Prefix lists were introduced specifically for route/prefix filtering. They allow matching a range of prefixes within an address block, which is not easy to implement with an IP extended ACL, and not all routing protocols support this use of IP extended ACLs.
Example:
ip prefix-list EXAMPLE permit 10.100.0.0/16 ge 20 le 24
This means that all prefixes within 10.100.0.0/16 with a prefix length between /20 and /24 are accepted:
10.100.20.0/24 is a match
10.100.21.128/25 is not a match
10.100.0.0/23 is a match
The most notable and important difference is that a prefix list allows you to filter networks based on their subnet mask. ACLs used in a distribute list filter networks only by network address and do not match on the subnet mask; in other words, for an ACL used in a distribute list, the networks 192.168.10.0/24 and 192.168.10.0/28 are indistinguishable. Moreover, a prefix list also allows you to specify networks in a much more natural format than an ACL.
Example #1: How to permit all prefixes.
Example #2: How to block the prefix 11.0.0.0/24.
Example #3: Permit only the default route
ip prefix-list DEFAULTE-ROUTE permit 0.0.0.0/0
Example #4: Permit all prefixes in 11.0.0.0/16 with a subnet mask less than or equal to /30.
Example #5: Permit all prefixes in 192.168.0.0/24 with a subnet mask between 26 and 30 bits.
ip prefix-list TEST permit 192.168.0.0/24 ge 26 le 30
So, if you have these networks:
192.168.0.0/30
192.168.0.0/16
192.168.0.0/8
Only 192.168.0.0/30 matches. 192.168.0.0/16 and 192.168.0.0/8 do not match because their subnet masks are shorter than /26, and a network outside 192.168.0.0/24 would not match either, whatever its mask, because the network portion differs.
Example #6: Deny all loopback (host, /32) networks
ip prefix-list Test deny 0.0.0.0/0 ge 32 le 32
ip prefix-list Test permit 0.0.0.0/0 le 32
The first line blocks every network with a /32 subnet mask, while the second line permits everything else.
Applications
Assume that there are routes 10.1.1.0/24, 10.1.1.0/26, 10.1.1.1/32, 10.2.2.0/24, and 10.1.0.0/16. How can an IP prefix list be used to filter these routes so as to meet the following requirements?
Permit only one route, for example, permit only the route 10.1.1.0/24.
Permit only the routes with the same network ID but different masks and deny other routes. For example, permit only three routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32.
Deny only one route and permit the other routes, for example, deny only the route 10.1.1.0/24.
Find the answers in the following examples:
Example 1: Single-node exact match
ip ip-prefix test index 10 permit 10.1.1.0 24
Matching result: Only the route 10.1.1.0/24 is permitted, and other routes are denied.
Only the route with the specified network ID and mask is permitted.
Examples 2 through 4: Match against the specified mask range
Example 2
ip ip-prefix test index 10 permit 10.1.1.0 24 less-equal 32
Matching result: Only the routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 24-32 are permitted.
Example 3
ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26
Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted.
Example 4
ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26 less-equal 32
Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted. The matching result is the same as that of Example 3.
Examples 5 and 6: Match against the wildcard address (0.0.0.0)
The wildcard address 0.0.0.0 indicates that the network ID is not specified and only the mask range needs to be matched. Table 3-2 lists special wildcard addresses.
Table 3-2: Special wildcard addresses
Special wildcard address      | Description
0.0.0.0 0                     | Matches only the default route.
0.0.0.0 0 less-equal 32       | Matches all routes.
0.0.0.0 0 greater-equal 32    | Matches all host routes (/32).
An IP prefix list uses deny as its default matching rule. After one or more deny entries are created, an entry permit 0.0.0.0 0 less-equal 32 must be added to permit the other routes.
Example 5
ip ip-prefix test index 10 permit 0.0.0.0 8 less-equal 32
Matching result: All five routes are permitted.
All routes with a mask length of 8 to 32 are permitted; the wildcard address 0.0.0.0 means the network ID is not checked.
Example 6
ip ip-prefix test index 10 deny 10.1.1.0 24
ip ip-prefix test index 20 permit 0.0.0.0 0 less-equal 32
Matching result: Only the route 10.1.1.0/24 is denied, and other routes are permitted.
The route 10.1.1.0/24 matches the entry with index number 10 in the IP prefix list "test", but the matching mode is deny, so this route is denied. The entry with index number 20, permit 0.0.0.0 0 less-equal 32, indicates that all routes are permitted. Therefore, the routes that do not match the entry with index number 10 match the entry with index number 20 and are all permitted.
An IP prefix list can filter routes as required. To control routes, for example, control receiving, advertisement, and import of routes, you need to invoke an IP prefix list in a filter-policy or route-policy. The following describes how to use a filter-policy to filter routes.
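To make the matching rules above concrete, the following Python script is an added example (not vendor code and not part of the original post). It parses both the Cisco `ip prefix-list ... ge/le` form and the Huawei `ip ip-prefix ... greater-equal/less-equal` form, orders the entries by sequence number, and evaluates routes first match wins with an implicit deny at the end. The names `IOS_RE`, `HUAWEI_RE`, `Entry`, `parse_prefix_list`, `evaluate` and `permitted` are my own; the five routes used in the `__main__` block are the ones from the Applications section, and the treatment of 0.0.0.0 as a wildcard that skips the network comparison follows the behaviour the page states for Examples 5 and 6.

```python
"""Prefix-list evaluator modelling the matching rules described above.

Added example, not vendor code. Two syntaxes are accepted:

  Cisco IOS:  ip prefix-list NAME [seq N] permit|deny A.B.C.D/LEN [ge G] [le L]
  Huawei:     ip ip-prefix NAME [index N] permit|deny A.B.C.D LEN
                  [greater-equal G] [less-equal L]

Rules modelled: entries are tried in sequence order, the first match wins,
and a route that matches nothing is denied (implicit deny). An entry matches
when the route's mask length lies in [G, L] and the route's first LEN bits
equal the entry's network. With neither ge nor le the range is exactly LEN;
with only ge it is [G, 32]; with only le it is [LEN, L]. In the Huawei form
the address 0.0.0.0 is a wildcard: only the mask range is compared.
"""
import ipaddress
import re
from dataclasses import dataclass

IOS_RE = re.compile(
    r"^ip prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$")
HUAWEI_RE = re.compile(
    r"^ip ip-prefix (\S+)(?: index (\d+))? (permit|deny) (\S+) (\d+)"
    r"(?: greater-equal (\d+))?(?: less-equal (\d+))?$")


@dataclass
class Entry:
    seq: int
    action: str       # "permit" or "deny"
    network: int      # entry's network address as a 32-bit integer
    length: int       # prefix length of the entry itself (LEN)
    lo: int           # smallest route mask length accepted
    hi: int           # largest route mask length accepted
    wildcard: bool    # Huawei 0.0.0.0: skip the network comparison

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not self.lo <= route.prefixlen <= self.hi:
            return False
        if self.wildcard:
            return True
        # Compare only the first `length` bits of both addresses.
        mask = (0xFFFFFFFF << (32 - self.length)) & 0xFFFFFFFF
        return (int(route.network_address) & mask) == (self.network & mask)


def parse_prefix_list(text: str) -> list[Entry]:
    """Parse the lines of one prefix list (either syntax) into ordered entries."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := IOS_RE.match(line):
            _name, seq, action, prefix, ge, le = m.groups()
            net = ipaddress.ip_network(prefix, strict=False)
            network, length = int(net.network_address), net.prefixlen
            wildcard = False
        elif m := HUAWEI_RE.match(line):
            _name, seq, action, addr, length, ge, le = m.groups()
            network, length = int(ipaddress.IPv4Address(addr)), int(length)
            wildcard = network == 0   # page: 0.0.0.0 means network ID unspecified
        else:
            raise ValueError(f"unrecognised prefix-list line: {line!r}")
        lo = int(ge) if ge else length
        hi = int(le) if le else (32 if ge else length)
        if not length <= lo <= hi <= 32:
            raise ValueError(f"invalid mask range in: {line!r}")
        # Auto-number entries without an explicit seq/index, as the CLIs do.
        seq = int(seq) if seq else (entries[-1].seq + 10 if entries else 10)
        entries.append(Entry(seq, action, network, length, lo, hi, wildcard))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: list[Entry], route: str) -> str:
    """Return 'permit' or 'deny' for one route: first match wins, implicit deny."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


def permitted(text: str, routes: list[str]) -> list[str]:
    """The routes from `routes` that the prefix list in `text` permits, in order."""
    entries = parse_prefix_list(text)
    return [r for r in routes if evaluate(entries, r) == "permit"]


if __name__ == "__main__":
    # The five routes from the Applications section of the page.
    routes = ["10.1.1.0/24", "10.1.1.0/26", "10.1.1.1/32", "10.2.2.0/24", "10.1.0.0/16"]
    example6 = ("ip ip-prefix test index 10 deny 10.1.1.0 24\n"
                "ip ip-prefix test index 20 permit 0.0.0.0 0 less-equal 32")
    print(permitted(example6, routes))
    # -> ['10.1.1.0/26', '10.1.1.1/32', '10.2.2.0/24', '10.1.0.0/16']
```

Feeding each of the page's entries to `permitted()` with the routes the page lists reproduces the stated matching results, which is a quick way to check a prefix list before applying it in a distribute list, filter-policy or route-policy. Note that `ip_network(..., strict=False)` normalises routes such as 10.1.1.1/24 to their network address; the entry itself is compared on only its first LEN bits, so `128.0.0.0/2 ge 17` covers the whole class B space as the Summary describes.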
Summary
#Match only host routes (/32).
ip prefix-list Test permit 0.0.0.0/0 ge 32
#Any subnet in the class B address space.
</ggr_replace>
<gr_replace lines="72" cat="clarify" orig="#All Routes.">
#All routes.
ip prefix-list Test permit 128.0.0.0/2 ge 17
#All Routes.
ip prefix-list Test permit 0.0.0.0/0 le 32
#Match only the default route.
ip prefix-list Test permit 0.0.0.0/0
#Any prefix in the class A address space covering at least 256 addresses (/24 or shorter).
ip prefix-list Test permit 0.0.0.0/1 le 24