[mirror_frr.git] / doc / user / filter.rst

*********
Filtering
*********

FRR provides many very flexible filtering features. Filtering is used
for both input and output of the routing information. Once filtering is
defined, it can be applied in any direction.

IP Access List
==============

.. index:: access-list NAME permit IPV4-NETWORK
.. clicmd:: access-list NAME permit IPV4-NETWORK

.. index:: access-list NAME deny IPV4-NETWORK
.. clicmd:: access-list NAME deny IPV4-NETWORK

   Basic filtering is done by `access-list` as shown in the
   following example.

   .. code-block:: frr

      access-list filter deny 10.0.0.0/9
      access-list filter permit 10.0.0.0/8


IP Prefix List
==============

*ip prefix-list* provides the most powerful prefix based
filtering mechanism. In addition to *access-list* functionality,
*ip prefix-list* has prefix length range specification and
sequential number specification. You can add or delete prefix based
filters to arbitrary points of prefix-list using sequential number specification.

If no ip prefix-list is specified, it acts as permit. If *ip prefix-list*
is defined, and no match is found, default deny is applied.

.. index:: ip prefix-list NAME (permit|deny) PREFIX [le LEN] [ge LEN]
.. clicmd:: ip prefix-list NAME (permit|deny) PREFIX [le LEN] [ge LEN]

.. index:: ip prefix-list NAME seq NUMBER (permit|deny) PREFIX [le LEN] [ge LEN]
.. clicmd:: ip prefix-list NAME seq NUMBER (permit|deny) PREFIX [le LEN] [ge LEN]

   You can create *ip prefix-list* using above commands.

   seq
      seq `number` can be set either automatically or manually. In the
      case that sequential numbers are set manually, the user may pick any
      number less than 4294967295. In the case that sequential number are set
      automatically, the sequential number will increase by a unit of five (5)
      per list. If a list with no specified sequential number is created
      after a list with a specified sequential number, the list will
      automatically pick the next multiple of five (5) as the list number.
      For example, if a list with number 2 already exists and a new list with
      no specified number is created, the next list will be numbered 5. If
      lists 2 and 7 already exist and a new list with no specified number is
      created, the new list will be numbered 10.

   le
      Specifies prefix length. The prefix list will be applied if the prefix
      length is less than or equal to the le prefix length.

   ge
      Specifies prefix length. The prefix list will be applied if the prefix
      length is greater than or equal to the ge prefix length.


   Less than or equal to prefix numbers and greater than or equal to
   prefix numbers can be used together. The order of the le and ge
   commands does not matter.

   If a prefix list with a different sequential number but with the exact
   same rules as a previous list is created, an error will result.
   However, in the case that the sequential number and the rules are
   exactly similar, no error will result.

   If a list with the same sequential number as a previous list is created,
   the new list will overwrite the old list.

   Matching of IP Prefix is performed from the smaller sequential number to the
   larger. The matching will stop once any rule has been applied.

   In the case of no le or ge command, the prefix length must match exactly the
   length specified in the prefix list.

.. index:: no ip prefix-list NAME
.. clicmd:: no ip prefix-list NAME

.. _ip-prefix-list-description:

ip prefix-list description
--------------------------

.. index:: ip prefix-list NAME description DESC
.. clicmd:: ip prefix-list NAME description DESC

   Descriptions may be added to prefix lists. This command adds a
   description to the prefix list.

.. index:: no ip prefix-list NAME description [DESC]
.. clicmd:: no ip prefix-list NAME description [DESC]

   Deletes the description from a prefix list. It is possible to use the
   command without the full description.

.. _ip-prefix-list-sequential-number-control:

ip prefix-list sequential number control
----------------------------------------

.. index:: ip prefix-list sequence-number
.. clicmd:: ip prefix-list sequence-number

   With this command, the IP prefix list sequential number is displayed.
   This is the default behavior.

