Kaspersky SD-WAN

Filtering routes

Route filtering lets you manage the advertisement of network routes based on criteria that you can specify. This functionality is necessary for optimal performance and security of the network, and for preventing routing loops.

You can use route filtering to allow or prohibit the advertising of specific routes between CPE devices and third-party network devices, as well as between individual autonomous systems. For route filtering, Kaspersky SD-WAN uses access control lists (ACLs), prefix lists, and route maps.

Access control lists

An access control list is a set of rules for filtering routing information on a CPE device based on IP addresses and prefixes of the networks to which the routes belong.

Rules in an access control list can allow or deny the advertising of routes that belong to a specific network. Each rule is numbered. The CPE device compares the network to which the route belongs against the conditions of the rules in the access control list in use, starting with the rule with the lowest number.

Prefix lists

A prefix list is an extended version of an access control list. Unlike an access control list, a prefix list can contain rules that filter routes based on IP addresses and ranges of network prefixes rather than individual prefixes.

Route maps

While the access control list and prefix list are always applied to advertised routes, a route map is applied to routes only when specified conditions are met, and it can change the attributes of routes.

If none of the rules in the access control list, prefix list, or route map can be applied to a route, that route is discarded.

In this section

Creating an access-control list (ACL)

Editing an access control list

Deleting an access control list

Creating a prefix list

Editing a prefix list

Deleting a prefix list

Creating a route map

Editing a route map

Deleting a route map


Creating an access-control list (ACL)


You can create an access control list on an individual CPE device or on all devices that use the CPE template. To create an access control list, use the following instructions:

  • Creating an access control list on an individual CPE device.

    To create an access control list on an individual CPE device:

    1. In the menu, go to the SD-WAN section.

      By default, the CPE subsection is displayed with a table of CPE devices.

    2. Click the CPE device.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

    3. Select the Routing Filters tab.

      The Access control lists tab, which is selected by default, displays the table of access control lists.

    4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
    5. Click + Access control list.
    6. In the window that opens, enter the name of the access control list in the Name field. Maximum length: 50 characters. Do not use spaces in this field.
    7. Click + Add rule to add a rule to the access control list. You can add multiple rules.
    8. In the Sequence field, enter the sequential number of the rule. The rule with the lowest number is processed first. Range of values: 1 to 4,294,967,295.
    9. In the Network drop-down list, select the type of the rule:
      • Any network for a rule that allows or denies advertising of any networks.
      • IP/mask for a rule that allows or denies the advertising of a specific network. This is the default setting.
    10. If you selected IP/mask in the Network drop-down list, enter the IP address and the network prefix in the field that is displayed.
    11. In the Action drop-down list, select the action that the rule must apply to routes:
      • Permit to allow route advertising. This is the default setting.
      • Deny to deny route advertising.
    12. Click Create.

      The access control list is created and displayed in the table.

    13. In the upper part of the settings area, click Save to save the configuration of the CPE device.
  • Creating an access control list on all devices that use the CPE template.

    To create an access control list on all devices that use the CPE template:

    1. In the menu, go to the SD-WAN → CPE templates subsection.

      A table of CPE templates is displayed.

    2. Click the CPE template.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

    3. Select the Routing Filters tab.

      The Access control lists tab, which is selected by default, displays the table of access control lists.

    4. Click + Access control list.
    5. In the window that opens, enter the name of the access control list in the Name field. Maximum length: 50 characters. Do not use spaces in this field.
    6. Click + Add rule to add a rule to the access control list. You can add multiple rules.
    7. In the Sequence field, enter the sequential number of the rule. The rule with the lowest number is processed first. Range of values: 1 to 4,294,967,295.
    8. In the Network drop-down list, select the type of the rule:
      • Any network for a rule that allows or denies advertising of any networks.
      • IP/mask for a rule that allows or denies the advertising of a specific network. This is the default setting.
    9. If you selected IP/mask in the Network drop-down list, enter the IP address and the network prefix in the field that is displayed.
    10. In the Action drop-down list, select the action that the rule must apply to routes:
      • Permit to allow route advertising. This is the default setting.
      • Deny to deny route advertising.
    11. Click Create.

      The access control list is created and displayed in the table.

    12. In the upper part of the settings area, click Save to save the configuration of the CPE template.

Editing an access control list

You can edit an access control list on an individual CPE device or on all devices that use the CPE template. For a description of the settings, see the instructions for creating an access control list.

To edit an access control list on an individual CPE device:

  1. In the menu, go to the SD-WAN section.

    By default, the CPE subsection is displayed with a table of CPE devices.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters tab.

    The Access control lists tab, which is selected by default, displays the table of access control lists.

  4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
  5. Click Edit next to the access control list.
  6. In the window that opens, edit the settings that you want to change.
  7. Click Save.
  8. In the upper part of the settings area, click Save to save the configuration of the CPE device.

To edit an access control list on all devices that use the CPE template:

  1. In the menu, go to the SD-WAN → CPE templates subsection.

    A table of CPE templates is displayed.

  2. Click the CPE template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters tab.

    The Access control lists tab, which is selected by default, displays the table of access control lists.

  4. Click Edit next to the access control list.
  5. In the window that opens, edit the settings that you want to change.
  6. Click Save.
  7. In the upper part of the settings area, click Save to save the configuration of the CPE template.

Deleting an access control list

You can delete an access control list on an individual CPE device or on all devices that use the CPE template. Deleted access control lists cannot be restored.

To delete an access control list on an individual CPE device:

  1. In the menu, go to the SD-WAN section.

    By default, the CPE subsection is displayed with a table of CPE devices.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters tab.

    The Access control lists tab, which is selected by default, displays the table of access control lists.

  4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
  5. Click Delete next to the access control list.
  6. In the confirmation window, click Delete.

    The access control list is deleted and is no longer displayed in the table.

  7. In the upper part of the settings area, click Save to save the configuration of the CPE device.

To delete an access control list on all devices that use the CPE template:

  1. In the menu, go to the SD-WAN → CPE templates subsection.

    A table of CPE templates is displayed.

  2. Click the CPE template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters tab.

    The Access control lists tab, which is selected by default, displays the table of access control lists.

  4. Click Delete next to the access control list.
  5. In the confirmation window, click Delete.

    The access control list is deleted and is no longer displayed in the table.

  6. In the upper part of the settings area, click Save to save the configuration of the CPE template.

Creating a prefix list


You can create a prefix list on an individual CPE device or on all devices that use the CPE template. To create a prefix list, use the following instructions:

  • Creating a prefix list on an individual CPE device.

    To create a prefix list on an individual CPE device:

    1. In the menu, go to the SD-WAN section.

      By default, the CPE subsection is displayed with a table of CPE devices.

    2. Click the CPE device.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

    3. Select the Routing Filters → Prefix lists tab.

      A table of prefix lists is displayed.

    4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
    5. Click + Prefix list.
    6. In the window that opens, enter the name of the prefix list in the Name field. Maximum length: 50 characters. Do not use spaces in this field.
    7. Click + Add rule to add a rule to the prefix list. You can add multiple rules.
    8. In the Sequence field, enter the sequential number of the rule. The rule with the lowest number is processed first. Range of values: 1 to 4,294,967,295.
    9. In the Network drop-down list, select the type of the rule:
      • Any network for a rule that allows or denies advertising of any networks.
      • IP/mask for a rule that allows or denies the advertising of a specific network. This is the default setting.
    10. If you selected IP/mask in the Network drop-down list, enter the IP address and the network prefix in the field that is displayed.
    11. In the Action drop-down list, select the action that the rule must apply to routes:
      • Permit to allow route advertising. This is the default setting.
      • Deny to deny route advertising.
    12. In the Greater or equal and Less or equal fields, enter the starting and ending values for the range of prefixes. Range of values in each field: 0 to 32.
    13. Click Create.

      The prefix list is created and displayed in the table.

    14. In the upper part of the settings area, click Save to save the configuration of the CPE device.
  • Creating a prefix list on all devices that use the CPE template.

    To create a prefix list on all devices that use the CPE template:

    1. In the menu, go to the SD-WAN → CPE templates subsection.

      A table of CPE templates is displayed.

    2. Click the CPE template.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

    3. Select the Routing Filters → Prefix lists tab.

      A table of prefix lists is displayed.

    4. Click + Prefix list.
    5. In the window that opens, enter the name of the prefix list in the Name field. Maximum length: 50 characters. Do not use spaces in this field.
    6. Click + Add rule to add a rule to the prefix list. You can add multiple rules.
    7. In the Sequence field, enter the sequential number of the rule. The rule with the lowest number is processed first. Range of values: 1 to 4,294,967,295.
    8. In the Network drop-down list, select the type of the rule:
      • Any network for a rule that allows or denies advertising of any networks.
      • IP/mask for a rule that allows or denies the advertising of a specific network. This is the default setting.
    9. If you selected IP/mask in the Network drop-down list, enter the IP address and the network prefix in the field that is displayed.
    10. In the Action drop-down list, select the action that the rule must apply to routes:
      • Permit to allow route advertising. This is the default setting.
      • Deny to deny route advertising.
    11. In the Greater or equal and Less or equal fields, enter the starting and ending values for the range of prefixes. Range of values in each field: 0 to 32.
    12. Click Create.

      The prefix list is created and displayed in the table.

    13. In the upper part of the settings area, click Save to save the configuration of the CPE template.
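The evaluation order from the overview (lowest sequence number first, and a route that no rule applies to is discarded) and the Greater or equal / Less or equal fields from this procedure can be checked offline before a prefix list is saved. The Python sketch below is an added example, not Kaspersky SD-WAN code. First-match-wins and the length-range semantics (no bounds means an exact match, Greater or equal alone extends to /32) are assumptions taken from conventional prefix-list behaviour; the `Rule` class, function names and sample prefixes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_SEQ = 4_294_967_295  # upper bound of the Sequence field


@dataclass(frozen=True)
class Rule:
    sequence: int                  # Sequence field
    action: str                    # Action field: "Permit" or "Deny"
    network: Optional[str] = None  # IP/mask value; None stands for "Any network"
    ge: Optional[int] = None       # Greater or equal field
    le: Optional[int] = None       # Less or equal field


def validate(rule: Rule) -> List[str]:
    """Return the problems found in one rule, using the ranges given on the page."""
    problems = []
    if not 1 <= rule.sequence <= MAX_SEQ:
        problems.append("sequence out of range")
    if rule.action not in ("Permit", "Deny"):
        problems.append("unknown action")
    for name, bound in (("ge", rule.ge), ("le", rule.le)):
        if bound is not None and not 0 <= bound <= 32:
            problems.append(f"{name} out of range")
    if rule.ge is not None and rule.le is not None and rule.ge > rule.le:
        problems.append("ge is greater than le")
    if rule.network is not None:
        try:
            ipaddress.IPv4Network(rule.network)  # strict parsing rejects host bits
        except ValueError:
            problems.append("network is not a valid IPv4 prefix")
    return problems


def matches(rule: Rule, route: ipaddress.IPv4Network) -> bool:
    """Assumed semantics: the route lies inside the rule's network and its
    prefix length falls in the configured range."""
    if rule.network is None and rule.ge is None and rule.le is None:
        return True  # "Any network" without bounds matches every route
    net = ipaddress.IPv4Network(rule.network or "0.0.0.0/0")
    low = rule.ge if rule.ge is not None else net.prefixlen
    if rule.le is not None:
        high = rule.le
    elif rule.ge is not None:
        high = 32
    else:
        high = net.prefixlen  # no bounds: exact prefix length only
    return route.subnet_of(net) and low <= route.prefixlen <= high


def evaluate(rules: List[Rule], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence); sequence is None for the implicit discard."""
    candidate = ipaddress.IPv4Network(route)
    for rule in sorted(rules, key=lambda r: r.sequence):
        if matches(rule, candidate):
            return rule.action, rule.sequence
    return "Deny", None  # no rule applied, so the route is discarded


# Constructed sample policy: block the default route and a management block,
# then permit site prefixes between /16 and /24 inside 10.0.0.0/8.
POLICY = [
    Rule(20, "Permit", "10.0.0.0/8", ge=16, le=24),
    Rule(5, "Deny", "0.0.0.0/0"),
    Rule(10, "Deny", "10.99.0.0/16", le=32),
]

if __name__ == "__main__":
    for prefix in ("0.0.0.0/0", "10.99.4.0/24", "10.20.0.0/16", "10.20.30.128/25"):
        print(prefix, evaluate(POLICY, prefix))
```

Running candidate routes through `evaluate` before saving shows which sequence number decides each route and which routes fall through to the implicit discard.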

Editing a prefix list

You can edit a prefix list on an individual CPE device or on all devices that use the CPE template. For a description of the settings, see the instructions for creating a prefix list.

To edit a prefix list on an individual CPE device:

  1. In the menu, go to the SD-WAN section.

    By default, the CPE subsection is displayed with a table of CPE devices.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Prefix lists tab.

    A table of prefix lists is displayed.

  4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
  5. Click Edit next to the prefix list.
  6. In the window that opens, edit the settings that you want to change.
  7. Click Save.
  8. In the upper part of the settings area, click Save to save the configuration of the CPE device.

To edit a prefix list on all devices that use the CPE template:

  1. In the menu, go to the SD-WAN → CPE templates subsection.

    A table of CPE templates is displayed.

  2. Click the CPE template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Prefix lists tab.

    A table of prefix lists is displayed.

  4. Click Edit next to the prefix list.
  5. In the window that opens, edit the settings that you want to change.
  6. Click Save.
  7. In the upper part of the settings area, click Save to save the configuration of the CPE template.

Deleting a prefix list

You can delete a prefix list on an individual CPE device or on all devices that use the CPE template. Deleted prefix lists cannot be restored.

To delete a prefix list on an individual CPE device:

  1. In the menu, go to the SD-WAN section.

    By default, the CPE subsection is displayed with a table of CPE devices.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Prefix lists tab.

    A table of prefix lists is displayed.

  4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
  5. Click Delete next to the prefix list.
  6. In the confirmation window, click Delete.

    The prefix list is deleted and is no longer displayed in the table.

  7. In the upper part of the settings area, click Save to save the configuration of the CPE device.

To delete a prefix list on all devices that use the CPE template:

  1. In the menu, go to the SD-WAN → CPE templates subsection.

    A table of CPE templates is displayed.

  2. Click the CPE template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Prefix lists tab.

    A table of prefix lists is displayed.

  4. Click Delete next to the prefix list.
  5. In the confirmation window, click Delete.

    The prefix list is deleted and is no longer displayed in the table.

  6. In the upper part of the settings area, click Save to save the configuration of the CPE template.

Creating a route map


You can create a route map on an individual CPE device or on all devices that use the CPE template. To create a route map, use the following instructions:

  • Creating a route map on an individual CPE device.

    To create a route map on an individual CPE device:

    1. In the menu, go to the SD-WAN section.

      By default, the CPE subsection is displayed with a table of CPE devices.

    2. Click the CPE device.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

    3. Select the Routing Filters → Route maps tab.

      A table of route maps is displayed.

    4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
    5. Click + Route map.
    6. In the window that opens, enter the name of the route map in the Name field. Maximum length: 50 characters. Do not use spaces in this field.
    7. Click + Add rule to add a rule to the route map. You can add multiple rules.
    8. In the Sequence field, enter the sequential number of the rule. The rule with the lowest number is processed first. Range of values: 1 to 4,294,967,295.
    9. In the Action drop-down list, select the action that the rule must apply to routes:
      • Permit to allow route advertising. This is the default setting.
      • Deny to deny route advertising.
    10. In the Match type drop-down list, select the condition that must be satisfied to apply the rule to a route:
      • None — Apply the rule to all routes. You cannot change the values of attributes using this rule. This is the default setting.
      • Prefix-List — Apply the rule to routes matching the selected prefix list.
      • Community — Apply the rule to routes that have the 'community' attribute with the specified value.
      • Extcommunity — Apply the rule to routes that have the 'extended community' attribute with the specified value.
    11. If you selected Prefix-List in the Match type drop-down list, select a prefix list in the Prefix list drop-down list.
    12. If you selected Community or Extcommunity in the Match type drop-down list, enter the attribute value in the Value field.
    13. In the Change attribute drop-down list, select the attribute which you want to modify when the rule is applied to a route:
      • None — Do not change the values of attributes. This is the default setting.
      • IP next-hop — Change the value of the 'next hop' attribute. An IP address must be entered as the new value.
      • Local preference — Change the value of the local preference attribute. Range of values: 0 to 4,294,967,295.
      • Metric — Change the value of the 'MED' attribute. Range of values: 0 to 4,294,967,295.
      • Community — Change the value of the 'community' attribute.
      • Extcommunity — Change the value of the 'extended community' attribute.
      • VPNv4 next-hop — Change the value of the 'next hop' attribute for VPNv4 routes. An IPv4 address must be entered as the new value.
      • AS Path Prepend — Add the number of the autonomous system to the 'as path' attribute. You may specify multiple numbers separated by spaces.
    14. In the New value field, enter the value that you want to assign to the attribute. You can enter numbers or characters depending on the attribute selected in the Change attribute drop-down list.
    15. Click Create.

      The route map is created and displayed in the table.

    16. In the upper part of the settings area, click Save to save the configuration of the CPE device.
  • Creating a route map on all devices that use the CPE template.

    To create a route map on all devices that use the CPE template:

    1. In the menu, go to the SD-WAN → CPE templates subsection.

      A table of CPE templates is displayed.

    2. Click the CPE template.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

    3. Select the Routing Filters → Route maps tab.

      A table of route maps is displayed.

    4. Click + Route map.
    5. In the window that opens, enter the name of the route map in the Name field. Maximum length: 50 characters. Do not use spaces in this field.
    6. Click + Add rule to add a rule to the route map. You can add multiple rules.
    7. In the Sequence field, enter the sequential number of the rule. The rule with the lowest number is processed first. Range of values: 1 to 4,294,967,295.
    8. In the Action drop-down list, select the action that the rule must apply to routes:
      • Permit to allow route advertising. This is the default setting.
      • Deny to deny route advertising.
    9. In the Match type drop-down list, select the condition that must be satisfied to apply the rule to a route:
      • None — Apply the rule to all routes. You cannot change the values of attributes using this rule. This is the default setting.
      • Prefix-List — Apply the rule to routes matching the selected prefix list.
      • Community — Apply the rule to routes that have the 'community' attribute with the specified value.
      • Extcommunity — Apply the rule to routes that have the 'extended community' attribute with the specified value.
    10. If you selected Prefix-List in the Match type drop-down list, select a prefix list in the Prefix list drop-down list.
    11. If you selected Community or Extcommunity in the Match type drop-down list, enter the attribute value in the Value field.
    12. In the Change attribute drop-down list, select the attribute which you want to modify when the rule is applied to a route:
      • None — Do not change the values of attributes. This is the default setting.
      • IP next-hop — Change the value of the 'next hop' attribute. An IP address must be entered as the new value.
      • Local preference — Change the value of the local preference attribute. Range of values: 0 to 4,294,967,295.
      • Metric — Change the value of the 'MED' attribute. Range of values: 0 to 4,294,967,295.
      • Community — Change the value of the 'community' attribute.
      • Extcommunity — Change the value of the 'extended community' attribute.
      • VPNv4 next-hop — Change the value of the 'next hop' attribute for VPNv4 routes. An IPv4 address must be entered as the new value.
      • AS Path Prepend — Add the number of the autonomous system to the 'as path' attribute. You may specify multiple numbers separated by spaces.
    13. In the New value field, enter the value that you want to assign to the attribute. You can enter numbers or characters depending on the attribute selected in the Change attribute drop-down list.
    14. Click Create.

      The route map is created and displayed in the table.

    15. In the upper part of the settings area, click Save to save the configuration of the CPE template.
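The route map rules described in this procedure combine a match condition with an optional attribute change, and a rule with match type None cannot change attributes. The Python sketch below is an added example, not Kaspersky SD-WAN code, that models this for the None and Community match types and the Local preference, Metric and AS Path Prepend changes. First-match-wins, the `AS:number` community notation, the `MapRule` class, the route dictionary layout and all sample values are assumptions constructed for illustration; Prefix-List and Extcommunity matching are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

UINT32_MAX = 4_294_967_295  # upper bound of Sequence, Local preference and Metric


@dataclass(frozen=True)
class MapRule:
    sequence: int
    action: str               # Action field: "Permit" or "Deny"
    match_type: str = "None"  # Match type field ("None" or "Community" here)
    value: str = ""           # Value field
    change: str = "None"      # Change attribute field
    new_value: str = ""       # New value field


def _is_uint32(text: str) -> bool:
    try:
        return 0 <= int(text) <= UINT32_MAX
    except ValueError:
        return False


def validate(rule: MapRule) -> List[str]:
    """Check one rule against the constraints stated in the procedure."""
    problems = []
    if not 1 <= rule.sequence <= UINT32_MAX:
        problems.append("sequence out of range")
    if rule.match_type == "None" and rule.change != "None":
        problems.append("a rule with match type None cannot change attributes")
    if rule.match_type == "Community" and not rule.value:
        problems.append("community match needs a value")
    if rule.change in ("Local preference", "Metric") and not _is_uint32(rule.new_value):
        problems.append(f"{rule.change} must be 0 to {UINT32_MAX}")
    if rule.change == "AS Path Prepend":
        parts = rule.new_value.split()
        if not parts or not all(_is_uint32(p) for p in parts):
            problems.append("AS Path Prepend needs AS numbers separated by spaces")
    return problems


def apply_route_map(rules: List[MapRule], route: dict) -> Tuple[str, Optional[int], Optional[dict]]:
    """Return (action, matching sequence, resulting route); the input is not modified."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule.match_type == "Community" and rule.value not in route["communities"]:
            continue
        if rule.action == "Deny":
            return "Deny", rule.sequence, None
        updated = dict(route, as_path=list(route["as_path"]))
        if rule.change == "Local preference":
            updated["local_pref"] = int(rule.new_value)
        elif rule.change == "Metric":
            updated["med"] = int(rule.new_value)
        elif rule.change == "AS Path Prepend":
            updated["as_path"] = [int(a) for a in rule.new_value.split()] + updated["as_path"]
        return "Permit", rule.sequence, updated
    return "Deny", None, None  # no rule applied, so the route is discarded


# Constructed sample route map and routes.
ROUTE_MAP = [
    MapRule(10, "Deny", "Community", "65000:666"),
    MapRule(20, "Permit", "Community", "65000:100", "Local preference", "200"),
    MapRule(30, "Permit", "Community", "65000:200", "AS Path Prepend", "65000 65000"),
    MapRule(40, "Permit"),  # catch-all; it cannot change attributes
]
PREFERRED = {"prefix": "10.20.0.0/16", "communities": {"65000:100"}, "local_pref": 100, "as_path": [65010]}
BLOCKED = {"prefix": "10.30.0.0/16", "communities": {"65000:100", "65000:666"}, "local_pref": 100, "as_path": [65010]}
BACKUP = {"prefix": "10.40.0.0/16", "communities": {"65000:200"}, "local_pref": 100, "as_path": [65020]}
UNTAGGED = {"prefix": "10.50.0.0/16", "communities": set(), "local_pref": 100, "as_path": [65030]}

if __name__ == "__main__":
    for r in (PREFERRED, BLOCKED, BACKUP, UNTAGGED):
        print(r["prefix"], apply_route_map(ROUTE_MAP, r)[:2])
```

Removing the catch-all rule 40 from the sample makes the untagged route fall through to the implicit discard, which is the behaviour to check for before saving a route map that is meant to pass unmatched routes.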

Editing a route map

You can edit a route map on an individual CPE device or on all devices that use the CPE template. For a description of the settings, see the instructions for creating a route map.

To edit a route map on an individual CPE device:

  1. In the menu, go to the SD-WAN section.

    By default, the CPE subsection is displayed with a table of CPE devices.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Route maps tab.

    A table of route maps is displayed.

  4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
  5. Click Edit next to the route map.
  6. In the window that opens, edit the settings that you want to change.
  7. Click Save.
  8. In the upper part of the settings area, click Save to save the configuration of the CPE device.

To edit a route map on all devices that use the CPE template:

  1. In the menu, go to the SD-WAN → CPE templates subsection.

    A table of CPE templates is displayed.

  2. Click the CPE template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Route maps tab.

    A table of route maps is displayed.

  4. Click Edit next to the route map.
  5. In the window that opens, edit the settings that you want to change.
  6. Click Save.
  7. In the upper part of the settings area, click Save to save the configuration of the CPE template.

Deleting a route map

You can delete a route map on an individual CPE device or on all devices that use the CPE template. Deleted route maps cannot be restored.

To delete a route map on an individual CPE device:

  1. In the menu, go to the SD-WAN section.

    By default, the CPE subsection is displayed with a table of CPE devices.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Route maps tab.

    A table of route maps is displayed.

  4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
  5. Click Delete next to the route map.
  6. In the confirmation window, click Delete.

    The route map is deleted and is no longer displayed in the table.

  7. In the upper part of the settings area, click Save to save the configuration of the CPE device.

To delete a route map on all devices that use the CPE template:

  1. In the menu, go to the SD-WAN → CPE templates subsection.

    A table of CPE templates is displayed.

  2. Click the CPE template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Routing Filters → Route maps tab.

    A table of route maps is displayed.

  4. Click Delete next to the route map.
  5. In the confirmation window, click Delete.

    The route map is deleted and is no longer displayed in the table.

  6. In the upper part of the settings area, click Save to save the configuration of the CPE template.