Next-Generation Firewall
Configure a Filter Community List
Configure a filter community list to match on BGP community attributes of routes that
you want to control in the same way.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
Configure a filter community list to reference in a BGP route map so that you can match on BGP
community attributes of routes that you want to control in the same way. You can
also reference a community list in a BGP route map to remove communities from routes
that meet the match criteria, or to match BGP communities in routes that you want to
redistribute using a Redistribution route map.
A community list can have multiple rules; routes are evaluated against the rules in
sequential order. When a route matches a rule, the deny or permit action of that rule occurs
and the route isn’t evaluated against subsequent rules.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Routing > Profiles > Filters and select the Configuration Scope where you want to configure a community list. You can select a folder or firewall from your Folders, or select Snippets to configure a community list in a snippet.
- Add Filters Community List.
- Enter a Name for the community list. The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscores, or hyphens. No dot (.) or space is supported.
- Select the Type:
  - Regular—Add a Seq number (range is 1 to 65,535) and select the Action: Deny (default) or Permit. Add one or more community values, select one or more well-known communities, or enter a combination of values and well-known communities:
    - A regular community value in the format AA:NN, where AA is an AS number and NN is a network number (each with a range of 0 to 65,535).
    - accept-own—Represents well-known community value ACCEPT-OWN (0xFFFF0001).
    - blackhole—Represents well-known community value BLACKHOLE (0xFFFF029A). The neighboring network should discard traffic destined for the prefix.
    - graceful-shutdown—Represents well-known community value GRACEFUL_SHUTDOWN (0xFFFF0000).
    - internet—Represents well-known community value 0 (0x00). Advertise a prefix to all BGP neighbors.
    - local-as—Represents well-known community value NO_EXPORT_SUBCONFED (0xFFFFFF03). The effect is that the prefix isn’t advertised outside of the sub-AS in a confederation.
    - no-advertise—Represents well-known community value NO_ADVERTISE (0xFFFFFF02). Adding this community to a prefix means that the receiving BGP peer will place the prefix in its BGP route table, but won’t advertise the prefix to other neighbors.
    - no-export—Represents well-known community value NO_EXPORT (0xFFFFFF01). Adding this community to a prefix means that the receiving BGP peer will advertise the prefix only to iBGP neighbors, not to neighbors outside the AS.
    - no-peer—Represents well-known community value NOPEER (0xFFFFFF04).
    - route-filter-v4—Represents well-known community value ROUTE_FILTER_v4 (0xFFFF0003).
    - route-filter-v6—Represents well-known community value ROUTE_FILTER_v6 (0xFFFF0005).
  - Large—Add a Seq number (range is 1 to 65,535) and select the Action: Deny (default) or Permit. Add a large community regular expression (LC REGEX) entry. Characters allowed in an entry are 1234567890_^|[,{}()]$*+.?-\. Each community must be in the format regex1:regex2:regex3. Enter a maximum of eight communities in a Large entry (rule).
  - Extended—Add a Seq number (range is 1 to 65,535) and select the Action: Deny (default) or Permit. Add the BGP extended community regular expression (EC REGEX). Characters allowed are 1234567890_^|[,{}()]$*+.?-\. Each extended community must be in the format regex1:regex2; for example, 204*[3-8]:205*[4-8]. Enter a maximum of eight communities in an Extended entry (rule).
- Add your entries to the community list.
- Save.
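As an added example that is not part of this page or of PAN-OS, the following Python models the Regular community-list semantics described above (Seq ordering, first match wins, Deny as the default Action, AA:NN values and the well-known keywords) so you can sanity-check a rule set against sample route communities before committing it. It assumes a rule matches when every community it lists is present on the route, and returns None when no rule matches, since the page doesn't state that behavior.

```python
# Added example (not from the page or PAN-OS): evaluate a "Regular" filter
# community list with the rule semantics described above.
# Assumptions not stated on the page: a rule matches when every community it
# lists is present on the route, and a route matching no rule yields None.
from dataclasses import dataclass, field

# Well-known community keywords from the page and their 32-bit values.
WELL_KNOWN = {
    "accept-own": 0xFFFF0001, "blackhole": 0xFFFF029A,
    "graceful-shutdown": 0xFFFF0000, "internet": 0x00000000,
    "local-as": 0xFFFFFF03, "no-advertise": 0xFFFFFF02,
    "no-export": 0xFFFFFF01, "no-peer": 0xFFFFFF04,
    "route-filter-v4": 0xFFFF0003, "route-filter-v6": 0xFFFF0005,
}

def parse_community(text: str) -> int:
    """Turn 'AA:NN' (AS number:network number) or a keyword into a value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    asn, num = (int(part) for part in text.split(":"))
    if not (0 <= asn <= 65535 and 0 <= num <= 65535):
        raise ValueError(f"community out of range: {text}")
    return (asn << 16) | num

@dataclass(order=True)
class Rule:
    seq: int                          # 1 to 65,535; evaluated in ascending order
    action: str                       # "deny" (default) or "permit"
    communities: frozenset = field(compare=False)

def make_rule(seq: int, action: str = "deny", *values: str) -> Rule:
    """Build a rule from a Seq number, Action, and one or more communities."""
    if not 1 <= seq <= 65535 or action not in ("deny", "permit"):
        raise ValueError("Seq must be 1-65535 and Action deny or permit")
    return Rule(seq, action, frozenset(parse_community(v) for v in values))

def evaluate(rules, route_communities):
    """Return 'permit', 'deny', or None (no rule matched) for one route."""
    present = {parse_community(c) for c in route_communities}
    for rule in sorted(rules):             # rules are tried in Seq order
        if rule.communities <= present:    # every listed community present
            return rule.action             # first match ends evaluation
    return None
```

A deny rule with a low Seq number (for example, matching blackhole) takes effect even when a later permit rule would also match, which is the ordering the procedure above describes.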