Access Lists

Access list entries determine if networks are allowed or denied in specific contexts used in various routing daemons. For example, an access list may be used to determine if a route is accepted or rejected, or for limiting routes distributed to neighbors.

Access lists are managed on the Access Lists tab under Services > FRR Global/Zebra.

Access List Configuration

To create a new access list, click Add from the Access Lists tab.

The top section of the page sets data about the access list itself:

Type:

The type of access list, which can be one of:

Standard:

A standard access list can match source addresses only.

Extended:

An extended access list can match source or destination addresses.

Zebra:

A Zebra access list is similar to an Extended list, but supports IPv6.

IP Version:

The IP version to match using this access list, either IPv4 or IPv6.

Name:

The name of this access list, which will be visible in drop-down lists throughout FRR where access lists can be selected.

The allowed names depend upon the chosen type, and are limited to:

  • 1-99 or 1300-1999 for standard access lists.

  • 100-199 or 2000-2699 for extended access lists.

  • Text names for zebra access lists.

Description:

A text comment to describe this access list.

Access List Entries

The Access list entries list contains rules which govern the behavior of the list. An access list can have multiple rules. To add more entries to the list, click Add.

Sequence:

The order of entries inside access lists is important, and the order is determined by this sequence number.

Each rule in an access list must have a unique sequence number. Best practice is to leave gaps in the sequence to allow for adding rules in the future. For example, use 10, 20, 30, rather than 1, 2, 3.

Warning

The order of rules displayed in the GUI may differ from the order set by the sequence numbers. The sequence number order is the true order in which rules are evaluated.

Action:

The action to take for this rule, either permit or deny.

Source Network:

The source IP prefix to match for this rule, given in network/prefix notation. For example, 192.168.0.0/16.

Source Any:

When set, the Source Network is ignored and any source will match the rule.

Destination Network:

The destination IP prefix to match for this rule, given in network/prefix notation. For example, 192.168.0.0/16.

Destination Any:

When set, the Destination Network is ignored and any destination will match the rule.

Exact:

When set, the rule matches only if a network prefix is identical to the specified prefix, rather than also matching networks contained within that prefix.
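As an added example (not part of the pfSense or FRR documentation), the following Python evaluator models the entry semantics described above: entries are evaluated by sequence number rather than by display order, Source Any bypasses the prefix match, and Exact requires an identical prefix instead of containment. It assumes FRR's implicit deny when no entry matches; the entries and routes are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One access list entry, mirroring the GUI fields described above."""
    sequence: int
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # network/prefix, ignored when source_any is set
    source_any: bool = False
    exact: bool = False


def entry_matches(entry: Entry, route: str) -> bool:
    """Return True if this single entry matches the route prefix."""
    if entry.source_any:
        return True
    net = ipaddress.ip_network(entry.source, strict=False)
    candidate = ipaddress.ip_network(route, strict=False)
    if net.version != candidate.version:   # IPv4 entry never matches an IPv6 route
        return False
    if entry.exact:
        return candidate == net            # Exact: prefix and length must be identical
    return candidate.subnet_of(net)        # default: any prefix contained in the entry


def evaluate(entries: List[Entry], route: str, honor_sequence: bool = True) -> str:
    """Walk the list in sequence order (or, for contrast, in display order) and
    return the action of the first matching entry. Assumed implicit deny at the end."""
    ordered = sorted(entries, key=lambda e: e.sequence) if honor_sequence else entries
    for entry in ordered:
        if entry_matches(entry, route):
            return entry.action
    return "deny"


# Constructed list, deliberately stored in an order that differs from its sequence numbers,
# as the Warning above notes the GUI display may do.
ACCESS_LIST = [
    Entry(20, "permit", "192.168.0.0/16"),
    Entry(10, "deny", "192.168.1.0/24"),
    Entry(30, "permit", source_any=True),
]

# Constructed list showing the Exact flag: only the /16 itself matches, not its subnets.
EXACT_LIST = [Entry(10, "permit", "192.168.0.0/16", exact=True)]

if __name__ == "__main__":
    for route in ("192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/8"):
        print(route, evaluate(ACCESS_LIST, route), evaluate(ACCESS_LIST, route, honor_sequence=False))
```

Running it shows 192.168.1.0/24 denied when sequence order is honored but permitted when the entries are read in display order, which is exactly the mistake the Warning above cautions against.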