Configure Standard Community List

Before you begin

  • Ensure that the community list name begins with a letter followed by one or more alphanumeric characters.
  • Ensure that the community list rule is inside single or double quotes.
  • If the community list is not associated with a device, the created community rules are stored in the EFA DB only. If the community list is already associated with a device, the created rules are stored in the DB and are also pushed to the devices.

Procedure

  1. Run the following command to create a standard community list.
    efa policy community-list create [flags]
     
    Flags:
          --name string        Name of the community list.
          --type string        Type of the community list. Valid options are standard, extended
          --rule stringArray   Rule in format seq[seq-num],action[permit/deny],std-value[<1-4294967295>|<AA:NN, AA & NN is 2 bytes>|internet|local-as|no-export|no-advertise] (or) ext-value[regular expression]. 
      
    Example: "seq[5],action[permit],std-value[6550:125;local-as;internet]" (or) "seq[4],action[deny],ext-value[^65000:.*_]"
    
    Example:
    efa policy community-list create --name comm1 --type standard --rule "seq[5],action[permit],std-value[100;11:22;local-as;no-export]"
    
    +-----------+-----+--------+--------------------+-------+
    | Community | Seq | Action |     Std Value      | Ext   |
    | List Name | num |        |                    | Value |
    +-----------+-----+--------+--------------------+-------+
    | comm-prye | 55  | permit | 100 11:22          |       |
    |           |     |        | local-as no-export |       |
    +-----------+-----+--------+--------------------+-------+
    Community List details
    +------------+--------+--------+-----------------+
    | IP Address | Result | Reason | Rollback reason |
    +------------+--------+--------+-----------------+
    Device Results
    
    efa policy community-list create --name stdext1 --type extended --rule "seq[5],action[permit],ext-value[_2000_]"
    
    +---------------------+---------+--------+-----------+-----------+
    | Community List Name | Seq num | Action | Std Value | Ext Value |
    +---------------------+---------+--------+-----------+-----------+
    | stdext1             | 5       | permit |           | _2000_    |
    +---------------------+---------+--------+-----------+-----------+
    Community List details
    +------------+--------+--------+-----------------+
    | IP Address | Result | Reason | Rollback reason |
    +------------+--------+--------+-----------------+
    Device Results
    
  2. Run the following command to update a community list.
    efa policy community-list update [flags]
     
    Flags:
          --name string        Name of the community list.
          --type string        Type of the community list. Valid options are standard, extended
          --rule string        Rule in format seq[seq-num],action[permit/deny],std-value[<1-4294967295>|<AA:NN, AA & NN is 2 bytes>|internet|local-as|no-export|no-advertise] (or) ext-value[regular expression]. Example: seq[5],action[permit],std-value[6550:125;local-as;internet] (or) seq[4],action[deny],ext-value[^65000:.*_]
          --operation string   Valid options are update-rule, add-device, remove-device
          --ip string          Comma separated range of device IP addresses. Example: "1.1.1.1-3","1.1.1.2","2.2.2.2"
    Example:
    • Add Device
      efa policy community-list update --name stdext1 --type extended --operation add-device --ip 10.20.246.29-30
      +---------------------+---------+--------+-----------+-----------+
      | Community List Name | Seq num | Action | Std Value | Ext Value |
      +---------------------+---------+--------+-----------+-----------+
      | stdext1             | 4       | deny   |           | _1000_    |
      +---------------------+---------+--------+-----------+-----------+
      | stdext1             | 5       | permit |           | _2000_    |
      +---------------------+---------+--------+-----------+-----------+
      | stdext1             | 7       | deny   |           | _3000_    |
      +---------------------+---------+--------+-----------+-----------+
      Community List details
      +--------------+---------+--------+-----------------+
      |  IP Address  | Result  | Reason | Rollback reason |
      +--------------+---------+--------+-----------------+
      | 10.20.246.29 | Success |        |                 |
      +--------------+---------+--------+-----------------+
      | 10.20.246.30 | Success |        |                 |
      +--------------+---------+--------+-----------------+
      Device Results
      
      show running-config ip community-list
      ip community-list extended stdext1 seq 4 deny _1000_
      ip community-list extended stdext1 seq 5 permit _2000_
      ip community-list extended stdext1 seq 7 deny _3000_
      Verify the switch configuration on SLX devices.
      SLX# show running-config ip community-list
      ip community-list standard comm1 seq 5 permit 0:100 11:22 local-as no-export
      ip community-list extended commExt1 seq 3 permit _30000_
    • Delete Device
      efa policy community-list update --name comm1 --type standard --operation remove-device --ip 10.20.63.140-141
      +---------------------+---------+--------+-----------+-----------+
      | Community List Name | Seq num | Action | Std Value | Ext Value |
      +---------------------+---------+--------+-----------+-----------+
      | comm1               | 3       | permit | 65:12     |           |
      +---------------------+---------+--------+-----------+-----------+
      Community List details
      +--------------+---------+--------+-----------------+
      |  IP Address  | Result  | Reason | Rollback reason |
      +--------------+---------+--------+-----------------+
      | 10.20.63.140 | Success |        |                 |
      +--------------+---------+--------+-----------------+
      | 10.20.63.141 | Success |        |                 |
      +--------------+---------+--------+-----------------+
      Device Results
    • Update rule
      efa policy community-list update --name commExt1 --type extended --operation update-rule --rule "seq[1],action[permit],ext-value[_30000_]"
      +---------------------+---------+--------+
      | Community List Name | Seq num | Action |
      +---------------------+---------+--------+
      | commExt1            | 1       | permit |
      +---------------------+---------+--------+
      Community List details
      +---------------+----------+---------------------------------------+----------+
      |  IP Address   |  Result  |                 Reason                | Rollback |
      |               |          |                                       | reason   |
      +---------------+----------+---------------------------------------+----------+
      | 10.139.44.159 | Success  |                                       |          |
      +---------------+----------+---------------------------------------+----------+
      | 10.139.44.163 | Success  |                                       |          |
      +---------------+----------+---------------------------------------+----------+
      Device Results
      
      On 10.139.44.159:
      show running-config ip community-list
      ip community-list extended commExt1 seq 30 action permit _30000_
      
      efa policy community-list update --name comm1 --type standard --operation update-rule --rule "seq[5],action[permit],std-value[100;no-advertise]"
      
      +---------------+---------+--------------------------------------------+----------+
      |  IP Address   |  Result |                   Reason                   | Rollback |
      |               |         |                                            | reason   |
      +---------------+---------+--------------------------------------------+----------+
      | 10.139.44.159 | Failed  | Failed to create community list for        |          |
      |               |         | comm1 on the device 10.139.44.159.         |          |
      |               |         | Reason: For seq 5: netconf rpc [error]     |          |
      |               |         | '%Error: Same filter is already configured |          |
      |               |         | with sequencenumber 30.'                   |          |
      +---------------+---------+--------------------------------------------+----------+
      | 10.139.44.163 | Rollback|                                            |          |
      +---------------+---------+--------------------------------------------+----------+
      Device Results
      On 10.139.44.159:
      show running-config ip community-list
      ip community-list standard comm1 seq 30 action permit 100 no-advertise
  3. Run the following command to delete a community list.
     efa policy community-list delete [flags]
     
    Flags:
          --name string   Name of the community list.
          --type string   Type of the community list. Valid options are standard, extended.
          --seq string    Sequence numbers. For example 5,10,20 or all
    • The CLI deletes the standard community list rules on all devices for the name, type, and sequence number provided and then deletes the community list rules from EFA.
    • Pre-validation is done for the seq IDs provided, or for all seq IDs in the case of 'all'. If any out-of-band seq ID is provided in the request (or 'all' is specified and any out-of-band seq ID exists), the operation fails with an error without removing the configuration from the device or the EFA DB.
    • You must either provide only EFA managed seq IDs in the CLI or REST request or remove the out-of-band seq IDs from device and execute the CLI or REST request again.
    Example:
    efa policy community-list delete --name commExt1 --seq all --type standard
    +---------------------+---------+--------+
    | Community List Name | Seq num | Action |
    +---------------------+---------+--------+
    | commExt1            | 1       | permit |
    +---------------------+---------+--------+
    | commExt1            | 2       | permit |
    +---------------------+---------+--------+
    | commExt1            | 3       | permit |
    +---------------------+---------+--------+
    Community List details
    +---------------+---------+--------------+----------+
    | IP Address    | Result  |    Reason    | Rollback |
    |               |         |              | reason   |
    +---------------+---------+--------------+----------+
    | 10.139.44.159 | Success |              |          |
    +---------------+---------+--------------+----------+
    | 10.139.44.163 | Success |              |          |
    +---------------+---------+--------------+----------+
    Device Results
  4. Run the following command to show a community list.
    efa policy community-list list [flags]
     
    Flags:
          --ip string     Comma separated range of device IP addresses. Example: 1.1.1.1-3,1.1.1.2,2.2.2.2
          --name string   Name of the community list.
          --type string   Type of the community list. Valid options are standard, extended
    Example:
    efa policy community-list list
    
    Community list details:
     
    Name: clist1
    Seq: 5
    Action: deny
    StdValue: 50:125 internet local-as no-advertise
    ExtValue:
     
    Name: clist1
    Seq: 15
    Action: deny
    StdValue: 50:125 local-as
    ExtValue:
    
    Name: clist2
    Seq: 1
    Action: permit
    StdValue:
    ExtValue: _2000_
    
    efa policy community-list list --type standard --ip 10.20.246.29-30
     
    Community list details:
     
    Name: clist1
    Seq: 5
    Action: deny
    StdValue: 50:125 internet local-as no-advertise
    ExtValue:
     
    Name: clist1
    Seq: 15
    Action: deny
    StdValue: 50:125 local-as
    ExtValue:
     
    IP Addresses:
    +--------+-----+--------------+-------------+
    |  Name  | Seq |  IP Address  |  App State  |
    +--------+-----+--------------+-------------+
    | clist1 | 5   | 10.20.246.29 | cfg-in-sync |
    +--------+-----+--------------+-------------+
    | clist1 | 5   | 10.20.246.30 | cfg-in-sync |
    +--------+-----+--------------+-------------+
    | clist1 | 15  | 10.20.246.29 | cfg-in-sync |
    +--------+-----+--------------+-------------+
    | clist1 | 15  | 10.20.246.30 | cfg-in-sync |
    +--------+-----+--------------+-------------+
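
A pre-check for the delete pre-validation described in step 3, as an added example (not part of the EFA documentation or tooling): it compares `show running-config ip community-list` output with `efa policy community-list list` output and reports seq IDs that exist only on the device. It assumes "out-of-band" means configured on the device but not listed by EFA; the function names and the sample data are constructed for illustration.

```python
import re

# Device line format as printed on this page; the "action" keyword shows up in
# some of the page's sample output, so it is treated as optional here.
CFG_RE = re.compile(r"^ip community-list (standard|extended) (\S+) seq (\d+) "
                    r"(?:action )?(permit|deny) (.+)$")

def parse_device_config(text):
    """Map (name, seq) -> (type, action, value) from the device running-config."""
    rules = {}
    for line in text.splitlines():
        m = CFG_RE.match(line.strip())
        if m:
            ctype, name, seq, action, value = m.groups()
            rules[(name, int(seq))] = (ctype, action, value.strip())
    return rules

def parse_efa_list(text):
    """Set of (name, seq) taken from the Name:/Seq: records of the EFA list output."""
    managed, name = set(), None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if key == "Name":
            name = val.strip()
        elif key == "Seq" and name and val.strip().isdigit():
            managed.add((name, int(val)))
    return managed

def out_of_band(device_rules, managed, name):
    """Seq IDs configured on the device for `name` that EFA does not manage."""
    return sorted(s for (n, s) in device_rules if n == name and (n, s) not in managed)

def delete_seq_arg(device_rules, managed, name):
    """Value for --seq: 'all' only if nothing is out-of-band, else the managed IDs."""
    if not out_of_band(device_rules, managed, name):
        return "all"
    return ",".join(str(s) for (n, s) in sorted(managed) if n == name)

# Constructed sample data (not captured from a real device or EFA instance).
DEVICE_CFG = ("ip community-list standard clist1 seq 5 deny 50:125 internet\n"
              "ip community-list standard clist1 seq 15 deny 50:125 local-as\n"
              "ip community-list standard clist1 seq 40 permit 65:12\n"
              "ip community-list extended clist2 seq 1 permit _2000_\n")
EFA_LIST = ("Name: clist1\nSeq: 5\nAction: deny\nStdValue: 50:125 internet\nExtValue:\n\n"
            "Name: clist1\nSeq: 15\nAction: deny\nStdValue: 50:125 local-as\nExtValue:\n\n"
            "Name: clist2\nSeq: 1\nAction: permit\nStdValue:\nExtValue: _2000_\n")

if __name__ == "__main__":
    dev, efa = parse_device_config(DEVICE_CFG), parse_efa_list(EFA_LIST)
    for name in ("clist1", "clist2"):
        print(name, out_of_band(dev, efa, name), delete_seq_arg(dev, efa, name))
```

A non-empty out-of-band list also indicates that the device's community filters were changed outside EFA, which is worth reviewing before removing or re-pushing anything.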