.. index:: no ip prefix-list sequence-number
.. clicmd:: no ip prefix-list sequence-number

   With this command, the IP prefix list sequential number is not
   displayed.

.. _showing-ip-prefix-list:

Showing ip prefix-list
----------------------

.. index:: show ip prefix-list
.. clicmd:: show ip prefix-list

   Display all IP prefix lists.

.. index:: show ip prefix-list NAME
.. clicmd:: show ip prefix-list NAME

   Show IP prefix list can be used with a prefix list name.

.. index:: show ip prefix-list NAME seq NUM
.. clicmd:: show ip prefix-list NAME seq NUM

   Show IP prefix list can be used with a prefix list name and sequential
   number.

.. index:: show ip prefix-list NAME A.B.C.D/M
.. clicmd:: show ip prefix-list NAME A.B.C.D/M

   If the command longer is used, all prefix lists with prefix lengths equal to
   or longer than the specified length will be displayed. If the command first
   match is used, the first prefix length match will be displayed.

.. index:: show ip prefix-list NAME A.B.C.D/M longer
.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
.. index:: show ip prefix-list NAME A.B.C.D/M first-match
.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
.. index:: show ip prefix-list summary
.. clicmd:: show ip prefix-list summary
.. index:: show ip prefix-list summary NAME
.. clicmd:: show ip prefix-list summary NAME
.. index:: show ip prefix-list detail
.. clicmd:: show ip prefix-list detail
.. index:: show ip prefix-list detail NAME
.. clicmd:: show ip prefix-list detail NAME

Clear counter of ip prefix-list
-------------------------------

.. index:: clear ip prefix-list
.. clicmd:: clear ip prefix-list

   Clears the counters of all IP prefix lists. Clear IP Prefix List can be used
   with a specified name and prefix.

