Dynamic Routing Access Lists

Access list entries determine whether networks (IP prefixes) are permitted or denied in a given context within the dynamic routing daemons. For example, an access list can decide whether a route learned from a neighbor is accepted or rejected, or limit which routes are advertised to neighbors.

The order of entries inside an access list is important, and this order is determined by the sequence number: entries are evaluated in ascending sequence order, and the first entry that matches a route determines the result. A route that matches no entry is denied, so an access list containing only deny entries rejects every route.

Access List Configuration

To create a new access list, use the route dynamic access-list <name> command, which enters config-access-list mode:

tnsr(config)# route dynamic access-list myacl
tnsr(config-access-list)#

config-access-list mode contains the following commands:

remark <text>:

A text comment to describe this access list.

sequence <sequence-number> (permit|deny) <ip-prefix>:

Creates a new rule with the specified sequence number to permit or deny a given prefix.

sequence <sequence-number>:

The sequence number for this rule, which controls the order in which rules are matched inside this access list. Each rule in an access list must have a unique sequence number. Best practice is to leave gaps in the sequence to allow for adding rules in the future. For example, use 10, 20, 30, rather than 1, 2, 3.

(permit|deny):

The action to take for this rule, either permit or deny.

<ip-prefix>:

The IP prefix to match for this rule, given in network/prefix (CIDR) notation, for example 192.168.0.0/16. An entry matches a route whose prefix is the same as, or falls within, the entry's prefix, so 192.168.0.0/16 also matches a more specific route such as 192.168.10.0/24, and 0.0.0.0/0 matches every IPv4 route.

Access List Example

For example, the following access list denies any prefix within 192.168.0.0/16 but permits all other IPv4 networks. The final permit 0.0.0.0/0 entry is what makes the list pass other routes; without it, routes that match no entry would be rejected:

tnsr(config)# route dynamic access-list myacl
tnsr(config-access-list)# sequence 10 deny 192.168.0.0/16
tnsr(config-access-list)# sequence 20 permit 0.0.0.0/0
tnsr(config-access-list)# exit
tnsr(config)#

This access list can then be referenced from another context, such as a route map, to match any route except those within 192.168.0.0/16 before applying other actions.
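The following is an added illustration, not TNSR or FRR code: a small Python model of how an access list of this kind is evaluated (first match in ascending sequence order, containment matching of prefixes, implicit deny when nothing matches). It runs the access list from the example above against a constructed set of routes, and then shows two common mistakes: swapping the sequence numbers so the permit-all entry shadows the deny, and omitting the final permit so the implicit deny rejects everything. The entry tuples, the sample routes and the helper names are assumptions made for the example.

```python
# Model of dynamic routing access list evaluation (added example, not TNSR code).
# Assumed semantics: entries are tried in ascending sequence order, the first
# matching entry decides, a route matches an entry when its prefix is equal to
# or inside the entry's prefix, and a route matching no entry is denied.
from ipaddress import ip_network


def build_acl(entries):
    """entries: iterable of (sequence, action, prefix) as typed at the CLI.

    Sequence numbers must be unique within a list; the result is sorted by
    sequence so that insertion order does not matter, as on the router.
    """
    seqs = [seq for seq, _, _ in entries]
    if len(seqs) != len(set(seqs)):
        raise ValueError("sequence numbers within an access list must be unique")
    acl = [(seq, action, ip_network(prefix)) for seq, action, prefix in entries]
    return sorted(acl, key=lambda entry: entry[0])


def acl_evaluate(acl, route):
    """Return (action, matching_sequence); sequence is None on the implicit deny."""
    r = ip_network(route)
    for seq, action, prefix in acl:
        # subnet_of() raises on an address-family mismatch, so check the family first.
        if r.version == prefix.version and r.subnet_of(prefix):
            return action, seq
    return "deny", None


# Constructed sample routes, as they might be learned from a neighbor.
SAMPLE_ROUTES = ["192.168.0.0/16", "192.168.10.0/24", "10.20.0.0/16", "0.0.0.0/0"]

# The access list from the page: deny 192.168.0.0/16, then permit everything else.
MYACL = build_acl([(10, "deny", "192.168.0.0/16"), (20, "permit", "0.0.0.0/0")])

# Same two entries with the sequence numbers swapped: permit 0.0.0.0/0 is now
# evaluated first and matches every IPv4 route, so the deny is never reached.
MYACL_REVERSED = build_acl([(20, "deny", "192.168.0.0/16"), (10, "permit", "0.0.0.0/0")])

# The deny entry alone: every other route falls through to the implicit deny.
DENY_ONLY = build_acl([(10, "deny", "192.168.0.0/16")])


def apply_acl(acl, routes=SAMPLE_ROUTES):
    """Map each route to the (action, sequence) the access list produces for it."""
    return {route: acl_evaluate(acl, route) for route in routes}


def permitted(acl, routes=SAMPLE_ROUTES):
    """Routes the access list lets through, in input order."""
    return [route for route, (action, _) in apply_acl(acl, routes).items() if action == "permit"]


if __name__ == "__main__":
    for name, acl in (("myacl", MYACL), ("myacl (sequence swapped)", MYACL_REVERSED), ("deny only", DENY_ONLY)):
        print(f"{name}:")
        for route, (action, seq) in apply_acl(acl).items():
            where = f"seq {seq}" if seq is not None else "implicit deny"
            print(f"  {route:<16} {action:<6} ({where})")
```

With the page's access list, 192.168.0.0/16 and 192.168.10.0/24 are both denied by sequence 10 while 10.20.0.0/16 and 0.0.0.0/0 are permitted by sequence 20. With the sequence numbers swapped, all four routes are permitted, which is why a deny entry must carry a lower sequence number than the permit-all that follows it. With only the deny entry, nothing is permitted at all.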

Access List Status

To view access lists, use the show route dynamic access-list [name] command. Add the name of an access list to restrict the output to a single access list.

tnsr# show route dynamic access-list

Access List: myacl
Remark:
    Seq Action Prefix
    --- ------ --------------
    10  deny   192.168.0.0/16
    20  permit 0.0.0.0/0