Access list entries determine if networks are allowed or denied in specific contexts used in various routing daemons. For example, an access list may be used to determine if a route is accepted or rejected, or for limiting routes distributed to neighbors.
Access lists are managed on the Access Lists tab under Services > FRR Global/Zebra.
Access List Configuration
To create a new access list, click Add from the Access Lists tab.
The top section of the page sets data about the access list itself:
- Type
The type of access list, which can be one of:
Standard: A standard access list can match source addresses only.
Extended: An extended access list can match source or destination addresses.
Zebra: A Zebra access list is similar to an Extended list, but also supports IPv6.
- IP Version
The IP version to match using this access list, either
- Name
The name of this access list, which will be visible in drop-down lists throughout FRR wherever an access list can be selected.
The allowed names depend upon the chosen type, and are limited to:
Numbers up to 1999 for standard access lists.
Numbers up to 2699 for extended access lists.
Text names for zebra access lists.
- Description
A text comment to describe this access list.
Access List Entries
The Access list entries list contains rules which govern the behavior of the list. An access list can have multiple rules. To add more entries to the list, click Add.
- Sequence
The order of entries inside an access list is important, and that order is determined by this sequence number.
Each rule in an access list must have a unique sequence number. Best practice is to leave gaps in the sequence to allow for adding rules in the future. For example, use 30, rather than
The order of rules displayed in the GUI may differ from the order set by the sequence numbers. The sequence number order is the true order in which rules are evaluated.
- Action
The action to take for this rule, either
- Source Network
The source IP prefix to match for this rule, given in network/prefix notation. For example,
- Source Any
When set, the Source Network is ignored and any source will match the rule.
- Destination Network
The destination IP prefix to match for this rule, given in network/prefix notation. For example,
- Destination Any
When set, the Destination Network is ignored and any destination will match the rule.
- Exact Match
When set, the rule matches only if a network prefix matches exactly, rather than also matching networks contained within the specified prefix.
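As an added illustration (not code from the FRR package or its documentation), the Python below evaluates a prefix against a set of entries the way the text above describes: entries are walked in sequence-number order regardless of the order they were entered, a Source Any entry matches everything, Exact Match accepts only the prefix itself rather than anything contained within it, and duplicate sequence numbers are reported. The `AclEntry` structure and function names are assumptions made for the example, as is the default deny applied to a prefix that matches no entry.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class AclEntry:
    """One access list entry, mirroring the GUI fields (hypothetical model)."""
    sequence: int
    action: str                 # "permit" or "deny"
    source: str = ""            # network/prefix notation, ignored if source_any
    source_any: bool = False    # Source Any: match any source
    exact_match: bool = False   # Exact Match: prefix must match exactly


def entry_matches(entry, prefix):
    """True if the given ip_network object satisfies this entry's source test."""
    if entry.source_any:
        return True
    candidate = ip_network(entry.source, strict=False)
    if candidate.version != prefix.version:   # IPv4 rule never matches IPv6 prefix
        return False
    if entry.exact_match:
        return prefix == candidate            # only the prefix itself
    return prefix.subnet_of(candidate)        # prefix contained within the entry


def evaluate(entries, prefix_str):
    """Return the action of the first matching entry in sequence order."""
    prefix = ip_network(prefix_str, strict=False)
    for entry in sorted(entries, key=lambda e: e.sequence):   # true evaluation order
        if entry_matches(entry, prefix):
            return entry.action
    return "deny"   # assumption for this example: nothing matched, so deny


def find_duplicate_sequences(entries):
    """Sequence numbers used by more than one entry (each must be unique)."""
    seen, dupes = set(), set()
    for e in entries:
        (dupes if e.sequence in seen else seen).add(e.sequence)
    return sorted(dupes)


# Constructed sample list, deliberately in "GUI order" rather than sequence order.
SAMPLE_ACL = [
    AclEntry(30, "permit", source_any=True),
    AclEntry(10, "deny", "10.0.0.0/8", exact_match=True),
    AclEntry(20, "deny", "192.168.0.0/16"),
]

if __name__ == "__main__":
    for p in ("10.0.0.0/8", "10.1.0.0/16", "192.168.5.0/24"):
        print(p, "->", evaluate(SAMPLE_ACL, p))
```

Because seq 10 is an exact match, 10.0.0.0/8 is denied but the more specific 10.1.0.0/16 falls through to the permit-any entry at seq 30.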