.. index:: clear ip prefix-list NAME
.. clicmd:: clear ip prefix-list NAME

.. index:: clear ip prefix-list NAME A.B.C.D/M
.. clicmd:: clear ip prefix-list NAME A.B.C.D/M
Commit	Line	Data
42fc5d26 QY	1	*********
	2	Filtering
	3	*********
	4
c1a54c05 QY	5	FRR provides many very flexible filtering features. Filtering is used
c1a54c05 QY	6	for both input and output of the routing information. Once filtering is
42fc5d26 QY	7	defined, it can be applied in any direction.
42fc5d26 QY	8
42fc5d26 QY	9	IP Access List
	10	==============
	11
c1a54c05 QY	12	.. index:: access-list NAME permit IPV4-NETWORK
c1a54c05 QY	13	.. clicmd:: access-list NAME permit IPV4-NETWORK
42fc5d26	14
c1a54c05 QY	15	.. index:: access-list NAME deny IPV4-NETWORK
c1a54c05 QY	16	.. clicmd:: access-list NAME deny IPV4-NETWORK
42fc5d26	17
c1a54c05 QY	18	Basic filtering is done by `access-list` as shown in the
c1a54c05 QY	19	following example.
42fc5d26	20
9eb95b3b	21	.. code-block:: frr
42fc5d26	22
c1a54c05 QY	23	access-list filter deny 10.0.0.0/9
c1a54c05 QY	24	access-list filter permit 10.0.0.0/8
a8c90e15	25
42fc5d26	26
42fc5d26 QY	27	IP Prefix List
	28	==============
	29
	30	ip prefix-list provides the most powerful prefix based
c1a54c05	31	filtering mechanism. In addition to access-list functionality,
42fc5d26	32	ip prefix-list has prefix length range specification and
c1a54c05	33	sequential number specification. You can add or delete prefix based
42fc5d26 QY	34	filters to arbitrary points of prefix-list using sequential number specification.
42fc5d26 QY	35
c1a54c05	36	If no ip prefix-list is specified, it acts as permit. If ip prefix-list
42fc5d26 QY	37	is defined, and no match is found, default deny is applied.
42fc5d26 QY	38
c1a54c05 QY	39	.. index:: ip prefix-list NAME (permit\|deny) PREFIX [le LEN] [ge LEN]
c1a54c05 QY	40	.. clicmd:: ip prefix-list NAME (permit\|deny) PREFIX [le LEN] [ge LEN]
42fc5d26	41
c1a54c05 QY	42	.. index:: ip prefix-list NAME seq NUMBER (permit\|deny) PREFIX [le LEN] [ge LEN]
c1a54c05 QY	43	.. clicmd:: ip prefix-list NAME seq NUMBER (permit\|deny) PREFIX [le LEN] [ge LEN]
42fc5d26	44
c1a54c05	45	You can create ip prefix-list using above commands.
42fc5d26	46
c1a54c05 QY	47	seq
c1a54c05 QY	48	seq `number` can be set either automatically or manually. In the
42fc5d26	49	case that sequential numbers are set manually, the user may pick any
c1a54c05	50	number less than 4294967295. In the case that sequential number are set
42fc5d26	51	automatically, the sequential number will increase by a unit of five (5)
c1a54c05	52	per list. If a list with no specified sequential number is created
42fc5d26 QY	53	after a list with a specified sequential number, the list will
	54	automatically pick the next multiple of five (5) as the list number.
	55	For example, if a list with number 2 already exists and a new list with
c1a54c05	56	no specified number is created, the next list will be numbered 5. If
42fc5d26 QY	57	lists 2 and 7 already exist and a new list with no specified number is
	58	created, the new list will be numbered 10.
	59
c1a54c05 QY	60	le
	61	Specifies prefix length. The prefix list will be applied if the prefix
	62	length is less than or equal to the le prefix length.
42fc5d26	63
c1a54c05 QY	64	ge
	65	Specifies prefix length. The prefix list will be applied if the prefix
	66	length is greater than or equal to the ge prefix length.
42fc5d26	67
42fc5d26	68
c1a54c05 QY	69	Less than or equal to prefix numbers and greater than or equal to
	70	prefix numbers can be used together. The order of the le and ge
	71	commands does not matter.
42fc5d26	72
c1a54c05 QY	73	If a prefix list with a different sequential number but with the exact
	74	same rules as a previous list is created, an error will result.
	75	However, in the case that the sequential number and the rules are
	76	exactly similar, no error will result.
42fc5d26	77
c1a54c05 QY	78	If a list with the same sequential number as a previous list is created,
c1a54c05 QY	79	the new list will overwrite the old list.
42fc5d26	80
c1a54c05 QY	81	Matching of IP Prefix is performed from the smaller sequential number to the
