advertise this route to external peers.
- internet - Advertise this route to all members of the internet.
PROCEDURE: There are seven steps to using the community attribute to control routing:
Step 1 Use the route-map command to create a route map.
Step 2 Use the set community route map configuration command to add the community attribute to route updates.
Step 3 Use the neighbor send-community command to include the community attribute in route updates sent to neighbors or peer groups.
Step 4 Use the ip community-list to create a community based access list.
Step 5 Use the route-map command to create a route map.
Step 6 Use the match community-list route map configuration command to identify community access list as the match criteria for the route map.
Step 7 Use the neighbor route-map command to apply the route map and its associated community access list to updates to neighbors and peer groups.
Figure 6-4. Community Access Lists
In Figure 6-4 Router A is configured with a route map to set the community attribute to local-as (Do not advertise this route to external peers). The neighbor send-community command adds the community attribute to updates sent to Router B. The community attribute prevents Router B from advertising the routes to an external peer (Router C).
Adding the Community Attribute to Route Updates
The community attribute is added to route updates using the set community route map configuration command.
In the following example:
- The route-map command is used to create a route map named set_community.
- The match as-path command specifies that only routes that match the criteria defined in an as-path access list named 3 are accepted.
- The set community command specifies that any routes that match the criteria defined in as-path access list 3 have their community attribute set to local-as:
router(config)#route-map set_community permit
router(config-route-map)#match as-path 3
router(config-route-map)#set community local-as
All routes that pass as-path access list 3 have the community attribute added to their route updates. The local-as keyword specifies that the route is not advertised outside the local AS.
In this second example, the community attribute is set to 300 500 additive:
router(config)#route-map community_300_500
router(config-route-map)#match as-path 3
router(config-route-map)#set community 300 500 additive
The additive keyword specifies that the value 300 500 is added to an existing community value before being sent to the neighbor. (If no community value exists, additive adds the community attribute, using the specified value, to the updates.)
Sending the Community Attribute to Neighbors
Unlike other attributes, community is an optional attribute that is not included in route updates by default. You must configure your BGP speakers to include the community attribute in route updates.
Example: In the following example, the neighbor send-community command is used to send the community attribute in route updates to a neighbor.
router(config)#router bgp 300
router(config-router)#network 10.5.1.0
router(config-router)#neighbor 10.5.5.5 remote-as 200
router(config-router)#neighbor 10.5.5.5 send-community
router(config-router)#neighbor 10.5.5.5 route-map community_300_500 out
Route updates to neighbor 10.5.5.5 include the community attribute as specified by the route map community_300_500.
Once you have configured a route map to add the community attribute to route updates and specified that peers include the community attribute in their route updates, you can create an access list to control the distribution of route updates based on the community attribute.
The following example creates a community-list named permit70s that permits routing updates from communities numbered 71 - 73, and rejects all other routes:
router(config)#ip community-list permit70s permit 71
router(config)#ip community-list permit70s permit 72
router(config)#ip community-list permit70s permit 73
router(config)#ip community-list permit70s deny any
The following syntax is also accepted:
router(config)#ip community-list permit70s permit 71 72 73
router(config)#ip community-list permit70s deny any
Configuring an IP Community-list Description
A text description of up to 255 characters can be associated with an IP community-list using the description keyword. Only one description can be associated with a given community-list. The last description entered will be used. Entering another description for a given community-list overwrites a previous description.
Use the ip community-list list-name description command to specify a description to be associated with this list.
Use the no ip community-list list-name description command to delete a description associated with this community-list.
Applying Community Based Access Lists
Like other types of access lists, a community access list is applied to route updates using a route map.
In the following example:
- The route-map command is used to create a route map named setmetric.
- The match community command specifies that only routes that match the criteria defined in ip community access list 13 are accepted.
- The neighbor route-map command applies the route map to outbound route updates to neighbor 125.181.1.5.
router(config)#route-map setmetric 10 permit
router(config-route-map)#match community 13
router(config)#router bgp 100
router(config-router)#network 170.100.0.0
router(config-router)#neighbor 125.181.1.5 remote-as 171
router(config-router)#neighbor 125.181.1.5 route-map setmetric out
Outbound route updates to neighbor 125.181.1.5 that match entries in community list 13 are processed according to any set commands in the route map. Route updates without a matching community attribute are not advertised.
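The community handling described above (set community with and without additive, neighbor send-community, the local-as value, and a community-list applied through an outbound route map) as an added Python model; this is not IPriori code, and Route, Neighbor, build_update and the PERMIT70S entries are constructed for illustration.

```python
from dataclasses import dataclass, field, replace

LOCAL_AS = "local-as"   # well-known community: do not advertise outside the local AS

@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = frozenset()

@dataclass
class Neighbor:
    address: str
    local_as: int
    remote_as: int
    send_community: bool = False                    # off by default, as stated above
    out_list: list = field(default_factory=list)    # community-list behind the outbound route map

def set_community(route, values, additive=False):
    """'set community <values> [additive]': additive merges, otherwise the value replaces."""
    new = frozenset(values)
    return replace(route, communities=route.communities | new if additive else new)

def community_list_permits(entries, route):
    """'ip community-list' entries evaluated in order; a route no entry matches is denied."""
    for action, value in entries:
        if value == "any" or value in route.communities:
            return action == "permit"
    return False

def build_update(route, nbr):
    """Return the update sent to nbr, or None when the route is withheld."""
    if nbr.out_list and not community_list_permits(nbr.out_list, route):
        return None                                 # no matching community: not advertised
    if LOCAL_AS in route.communities and nbr.remote_as != nbr.local_as:
        return None                                 # local-as never leaves the local AS
    comms = route.communities if nbr.send_community else frozenset()
    return replace(route, communities=comms)

# Constructed: the permit70s list from the text in its one-entry-per-line form.
PERMIT70S = [("permit", "71"), ("permit", "72"), ("permit", "73"), ("deny", "any")]
```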
Packet Filtering Access Lists
Packet filtering allows you to protect the Avici router from Denial of Service (DoS) attacks by controlling the types of:
- Inbound packets that can access the server
- Inbound IP and IP encapsulated MPLS packets that can cross the fabric
- Outbound IP packets that can cross the fabric
- Server sourced packets that can exit the router
In standard mode, packet filtering can operate on a single source or destination address or on a set of them. Standard mode can only be used for server-based inbound and outbound packets. Any packets traversing the fabric must use extended mode.
In extended mode there are eight header fields that packet filtering can operate on: source address, destination address, protocol, source port, destination port, TOS byte, IP length, and fragment. IPriori provides two basic tools to configure packet filtering. Access lists provide for the grouping of permit and deny entries into lists. The access group associates access lists with specific interfaces.
Configuring a Packet Filtering Access List
There are two distinct steps to configuring access lists to filter packets:
- Define the access lists using the access-list or ip access-list command.
- Apply the access list to a specific interface using the ip access-group command.
NOTE When configuring access lists, all access lists have an implicit deny-all as a last rule. If an uncreated or empty access list is applied to an interface, it will drop traffic until rules are applied to the list. To ensure that the list operates as desired, first create the access list and add the appropriate rules before applying the access list to the interface.
Packet filtering access lists are lists of rules with a permit or deny statement on each line. Packets identified by a permit statement are allowed if the conditions in the rule are met. Packets identified by a deny statement are dropped if the conditions in the rule are met.
If a packet does not match any rule in an applied access list, the packet is denied access: an implicit deny statement is appended to all access lists.
The syntax of an access-list command depends upon the packet protocol. The supported protocols are: TCP, UDP, ICMP, IGMP, IP, OSPF, and PIM. Using the ip keyword filters all internet protocols including ICMP, TCP, and UDP. Possible syntax attributes are detailed in Table 6-3. See the access-list or ip access-list command information in the IPriori CLI Reference Guide (Vol. 2) for access list entry syntax by protocol.
Packet filtering takes place at the server when using the access-list command. Packet filtering takes place at the module when using the ip access-list command.
IPriori allows for the entry of up to 4K access lists per port and 8K access lists per module depending upon the complexity of the access list. Counter memory resources may not be sufficient to provide counters for the number of access lists supported. IPriori allocates counters while resources are available and will automatically allocate subsequent access lists without counters.
Sampling, Rate Limiting, and Mirroring Filtered Packets
Any number of named sample rates can be configured. A named sample rate can be applied to an access list entry as a ratio of 1 over the number of packets to be sampled (1/x where x is the entered rate). Use the sample command in configuration mode to configure a named sample rate to be applied to an access list.
If an access list is configured for sampling, and the interface is configured for port mirroring, a copy of the complete sampled packet is sent to the interface or netflow specified by the mirror command.
Received packets can be rate limited at up to 4 Gb per second of received traffic. Once the rate limit is reached, all other packets for the remainder of the second are dropped. Use the rate-limit command in configuration mode to specify the rate limit in bits per second for this router's interfaces.
The following example:
- Configures a sample rate named 1in200 to 1 in every 200 packets and applies it to access-list netFlowACL.
- Configures a rate-limit named rate2gb for 2 gigabits.
- Applies the configured sample rate and rate-limit to the access-list netFlowACL.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#sample 1in200 200
router(config)#rate-limit rate2gb 2147483647
router(config)#ip access-list extended netFlowACL
router(config-ext-acl)#permit ip any any sample 1in200 rate-limit rate2gb
router(config-ext-acl)#end
router#
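An added Python model, not IPriori code, of the access-list semantics in this section and of the sampling and rate-limit example above: ordered permit/deny entries where the first match decides, the implicit deny-all that also makes an empty list drop everything, 1-in-x sampling and a per-second rate limit. The SERVER_ACL entries, addresses and function names are constructed for illustration.

```python
from ipaddress import ip_network, ip_address
from collections import namedtuple
Packet = namedtuple("Packet", "proto src dst dport")  # constructed packet record

def rule(action, proto, src="any", dst="any", dport=None):
    """One access-list entry: src/dst are 'any' or a CIDR, proto 'ip' matches all IP."""
    to_net = lambda a: None if a == "any" else ip_network(a)
    return (action, proto, to_net(src), to_net(dst), dport)

def matches(r, pkt):
    action, proto, src, dst, dport = r
    return (proto in ("ip", pkt.proto)
            and (src is None or ip_address(pkt.src) in src)
            and (dst is None or ip_address(pkt.dst) in dst)
            and (dport is None or dport == pkt.dport))

def filter_packet(acl, pkt):
    """Entries are tried in order and the first match decides; no match, including
    the empty-list case from the NOTE above, falls through to the implicit deny-all."""
    for r in acl:
        if matches(r, pkt):
            return r[0]
    return "deny"

class Sampler:
    """'sample <name> <x>': every x-th packet hitting the entry is copied (1/x)."""
    def __init__(self, x):
        self.x, self.seen = x, 0
    def hit(self):
        self.seen += 1
        return self.seen % self.x == 0

class RateLimiter:
    """'rate-limit <name> <bps>': once the bits accepted in the current second reach
    the limit, the rest of that second's packets are dropped; the window then resets."""
    def __init__(self, bps):
        self.bps, self.sec, self.used = bps, None, 0
    def accept(self, bits, now):
        if int(now) != self.sec:
            self.sec, self.used = int(now), 0
        if self.used + bits > self.bps:
            return False
        self.used += bits
        return True

# Constructed server-protecting list: BGP only from the peer block, OSPF, drop the rest.
SERVER_ACL = [
    rule("permit", "tcp", src="192.0.2.0/24", dport=179),
    rule("permit", "ospf"),
    rule("deny", "ip"),
]
```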
Packet Filtering Attributes
You can control packets based on a variety of attributes. The attributes available for any given command line syntax are protocol dependent. The packet attributes and their valid values are as follows: