summaryrefslogtreecommitdiff
path: root/docs/configuration/policy/access-list.rst
blob: 41c35986cb50a8d72a3f68625dfb6b5f300c60be (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
##################
Access List Policy
##################

Filtering is used for both input and output of the routing information. Once
filtering is defined, it can be applied in any direction. VyOS makes filtering
possible using acls and prefix lists.

Basic filtering can be done using access-list and access-list6.

*************
Configuration
*************

Access Lists
============

.. cfgcmd:: set policy access-list <acl_number>

   This command creates the new access list policy, where <acl_number> must be
   a number from 1 to 2699.

.. cfgcmd:: set policy access-list <acl_number> description <text>

   Set description for the access list.

.. cfgcmd:: set policy access-list <acl_number> rule <1-65535> action
   <permit|deny>

   This command creates a new rule in the access list and defines an action.

.. cfgcmd:: set policy access-list <acl_number> rule <1-65535>
   <destination|source> <any|host|inverse-mask|network>

   This command defines matching parameters for access list rule. Matching
   criteria could be applied to destinarion or source parameters:

   * any: any IP address to match.
   * host: single host IP address to match.
   * inverse-match: network/netmask to match (requires network be defined).
   * network: network/netmask to match (requires inverse-match be defined).

IPv6 Access List
================

Basic filtering could also be applied to IPv6 traffic.

.. cfgcmd:: set policy access-list6 <text>

   This command creates the new IPv6 access list, identified by <text>

.. cfgcmd:: set policy access-list6 <text> description <text>

   Set description for the IPv6 access list.

.. cfgcmd:: set policy access-list6 <text> rule <1-65535> action <permit|deny>

   This command creates a new rule in the IPv6 access list and defines an
   action.

.. cfgcmd:: set policy access-list6 <text> rule <1-65535> source
   <any|exact-match|network>

   This command defines matching parameters for IPv6 access list rule. Matching
   criteria could be applied to source parameters:

   * any: any IPv6 address to match.
   * exact-match: exact match of the network prefixes.
   * network: network/netmask to match (requires inverse-match be defined) BUG,
     NO invert-match option in access-list6


********
Examples
********

Examples would be uploaded soon.