c1a54c05 QY	82	larger. The matching will stop once any rule has been applied.
42fc5d26	83
c1a54c05 QY	84	In the case of no le or ge command, the prefix length must match exactly the
c1a54c05 QY	85	length specified in the prefix list.
42fc5d26	86
c1a54c05 QY	87	.. index:: no ip prefix-list NAME
c1a54c05 QY	88	.. clicmd:: no ip prefix-list NAME
42fc5d26	89
0efdf0fe	90	.. _ip-prefix-list-description:
42fc5d26 QY	91
	92	ip prefix-list description
	93	--------------------------
	94
c1a54c05 QY	95	.. index:: ip prefix-list NAME description DESC
c1a54c05 QY	96	.. clicmd:: ip prefix-list NAME description DESC
42fc5d26	97
c1a54c05 QY	98	Descriptions may be added to prefix lists. This command adds a
c1a54c05 QY	99	description to the prefix list.
42fc5d26	100
c1a54c05 QY	101	.. index:: no ip prefix-list NAME description [DESC]
c1a54c05 QY	102	.. clicmd:: no ip prefix-list NAME description [DESC]
42fc5d26	103
c1a54c05 QY	104	Deletes the description from a prefix list. It is possible to use the
c1a54c05 QY	105	command without the full description.
42fc5d26	106
0efdf0fe	107	.. _ip-prefix-list-sequential-number-control:
42fc5d26 QY	108
	109	ip prefix-list sequential number control
	110	----------------------------------------
	111
c1a54c05 QY	112	.. index:: ip prefix-list sequence-number
c1a54c05 QY	113	.. clicmd:: ip prefix-list sequence-number
42fc5d26	114
c1a54c05 QY	115	With this command, the IP prefix list sequential number is displayed.
c1a54c05 QY	116	This is the default behavior.
42fc5d26	117
c1a54c05 QY	118	.. index:: no ip prefix-list sequence-number
c1a54c05 QY	119	.. clicmd:: no ip prefix-list sequence-number
42fc5d26	120
c1a54c05 QY	121	With this command, the IP prefix list sequential number is not
c1a54c05 QY	122	displayed.
42fc5d26	123
11ab5329	124	.. _showing-ip-prefix-list:
42fc5d26 QY	125
	126	Showing ip prefix-list
	127	----------------------
	128
c1a54c05 QY	129	.. index:: show ip prefix-list
c1a54c05 QY	130	.. clicmd:: show ip prefix-list
42fc5d26	131
c1a54c05	132	Display all IP prefix lists.
42fc5d26	133
c1a54c05 QY	134	.. index:: show ip prefix-list NAME
c1a54c05 QY	135	.. clicmd:: show ip prefix-list NAME
42fc5d26	136
c1a54c05	137	Show IP prefix list can be used with a prefix list name.
42fc5d26	138
c1a54c05 QY	139	.. index:: show ip prefix-list NAME seq NUM
c1a54c05 QY	140	.. clicmd:: show ip prefix-list NAME seq NUM
42fc5d26	141
c1a54c05 QY	142	Show IP prefix list can be used with a prefix list name and sequential
c1a54c05 QY	143	number.
42fc5d26	144
c1a54c05 QY	145	.. index:: show ip prefix-list NAME A.B.C.D/M
c1a54c05 QY	146	.. clicmd:: show ip prefix-list NAME A.B.C.D/M
42fc5d26	147
c1a54c05 QY	148	If the command longer is used, all prefix lists with prefix lengths equal to
	149	or longer than the specified length will be displayed. If the command first
	150	match is used, the first prefix length match will be displayed.
42fc5d26	151
c1a54c05 QY	152	.. index:: show ip prefix-list NAME A.B.C.D/M longer
	153	.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
	154	.. index:: show ip prefix-list NAME A.B.C.D/M first-match
	155	.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
	156	.. index:: show ip prefix-list summary
	157	.. clicmd:: show ip prefix-list summary
	158	.. index:: show ip prefix-list summary NAME
	159	.. clicmd:: show ip prefix-list summary NAME
	160	.. index:: show ip prefix-list detail
	161	.. clicmd:: show ip prefix-list detail
	162	.. index:: show ip prefix-list detail NAME
	163	.. clicmd:: show ip prefix-list detail NAME
42fc5d26 QY	164
	165	Clear counter of ip prefix-list
	166	-------------------------------
	167
c1a54c05 QY	168	.. index:: clear ip prefix-list
c1a54c05 QY	169	.. clicmd:: clear ip prefix-list
42fc5d26	170
c1a54c05 QY	171	Clears the counters of all IP prefix lists. Clear IP Prefix List can be used
c1a54c05 QY	172	with a specified name and prefix.
42fc5d26	173
c1a54c05 QY	174	.. index:: clear ip prefix-list NAME
c1a54c05 QY	175	.. clicmd:: clear ip prefix-list NAME
42fc5d26	176
c1a54c05 QY	177	.. index:: clear ip prefix-list NAME A.B.C.D/M
c1a54c05 QY	178	.. clicmd:: clear ip prefix-list NAME A.B.C.D/M