Tip: This is the documentation for the 20.02 version. Looking for the documentation of the latest version? Have a look here.
Dynamic Routing Access Lists
Access List entries determine if networks are allowed or denied in specific contexts used in various routing daemons. For example, an access list may be used to determine if a route is accepted or rejected, or for limiting routes distributed to neighbors.
The order of entries inside access lists is important, and this order is determined by a sequence number.
Access List Configuration
To create a new access list, use the route dynamic access-list <name> command, which enters config-access-list mode:
tnsr(config)# route dynamic access-list myacl
tnsr(config-access-list)#
config-access-list mode contains the following commands:
- remark <text>: A text comment to describe this access list.
- sequence <sequence-number> (permit|deny) <ip-prefix>: Creates a new rule with the specified sequence number to permit or deny a given prefix.
  - sequence <sequence-number>: The sequence number for this rule, which controls the order in which rules are matched inside this access list. Each rule in an access list must have a unique sequence number. Best practice is to leave gaps in the sequence to allow for adding rules in the future. For example, use 10, 20, 30, rather than 1, 2, 3.
  - (permit|deny): The action to take for this rule, either permit or deny.
  - <ip-prefix>: The IP prefix to match for this rule, given in network/prefix notation. For example, 192.168.0.0/16.
Access List Example
For example, the following ACL would deny 192.168.0.0/16 but permit all other networks:
tnsr(config)# route dynamic access-list myacl
tnsr(config-access-list)# sequence 10 deny 192.168.0.0/16
tnsr(config-access-list)# sequence 20 permit 0.0.0.0/0
tnsr(config-access-list)# exit
tnsr(config)#
This access list would then be used in another context, such as with a route map, to match routes for anything except 192.168.0.0/16 when taking other actions.
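As an added illustration (not part of the TNSR documentation), the Python below models the rules stated above: entries are evaluated in sequence-number order regardless of the order they were entered, sequence numbers must be unique within one access list, and the first matching entry decides. The containment rule (a route matches an entry whose prefix contains it) and the "no-match" result are assumptions of this example, not statements from this page.

```python
import ipaddress
import re

# Constructed sample: the same ACL the page configures, but entered with
# the sequence 20 line first to show that ordering comes from the
# sequence number, not from entry order.
SAMPLE_ACL = """
sequence 20 permit 0.0.0.0/0
sequence 10 deny 192.168.0.0/16
"""

ENTRY_RE = re.compile(r"^\s*sequence\s+(\d+)\s+(permit|deny)\s+(\S+)\s*$")


def parse_access_list(text):
    """Parse 'sequence N (permit|deny) prefix' lines into a list of
    (sequence, action, network) tuples sorted by sequence number.
    Raises ValueError for a duplicate sequence number, which the page
    says is not allowed inside one access list."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-list line: {line!r}")
        seq = int(m.group(1))
        if seq in entries:
            raise ValueError(f"duplicate sequence number {seq}")
        entries[seq] = (m.group(2), ipaddress.ip_network(m.group(3), strict=False))
    return [(seq, act, net) for seq, (act, net) in sorted(entries.items())]


def evaluate(entries, prefix):
    """Return (action, sequence) of the first entry, in sequence order,
    whose network contains 'prefix'. Assumption: an entry matches when the
    candidate route prefix lies inside the entry's prefix. Returns
    ('no-match', None) if nothing matches; the page does not say what
    TNSR does in that case, so callers should treat it explicitly."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for seq, action, net in entries:
        if candidate.version == net.version and candidate.subnet_of(net):
            return action, seq
    return "no-match", None


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_ACL)
    for p in ("192.168.10.0/24", "10.0.0.0/8"):
        print(p, "->", evaluate(acl, p))
```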
Access List Status
To view access lists, use the show route dynamic access-list [name] command. Add the name of an access list to restrict the output to a single access list.
tnsr# show route dynamic access-list
Access List: myacl
Remark:
Seq Action Prefix
--- ------ --------------
10 deny 192.168.0.0/16
20 permit 0.0.0.0/0