Prefix-lists are quite useful...
I believe Enke Chen (or was it Sourav Seal) wrote this up:
[snip]
Defects addressed in this image:
--------------------------------
CSCdj61356: Prefix-list - facility for efficient route filtering
--------
Using Prefix-list in Route Filtering
--------------------------------------
1. Introduction
The prefix-list is implemented for the purpose of efficient route
filtering. Compared with using the (extended) access-list in route
filtering, there are several advantages to using the prefix-list:
- Significant performance improvement in loading and route lookup of
large lists.
- Support for incremental updates.
- More user-friendly command line interface.
Several key features with the access-list are preserved in prefix-list:
- Configuration of either "permit" or "deny".
- Order dependency - first match wins.
- Filtering on prefix length - both exact match and range match.
However, non-contiguous masks are not supported in the prefix-list.
2. CLI for Prefix-list
Command:
no ip prefix-list <list-name>
This command can be used to delete a prefix-list.
Command:
[no] ip prefix-list <list-name> [seq <seq-value>] deny|permit \
<network>/<len> [ge <ge-value>] [le <le-value>]
This command can be used to configure or delete an entry of a prefix-list.
Command Attributes:
<list-name>: A string identifier of a prefix-list.
seq <seq-value>: Optional. It can be used to specify the sequence number
of an entry of a prefix list.
By default, the entries of a prefix list would have sequence values
of 5, 10, 15 and so on. In the absence of a specified sequence value,
the entry would be assigned with a sequence number of (Current_Max
+ 5).
If a given prefix matches multiple entries of a prefix list, the one
with the smallest sequence number is considered as the match.
deny|permit: An action taken once a match is found.
<network>/<len>: The prefix and its length. Multiple policies (exact match
or range match) with different sequence numbers can be configured
for the same <network>/<len>.
ge <ge-value>: "greater than or equal to"
le <le-value>: "less than or equal to".
Both "ge" and "le" are optional. They can be used to specify the range
of the prefix length to be matched for prefixes that are more specific
than <network>/<len>.
Value range: len < ge-value < le-value <= 32
Exact match is assumed when neither "ge" nor "le" is specified.
The range is assumed to be from "ge-value" to 32 if only the "ge"
attribute is specified. And the range is assumed to be from "len" to
"le-value" if only the "le" attribute is specified.
Remarks:
- As usual, an implicit deny is assumed if a given prefix does not
match any entries of a prefix-list.
- To speed up insertion, the maximum and minimum sequence numbers are not
re-calculated after deletion of entries.
3. Configuration Examples
3.1 Exact match
ip prefix-list aaa deny 0.0.0.0/0
ip prefix-list aaa permit 35.0.0.0/8
3.2 Prefix Length match
- in 192/8, accept up to /24
ip prefix-list aaa permit 192.0.0.0/8 le 24
- in 192/8, deny /25+
ip prefix-list aaa deny 192.0.0.0/8 ge 25
- in all address space, permit /8 - /24
ip prefix-list aaa permit 0.0.0.0/0 ge 8 le 24
- in all address space, deny /25+
ip prefix-list aaa deny 0.0.0.0/0 ge 25
- in 10/8, deny all
ip prefix-list aaa deny 10.0.0.0/8 le 32
- in 204.70.1/24, deny /25+
ip prefix-list aaa deny 204.70.1.0/24 ge 25
- permit all
ip prefix-list aaa permit 0.0.0.0/0 le 32
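The matching rules of section 2 (sequence numbers assigned as Current_Max + 5, smallest matching sequence wins, ge/le length ranges with their defaults, implicit deny, and the maximum sequence number not being recalculated after a "no" deletion) carried out in code, as an added example that is not part of the original write-up or of the IOS implementation. The parser, the PrefixList class and the three-entry list in example_list() are constructed here for illustration.

```python
import ipaddress
import re

# Constructed parser for the "ip prefix-list" entry syntax from section 2.
ENTRY_RE = re.compile(r"(no )?ip prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)"
                      r"(?: ge (\d+))?(?: le (\d+))?$")

class PrefixList:
    """Entries keyed by sequence number; smallest matching seq wins; implicit deny."""
    def __init__(self):
        self.entries = {}   # seq -> (action, network, min_len, max_len)
        self.max_seq = 0    # never recalculated after a deletion, as the notes say

    def config(self, line):
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable entry: " + line)
        negate, _, seq, action, net, ge, le = m.groups()
        network = ipaddress.ip_network(net, strict=False)
        length = network.prefixlen
        # Neither ge nor le: exact match.  ge only: [ge, 32].  le only: [len, le].
        lo = int(ge) if ge else length
        hi = int(le) if le else (32 if ge else length)
        if not length <= lo <= hi <= 32:
            raise ValueError("length range out of order: " + line)
        entry = (action, network, lo, hi)
        if negate:   # "no ..." removes the entry, by seq if given, else by value
            for s, e in list(self.entries.items()):
                if (seq and s == int(seq)) or (not seq and e == entry):
                    del self.entries[s]
            return
        seq = int(seq) if seq else self.max_seq + 5
        self.entries[seq] = entry
        self.max_seq = max(self.max_seq, seq)

    def first_match(self, prefix):
        """Return (seq, action); (None, 'deny') is the implicit deny."""
        p = ipaddress.ip_network(prefix, strict=False)
        for seq in sorted(self.entries):
            action, network, lo, hi = self.entries[seq]
            if p.subnet_of(network) and lo <= p.prefixlen <= hi:
                return seq, action
        return None, "deny"

def example_list():
    """Constructed list: drop anything longer than /24 and all of 10/8, then allow /8-/24."""
    pl = PrefixList()
    for line in ("ip prefix-list aaa deny 0.0.0.0/0 ge 25",
                 "ip prefix-list aaa deny 10.0.0.0/8 le 32",
                 "ip prefix-list aaa permit 0.0.0.0/0 ge 8 le 24"):
        pl.config(line)
    return pl
```

Calling example_list().first_match("10.1.1.0/25") returns the seq 5 deny rather than the seq 10 one, which is the "smallest sequence number wins" rule in action; deleting the permit entry and adding another afterwards gives it seq 20, not 15.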
3.3 Incremental Updates
As opposed to the normal access-list, where one "no" command will erase the
whole access-list, a prefix-list can be modified incrementally. For
example, to change a prefix-list from A to B, only the difference between
B and A needs to be deployed to the router.
From A:
ip prefix-list aaa deny 0.0.0.0/0 le 7
ip prefix-list aaa deny 0.0.0.0/0 ge 25
ip prefix-list aaa permit 35.0.0.0/8
ip prefix-list aaa permit 204.70.0.0/15
To B:
ip prefix-list aaa deny 0.0.0.0/0 le 7
ip prefix-list aaa deny 0.0.0.0/0 ge 25
ip prefix-list aaa permit 35.0.0.0/8
ip prefix-list aaa permit 198.0.0.0/8
by deploying the difference:
no ip prefix-list aaa permit 204.70.0.0/15
ip prefix-list aaa permit 198.0.0.0/8
4. Show and Clear Commands
show ip prefix-list [detail|summary]
---> Displays information of all prefix-lists.
show ip prefix-list [detail|summary] [<name>]
---> Displays information of a prefix-list.
show ip prefix-list <name> [seq <seq-num>]
---> Displays the prefix-list entry with the given sequence number
show ip prefix-list <name> <network>/<len>
---> displays the policy associated with the node <network>/<len>
show ip prefix-list <name> <network>/<len> longer
---> displays all entries of a prefix list that are more specific
than the given <network>/<len>
show ip prefix-list <name> <network>/<len> first-match
---> displays the entry of a prefix list that matches the given
<network>/<len>
clear ip prefix-list [<name>] [<network>/<len>]
---> resets the "hit count" of prefix-list entries
5. Using Prefix-list with BGP
The prefix-list can be used as an alternative to the BGP
"neighbor x.x.x.x distribute-list" command. Prefix-list and
distribute-list configuration for a BGP peer are mutually
exclusive.
Configuration Command:
router bgp xxx
neighbor x.x.x.x prefix-list <name> in|out
Also, a prefix-list can be used in a peer-group configuration.
Implicit deny is assumed if a specified prefix-list has not been
configured.
6. Using Prefix-list in Route-map
The prefix-list can be used as an alternative to the access-lists used in
the command "match ip address|next-hop|route-source <access-list>"
of a route-map. Prefix-lists and access-lists are mutually exclusive
within the same sequence of a route-map.
Configuration Command:
route-map <name> permit|deny <seq-num>
match ip address|next-hop|route-source prefix-list <name> [<name> ...]
Besides its application in BGP, route-maps using prefix-lists can be used
for route filtering, default-origination, and redistribution in other
routing protocols as well.
However, prefix-lists, whether used directly or in route-maps, do not
support packet filtering.
7. Using Prefix-list in Other Routing Protocols and Redistribution
The prefix-list can be used to filter inbound and outbound routing
updates, as well as to control route redistribution between different
routing protocols.
Compared with using the access-list, prefix-list based filtering offers
the ability of prefix length filtering. It also has the flexibility of
filtering either the prefix, or the gateway, or both for incoming updates.
As usual, access-list and prefix-list are mutually exclusive in one
"distribute-list" command.
7.1 Filtering on inbound updates
Inbound updates can be filtered on the prefix, on the gateway, or on
both prefix and gateway:
router rip | igrp | eigrp
distribute-list {prefix <name1>} | {gateway <name2>} |
{prefix <name1> gateway <name2>} in [<interface>]
where <name1> is the name of a prefix-list to be applied to the prefix
being updated, and <name2> the name of a prefix-list to be applied
to the gateway (i.e., next-hop) of a prefix being updated.
The filtering can also be specified with a specific interface.
7.2 Filtering on outbound updates or redistribution
router rip | igrp | eigrp ...
distribute-list prefix <name1> out [<routing_process> | <interface>]
7.3 Example
In the following configuration, the RIP process will only accept
prefixes with prefix length of /8 to /24:
router rip
version 2
network x.x.x.x
distribute-list prefix max24 in
!
ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
!
Also, the following configuration will make RIP accept routing
updates only from 192.1.1.1, in addition to the filtering on prefix
length:
router rip
distribute-list prefix max24 gateway allowlist in
!
ip prefix-list allowlist seq 5 permit 192.1.1.1/32
!
THE END
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:13 EDT