Filter-policy can reference an ACL, an IP prefix list or a route-policy to filter routes as they are imported or advertised.
Take OSPF as an example. On the network shown in the following figure, RTA has three routes, to 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24.
If you do not want RTB to advertise the routes to 10.1.1.0/24 and 10.1.2.0/24, configure the following on RTB:
[RTB] acl 2000
[RTB-acl2000] rule 5 deny source 10.1.1.0 0.0.0.255
[RTB-acl2000] rule 10 deny source 10.1.2.0 0.0.0.255
[RTB-acl2000] rule 15 permit source any
[RTB] ospf 100
[RTB-ospf-100] filter-policy acl 2000 export
Filter-policy acts only on the routes advertised to or received from neighbors; it does not itself import routes from one routing protocol into another. To import routes learned by other routing protocols, run the import-route command in the OSPF view.
ACL Rule Matching Result | Processing Result of Filter-policy
---|---
Route matches a permit rule | The route is imported or advertised
Route matches a deny rule | The route is not imported or advertised
The ACL has rules but the route matches none of them | The route is not imported or advertised
The ACL does not exist | All routes are imported or advertised
The ACL exists but contains no rules | No routes are imported or advertised
Only basic ACLs (numbered 2000 to 2999, or named basic ACLs) can be applied to filter-policy; advanced ACLs cannot be used.
A numbered or named basic ACL applied to filter-policy supports only two matching options, the source address and a time-range. Other options (such as destination-address and vpn-instance) are not supported.
If an unsupported option is configured in a rule used by filter-policy, the option is ignored: its matching result is taken as "permit", so the rule is matched on the source address (and time-range, if any) alone.
Example 1
Only the static route to 10.1.0.0/24 can be advertised to BGP peers; every other route matches no rule in the ACL and is therefore not advertised.
acl number 2000
 rule 5 permit source 10.1.0.0 0.0.0.255
#
bgp 100
 ipv4-family unicast
  filter-policy acl 2000 export
#
Example 2
Routes to 10.1.0.0/24 cannot be advertised to any BGP VPNv4 peer, regardless of which L3VPN the denied routes belong to: the "vpn-instance vpnb" option in rule 5 is not supported by filter-policy and is ignored, so the deny applies to every VPN instance.
acl number 2000
 rule 5 deny source 10.1.0.0 0.0.0.255 vpn-instance vpnb
 rule 10 permit
#
route-policy policy1 permit node 10
 if-match acl 2000
#
bgp 100
 ipv4-family vpnv4
  filter-policy 2000 export
#
In filter-policy, a route is considered to match an ACL rule if the route's network address falls within the range defined by the rule's source address and wildcard mask; the route's prefix length is not compared.
For example, with the following ACL, the routes 10.1.1.0/24, 10.1.1.0/25 and 10.1.1.0/30 all fall within 10.1.1.0/24 and therefore match rule 1. The route 10.1.0.0/16 does not match rule 1, because its network address 10.1.0.0 is outside 10.1.1.0/24; it falls through to rule 99 and is denied.
acl number 2000
 rule 1 permit source 10.1.1.0 0.0.0.255
 rule 99 deny any
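The following Python model is an added example, not code from the original page or from any vendor's software. It implements the filter-policy decision table above (permit, deny, no matching rule, missing ACL, empty ACL), the source/wildcard range test that ignores the route's prefix length, and the rule that an unsupported option such as vpn-instance is treated as matched. The ACL numbers other than 2000, the route prefixes used as input, and the modelling of time-range (a rule with a time-range option matches only while that range is active) are assumptions made for this example.

```python
"""Model of how filter-policy evaluates a basic ACL against a route (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Options filter-policy honours on a basic ACL rule besides the source address.
# Any other option (vpn-instance, destination-address, ...) is ignored, which the
# page describes as the option's matching result being "permit".
SUPPORTED_OPTIONS = {"time-range"}


@dataclass
class AclRule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    source: Optional[str] = None                 # "A.B.C.D wildcard"; None means any
    options: Dict[str, str] = field(default_factory=dict)


def source_matches(route_prefix: str, source: Optional[str]) -> bool:
    """True when the route's network address lies in the source/wildcard range.

    The route's prefix length is not compared, so 10.1.1.0/25 matches
    'source 10.1.1.0 0.0.0.255' exactly as 10.1.1.0/24 does.
    """
    if source is None:
        return True
    network = ipaddress.ip_network(route_prefix, strict=False).network_address
    addr, wildcard = (int(ipaddress.IPv4Address(p)) for p in source.split())
    fixed_bits = 0xFFFFFFFF ^ wildcard           # wildcard bit 0 = bit must be equal
    return (int(network) & fixed_bits) == (addr & fixed_bits)


def rule_matches(rule: AclRule, route_prefix: str,
                 active_time_ranges: frozenset) -> bool:
    if not source_matches(route_prefix, rule.source):
        return False
    for name, value in rule.options.items():
        if name in SUPPORTED_OPTIONS:
            # Assumption: a time-range option only matches while that range is active.
            if name == "time-range" and value not in active_time_ranges:
                return False
        # Unsupported options fall through: treated as matched ("permit").
    return True


def filter_policy_allows(acls: Dict[int, List[AclRule]], acl_number: int,
                         route_prefix: str,
                         active_time_ranges: frozenset = frozenset()) -> bool:
    """Decision table from the page: permit -> pass, deny -> drop, no matching
    rule -> drop, ACL absent -> everything passes, ACL empty -> nothing passes."""
    if acl_number not in acls:
        return True
    rules = acls[acl_number]
    if not rules:
        return False
    for rule in sorted(rules, key=lambda r: r.rule_id):   # lowest rule ID first
        if rule_matches(rule, route_prefix, active_time_ranges):
            return rule.action == "permit"
    return False


# Constructed ACLs for the demonstration (numbers other than 2000 are chosen here).
ACLS: Dict[int, List[AclRule]] = {
    # The page's range example: permit the 10.1.1.0/24 range, deny everything else.
    2000: [AclRule(1, "permit", "10.1.1.0 0.0.0.255"), AclRule(99, "deny")],
    # The page's Example 2: vpn-instance on a basic ACL rule is ignored.
    2001: [AclRule(5, "deny", "10.1.0.0 0.0.0.255", {"vpn-instance": "vpnb"}),
           AclRule(10, "permit")],
    # time-range is honoured: the permit only applies while "work" is active.
    2002: [AclRule(5, "permit", "10.1.1.0 0.0.0.255", {"time-range": "work"})],
    2003: [],                                    # exists but has no rules
}


def demo() -> Dict[str, bool]:
    """Evaluate the cases discussed on the page; True means the route is advertised."""
    return {
        "acl2000 10.1.1.0/24": filter_policy_allows(ACLS, 2000, "10.1.1.0/24"),
        "acl2000 10.1.1.0/25": filter_policy_allows(ACLS, 2000, "10.1.1.0/25"),
        "acl2000 10.1.1.0/30": filter_policy_allows(ACLS, 2000, "10.1.1.0/30"),
        "acl2000 10.1.0.0/16": filter_policy_allows(ACLS, 2000, "10.1.0.0/16"),
        "acl2001 10.1.0.0/24 any VPN": filter_policy_allows(ACLS, 2001, "10.1.0.0/24"),
        "acl2001 10.1.1.0/24": filter_policy_allows(ACLS, 2001, "10.1.1.0/24"),
        "acl2002 range active": filter_policy_allows(ACLS, 2002, "10.1.1.0/24",
                                                     frozenset({"work"})),
        "acl2002 range inactive": filter_policy_allows(ACLS, 2002, "10.1.1.0/24"),
        "acl2003 empty ACL": filter_policy_allows(ACLS, 2003, "10.1.1.0/24"),
        "acl2004 missing ACL": filter_policy_allows(ACLS, 2004, "10.1.1.0/24"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32} -> {'advertised' if allowed else 'filtered'}")
```

Two results are worth checking before relying on an ACL filter: a route whose network address sits inside the range but with a longer prefix (10.1.1.0/30) passes the same rule as the /24, so a basic ACL cannot express "exactly this prefix"; and an ACL that was deleted but is still referenced by filter-policy lets everything through, whereas an ACL left in place with its rules removed blocks everything.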