Kaspersky SD-WAN

Filtering routes and traffic packets

You can use the following mechanisms for route filtering when working with the BGP and OSPF protocols, and for filtering traffic packets when working with the PIM protocol:

  • Access control lists (ACL) allow or deny the specified IPv4 prefixes.
  • Prefix lists are an extended version of access control lists. These additionally allow or block IPv4 prefixes in the specified prefix length range. You can use prefix lists in route maps.
  • Route maps are an extended version of prefix lists. Route maps additionally modify attribute values.

You can create rules in access control lists, prefix lists, and route maps. Each rule is numbered. The rule with the lowest sequence number is the first to be applied to an IPv4 prefix. If none of the rules can be applied, the IPv4 prefix is denied.

In this section

Managing access control lists (ACLs)

Managing prefix lists

Managing route maps


Managing access control lists (ACLs)

You can view the table of access control lists in a CPE template and on a CPE device:

  • To view the table of access control lists in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Access control lists tab.
  • To view the table of access control lists on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Routing filters → Access control lists tab.

Information about access control lists is displayed in the following columns of the table:

  • Name is the name of the access control list.
  • Inherited indicates whether the access control list is inherited from the CPE template:
    • Yes
    • No

    This column is displayed only on the CPE device.

  • Sequence is the sequence number of the rule in the access control list. The rule with the lowest sequence number is the first to be applied to the IPv4 prefix by the access control list.
  • Network is the IPv4 prefix to which the access control list applies the rule.
  • Action is the action that the rule performs on the IPv4 prefix:
    • Permit allows the IPv4 prefix.
    • Deny blocks the IPv4 prefix.
  • Management contains the actions that can be performed on the access control list.

In this section

Creating an access control list

Editing an access control list

Deleting an access control list


Creating an access control list

You can create an access control list in a CPE template or on a CPE device. An access control list created in the CPE template is automatically created on all CPE devices that use this CPE template.

To create an access control list:

  1. Create an access control list in one of the following ways:
    • If you want to create an access control list in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Access control lists tab.
    • If you want to create an access control list on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Routing filters → Access control lists tab, and select the Override check box.

    A table of access control lists is displayed.

  2. Click + Access control list.
  3. In the window that opens, in the Name field, enter the name of the access control list. The maximum length of the name is 50 characters. Do not use spaces in this field.
  4. Create a rule in the access control list:
    1. Click + Rule.
    2. In the Sequence field, enter the sequential number of the rule. The rule with the lowest sequence number is the first to be applied to the IPv4 prefix by the access control list. Range of values: 1 to 4,294,967,295.
    3. In the Network drop-down list, select the type of the rule:
      • Any network for a rule that allows or denies all IPv4 prefixes.
      • IP/mask for a rule that allows or denies the specified IPv4 prefix. This is the default setting. If you select this value, enter the IPv4 prefix in the field that is displayed.
    4. In the Action drop-down list, select the action that the rule performs with the IPv4 prefix:
      • Permit allows the IPv4 prefix. This is the default setting.
      • Deny blocks the IPv4 prefix.

    The rule is created. You can create multiple rules or delete rules. To delete a rule, click the delete icon next to it.

  5. Click Create.

    The access control list is created and displayed in the table.

  6. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

Editing an access control list

You can edit an access control list in a CPE template or on a CPE device. An access control list edited in the CPE template is automatically modified on all CPE devices that use this CPE template.

To edit an access control list:

  1. Edit an access control list in one of the following ways:
    • If you want to edit an access control list in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Access control lists tab.
    • If you want to edit an access control list on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Routing filters → Access control lists tab, and select the Override check box.

    A table of access control lists is displayed.

  2. Click Edit next to the access control list that you want to edit.
  3. In the window that opens, edit the settings of the access control list if necessary. For a description of the settings, see the instructions for creating an access control list.
  4. Click Save.

    The access control list is modified and updated in the table.

  5. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

Deleting an access control list

You can delete an access control list in a CPE template or on a CPE device. An access control list deleted in the CPE template is automatically deleted on all CPE devices that use this CPE template.

Deleted access control lists cannot be restored.

To delete an access control list:

  1. Delete an access control list in one of the following ways:
    • If you want to delete an access control list in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Access control lists tab.
    • If you want to delete an access control list on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Routing filters → Access control lists tab, and select the Override check box.

    A table of access control lists is displayed.

  2. Click Delete next to the access control list that you want to delete.
  3. In the confirmation window, click Delete.

    The access control list is deleted and is no longer displayed in the table.

  4. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

Managing prefix lists

The table of prefix lists is displayed in the CPE template and on the CPE device:

  • To display the table of prefix lists in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Prefix lists tab.
  • To display the table of prefix lists on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Routing filters → Prefix lists tab.

Information about prefix lists is displayed in the following columns of the table:

  • Name is the name of the prefix list.
  • Inherited indicates whether the prefix list is inherited from the CPE template:
    • Yes
    • No

    This column is displayed only on the CPE device.

  • Sequence is the sequence number of the rule in the prefix list. The rule with the lowest sequence number is the first to be applied to the IPv4 prefix by the prefix list.
  • Network is the IPv4 prefix to which the prefix list applies the rule.
  • Action is the action that the rule performs on the IPv4 prefix:
    • Permit allows the IPv4 prefix.
    • Deny blocks the IPv4 prefix.
  • Greater or equal is the starting value of the prefix length range to which the prefix list applies the rule.
  • Less or equal is the ending value of the prefix length range to which the prefix list applies the rule.
  • Management contains the actions that can be performed on the prefix list.

In this section

Creating a prefix list

Editing a prefix list

Deleting a prefix list


Creating a prefix list

You can create a prefix list in a CPE template or on a CPE device. A prefix list created in the CPE template is automatically created on all CPE devices that use this CPE template.

To create a prefix list:

  1. Create a prefix list in one of the following ways:
    • If you want to create a prefix list in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Prefix lists tab.
    • If you want to create a prefix list on a CPE device, go to the SD-WAN menu section, click the CPE device, select the Routing filters → Prefix lists tab, and select the Override check box.

    A table of prefix lists is displayed.

  2. Click + Prefix list.
  3. In the window that opens, in the Name field, enter the name of the prefix list. The maximum length of the name is 50 characters. Do not use spaces in this field.
  4. Create a rule in the prefix list:
    1. Click + Rule.
    2. In the Sequence field, enter the sequential number of the rule. The rule with the lowest sequence number is the first to be applied to the IPv4 prefix by the prefix list. Range of values: 1 to 4,294,967,295.
    3. In the Network drop-down list, select the type of the rule:
      • Any network for a rule that allows or denies all IPv4 prefixes.
      • IP/mask for a rule that allows or denies the specified IPv4 prefix. Default value. If you select this value, enter the IPv4 prefix in the field that is displayed.
    4. In the Action drop-down list, select the action that the rule performs with the IPv4 prefix:
      • Permit allows the IPv4 prefix. Default value.
      • Deny blocks the IPv4 prefix.
    5. In the Greater or equal field, enter the starting value of the prefix length range to which the prefix list applies the rule. Range of values: 0 to 32.
    6. In the Less or equal field, enter the ending value of the prefix length range to which the prefix list applies the rule. Range of values: 0 to 32.

    The rule is created. You can create multiple rules or delete a rule. To delete a rule, click the delete icon next to it.

  5. Click Create.

    The prefix list is created and displayed in the table.

  6. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

Editing a prefix list

You can edit a prefix list in a CPE template or on a CPE device. A prefix list edited in the CPE template is automatically modified on all CPE devices that use this CPE template.

To edit a prefix list:

  1. Edit a prefix list in one of the following ways:
    • If you want to edit a prefix list in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Prefix lists tab.
    • If you want to edit a prefix list on a CPE device, go to the SD-WAN menu section, click the CPE device, select the Routing filters → Prefix lists tab, and select the Override check box.

    A table of prefix lists is displayed.

  2. Click Edit next to the prefix list that you want to edit.
  3. In the window that opens, edit the settings of the prefix list if necessary. For a description of the settings, see the instructions for creating a prefix list.
  4. Click Save.

    The prefix list is modified and updated in the table.

  5. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

Deleting a prefix list

You can delete a prefix list in a CPE template or on a CPE device. A prefix list deleted in the CPE template is automatically deleted on all CPE devices that use this CPE template.

Deleted prefix lists cannot be restored.

To delete a prefix list:

  1. Delete a prefix list in one of the following ways:
    • If you want to delete a prefix list in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Prefix lists tab.
    • If you want to delete a prefix list on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Routing filters → Prefix lists tab, and select the Override check box.

    A table of prefix lists is displayed.

  2. Click Delete next to the prefix list that you want to delete.
  3. In the confirmation window, click Delete.

    The prefix list is deleted and is no longer displayed in the table.

  4. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

Managing route maps

The table of route maps is displayed in the CPE template and on the CPE device:

  • To display the table of route maps in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Route maps tab.
  • To display the table of route maps on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Routing filters → Route maps tab.

Information about route maps is displayed in the following columns of the table:

  • Name is the name of the route map.
  • Inherited indicates whether the route map is inherited from the CPE template:
    • Yes
    • No

    This column is displayed only on the CPE device.

  • Sequence is the sequence number of the rule in the route map. The rule with the lowest sequence number is the first to be applied to the IPv4 prefix by the route map.
  • Action is the action that the rule performs on the IPv4 prefix:
    • Permit allows the IPv4 prefix.
    • Deny blocks the IPv4 prefix.
  • Match type is the criterion that makes the route map apply the rule to the IPv4 prefix:
    • None applies the rule to all IPv4 prefixes.
    • Prefix-List applies the rule to IPv4 prefixes allowed by the specified prefix list.
  • Value is an IPv4 prefix that the prefix list must allow for the route map to apply the rule to the IPv4 prefix. This column displays a value only if the Match type column displays Prefix-List.
  • Change attribute is the attribute whose value the rule changes.
  • New value is the value that the rule sets for the attribute.
  • Management contains the actions that can be performed with the route map.

In this section

Creating a route map

Editing a route map

Deleting a route map


Creating a route map

You can create a route map in a CPE template or on a CPE device. A route map created in the CPE template is automatically created on all CPE devices that use this CPE template.

To create a route map:

  1. Create a route map in one of the following ways:
    • If you want to create a route map in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Route maps tab.
    • If you want to create a route map on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Routing filters → Route maps tab, and select the Override check box.

    A table of route maps is displayed.

  2. Click + Route map.
  3. In the window that opens, in the Name field, enter the name of the route map. The maximum length of the name is 50 characters. Do not use spaces in this field.
  4. Create a rule in the route map:
    1. Click + Rule.
    2. In the Sequence field, enter the sequential number of the rule. The rule with the lowest sequence number is the first to be applied to the IPv4 prefix by the route map. Range of values: 1 to 4,294,967,295.
    3. In the Action drop-down list, select the action that the rule performs on the IPv4 prefix:
      • Permit allows the IPv4 prefix. Default value.
      • Deny blocks the IPv4 prefix.
    4. In the Match type drop-down list, select the criterion that makes the route map apply the rule to the IPv4 prefix:
      • None applies the rule to all IPv4 prefixes. Default value.
      • Prefix-List applies the rule to IPv4 prefixes allowed by the specified prefix list. If you select this value, in the Prefix list drop-down list, select a created prefix list.
    5. If in the Match type drop-down list, you selected Prefix-List, in the Change attribute drop-down list, select the attribute that the rule modifies:
      • None if you do not want to modify attribute values. Default value.
      • IP next-hop if you want to change the value of the 'next hop' attribute to the specified IPv4 address. If you select this value, enter an IPv4 address in the New value field.
      • Local Preference if you want to change the value of the 'local preference' attribute to the specified value. If you select this value, in the New value field, enter a value for the 'local preference' attribute. Range of values: 0 to 4,294,967,295.
      • Metric if you want to change the value of the MED attribute to the specified value. If you select this value, in the New value field, enter a value for the MED attribute. Range of values: 0 to 4,294,967,295.
      • AS Path Prepend if you want to add the autonomous system number to the 'as path' attribute. If you select this value, enter the autonomous system number in the New value field. You may enter multiple numbers separated by spaces. Range of values: 0 to 4,294,967,295.

    The rule is created. You can create multiple rules or delete a rule. To delete a rule, click the delete icon next to it.

  5. Click Create.

    The route map is created and displayed in the table.

  6. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.
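
The following added example (not part of the Kaspersky documentation or product code) models how the prefix list and route map rules described above are evaluated: ascending sequence order, first applicable rule wins, and a prefix that no rule applies to is denied. The class and function names are hypothetical, the sample policy is constructed, and the handling of empty Greater or equal / Less or equal fields (exact prefix length only) is an assumption based on conventional prefix-list behavior.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PrefixRule:
    seq: int
    action: str                    # "permit" or "deny"
    network: Optional[str] = None  # None models the "Any network" rule type
    ge: Optional[int] = None       # "Greater or equal" field
    le: Optional[int] = None       # "Less or equal" field

    def matches(self, route) -> bool:
        if self.network is None:
            return True
        net = ipaddress.ip_network(self.network)
        if not route.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == net.prefixlen   # assumed: exact length only
        lo = net.prefixlen if self.ge is None else self.ge
        hi = 32 if self.le is None else self.le
        return lo <= route.prefixlen <= hi

def prefix_list_action(rules, route) -> str:
    """Lowest sequence number is tried first; no applicable rule means deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action
    return "deny"

@dataclass
class RouteMapRule:
    seq: int
    action: str
    prefix_list: Optional[list] = None            # None models Match type "None"
    set_attr: dict = field(default_factory=dict)  # "Change attribute" / "New value"

def apply_route_map(rules, prefix: str, attrs: dict):
    """Return (action, attributes) for one IPv4 prefix."""
    route = ipaddress.ip_network(prefix)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.prefix_list is None or prefix_list_action(rule.prefix_list, route) == "permit":
            if rule.action == "deny":
                return "deny", attrs
            return "permit", {**attrs, **rule.set_attr}
    return "deny", attrs

# Constructed sample policy: accept 10.0.0.0/8 routes up to /24, reject longer ones.
BRANCH_NETS = [
    PrefixRule(seq=10, action="deny", network="10.0.0.0/8", ge=25),
    PrefixRule(seq=20, action="permit", network="10.0.0.0/8", le=24),
]
ROUTE_MAP = [RouteMapRule(seq=10, action="permit", prefix_list=BRANCH_NETS,
                          set_attr={"local_preference": 200})]

if __name__ == "__main__":
    for p in ("10.1.0.0/16", "10.1.2.128/25", "192.0.2.0/24", "0.0.0.0/0"):
        print(p, apply_route_map(ROUTE_MAP, p, {"local_preference": 100}))
```

Only 10.1.0.0/16 is permitted and has its local preference changed; the /25, the unrelated prefix, and the default route all fall through to the implicit deny.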

Editing a route map

You can edit a route map in a CPE template or on a CPE device. A route map edited in the CPE template is automatically edited on all CPE devices that use this CPE template.

If you want the changes you make to a route map to be immediately applied to the BGP peers or BGP peer groups that use that route map, select the BFD or Soft-reconfiguration inbound check box when creating or editing the BGP peer or BGP peer group.

To edit a route map:

  1. Edit a route map in one of the following ways:
    • If you want to edit a route map in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and in the displayed settings area, select the Routing filters → Route maps tab.
    • If you want to edit a route map on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and in the displayed settings area, select the Routing filters → Route maps tab, and then select the Override check box.

    A table of route maps is displayed.

  2. Click Edit next to the route map that you want to edit.
  3. In the window that opens, edit the route map settings if necessary. For a description of the settings, see the instructions for creating a route map.
  4. Click Save.

    The route map is modified and updated in the table.

  5. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

See also

Creating a BGP peer

Editing a BGP peer

Creating a BGP peer group

Editing a BGP peer group


Deleting a route map

You can delete a route map in a CPE template or on a CPE device. A route map deleted in the CPE template is automatically deleted on all CPE devices that use this CPE template.

Deleted route maps cannot be restored.

To delete a route map:

  1. Delete a route map in one of the following ways:
    • If you want to delete a route map in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Routing filters → Route maps tab.
    • If you want to delete a route map on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Routing filters → Route maps tab, and select the Override check box.

    A table of route maps is displayed.

  2. Click Delete next to the route map that you want to delete.
  3. In the confirmation window, click Delete.

    The route map is deleted and is no longer displayed in the table.

  4. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.