Highly useful and scalable for filtering BGP announcements.
A few commands have been added since the original note so you may want to
play around with the IOS help facility a bit. For example, there is a
'description' option that allows 80 character text description for a
prefix-list.
Our documentation is in the process of being updated.
This command FCS'ed in 11.1()CC as well as 11.3(3). It'll also be in 12.0.
You should also try using: sho runn | ?
which appeared in 11.1(20)CC. It will also be in 12.0. The 'grep-like'
function works on most IOS 'show' commands.
Both commands have been mentioned a few times on Nanog FWIW.
Bruce
At 16:21 8/12/98 -0700, Danny McPherson wrote:
>
>Prefix-lists are quite useful...
>
>I believe Enke Chen (or was it Sourav Seal) wrote this up:
>
>[snip]
>Defects addressed in this image:
>--------------------------------
>CSCdj61356: Prefix-list - facility for efficient route filtering
>
>--------
> Using Prefix-list in Route Filtering
> --------------------------------------
>
>1. Introduction
>
> The prefix-list is implemented for the purpose of efficient route
> filtering. Compared with using the (extended) access-list in route
> filtering, there are several advantages with using the prefix-list:
>
> - Significant performance improvement in loading and route lookup of
> large lists.
> - Support for incremental updates.
> - More user-friendly command line interface.
>
> Several key features with the access-list are preserved in prefix-list:
>
> - Configuration of either "permit" or "deny".
> - Order dependency - first match wins.
> - Filtering on prefix length - both exact match and range match.
>
> However, non-contiguous masks are not supported in the prefix-list.
>
>
>2. CLI for Prefix-list
>
> Command:
>
> no ip prefix-list <list-name>
>
> This command can be used to delete a prefix-list.
>
>
> Command:
>
> [no] ip prefix-list <list-name> [seq <seq-value>] deny|permit \
> <network>/<len> [ge <ge-value>] [le <le-value>]
>
> This command can be used to configure or delete an entry of a prefix-list.
>
> Command Attributes:
>
> <list-name>: A string identifier of a prefix-list.
>
> seq <seq-value>: Optional. It can be used to specify the sequence number
> of an entry of a prefix list.
>
> By default, the entries of a prefix list would have sequence values
> of 5, 10, 15 and so on. In the absence of a specified sequence value,
> the entry would be assigned with a sequence number of (Current_Max
> + 5).
>
> If a given prefix matches multiple entries of a prefix list, the one
> with the smallest sequence number is considered as the match.
>
> deny|permit: An action taken once a match is found.
>
> <network>/<len>: The prefix and its length. Multiple policies (exact match
> or range match) with different sequence numbers can be configured
> for the same <network>/<len>.
>
> ge <ge-value>: "greater than or equal to"
> le <le-value>: "less than or equal to".
>
> Both "ge" and "le" are optional. They can be used to specify the range
> of the prefix length to be matched for prefixes that are more specific
> than <network>/<len>.
>
> Value range: len < ge-value < le-value <= 32
>
> Exact match is assumed when neither "ge" nor "le" is specified.
> The range is assumed to be from "ge-value" to 32 if only the "ge"
> attribute is specified. And the range is assumed to be from "len" to
> "le-value" if only the "le" attribute is specified.
>
>
>Remarks:
>
> - As usual, an implicit deny is assumed if a given prefix does not
> match any entries of a prefix-list.
>
> - To speed up insertion, the maximum and minimum sequence numbers are not
> re-calculated after deletion of entries.
>
>
>3. Configuration Examples
>
>3.1 Exact match
>
> ip prefix-list aaa deny 0.0.0.0/0
> ip prefix-list aaa permit 35.0.0.0/8
>
>3.2 Prefix Length match
>
> - in 192/8, accept up to /24
>
> ip prefix-list aaa permit 192.0.0.0/8 le 24
>
> - in 192/8, deny /25+
>
> ip prefix-list aaa deny 192.0.0.0/8 ge 25
>
> - in all address space, permit /8 - /24
>
> ip prefix-list aaa permit 0.0.0.0/0 ge 8 le 24
>
> - in all address space, deny /25+
>
> ip prefix-list aaa deny 0.0.0.0/0 ge 25
>
> - in 10/8, deny all
>
> ip prefix-list aaa deny 10.0.0.0/8 le 32
>
> - in 204.70.1/24, deny /25+
>
> ip prefix-list aaa deny 204.70.1.0/24 ge 25
>
> - permit all
>
> ip prefix-list aaa permit 0.0.0.0/0 le 32
>
>
>3.3 Incremental Updates
>
> As opposed to the normal access-list where one "no" command will erase the
> whole access-list, a prefix-list can be modified incrementally. For
> example, to change a prefix-list from A to B, only the difference between
> B and A needs to be deployed to the router.
>
> From A:
> ip prefix-list aaa deny 0.0.0.0/0 le 7
> ip prefix-list aaa deny 0.0.0.0/0 ge 25
> ip prefix-list aaa permit 35.0.0.0/8
> ip prefix-list aaa permit 204.70.0.0/15
>
> To B:
> ip prefix-list aaa deny 0.0.0.0/0 le 7
> ip prefix-list aaa deny 0.0.0.0/0 ge 25
> ip prefix-list aaa permit 35.0.0.0/8
> ip prefix-list aaa permit 198.0.0.0/8
>
> by deploying the difference:
>
> no ip prefix-list aaa permit 204.70.0.0/15
> ip prefix-list aaa permit 198.0.0.0/8
>
>
>4. Show and Clear Commands
>
> show ip prefix-list [detail|summary]
>
> ---> Displays information of all prefix-lists.
>
> show ip prefix-list [detail|summary] [<name>]
>
> ---> Displays information of a prefix-list.
>
> show ip prefix-list <name> [seq <seq-num>]
>
> ---> Display the prefix-list entry with the given sequence number
>
> show ip prefix-list <name> <network>/<len>
>
> ---> displays the policy associated with the node <network>/<len>
>
> show ip prefix-list <name> <network>/<len> longer
>
> ---> displays all entries of a prefix list that are more specific
> than the given <network>/<len>
>
> show ip prefix-list <name> <network>/<len> first-match
>
> ---> displays the entry of a prefix list that matches the given
> <network>/<len>
>
> clear ip prefix-list [<name>] [<network>/<len>]
>
> ---> resets the "hit count" of prefix-list entries
>
>
>5. Using Prefix-list with BGP
>
> The prefix-list can be used as an alternative to the BGP
> "neighbor x.x.x.x distribute-list" command. The configuration
> of prefix-list and distribute-list for a BGP peer are
> mutually exclusive.
>
> Configuration Command:
>
> router bgp xxx
> neighbor x.x.x.x prefix-list <name> in|out
>
> Also, prefix-list can be used in a peer-group configuration.
>
> Implicit deny is assumed if a specified prefix-list has not been
> configured.
>
>
>6. Using Prefix-list in Route-map
>
> The prefix-list can be used as an alternative to access-lists used in
> the command "match ip address|next-hop|route-source <access-list>"
> of a route-map. The configuration of prefix-lists and access-lists
> are mutually exclusive within the same sequence of a route-map.
>
> Configuration Command:
>
> route-map <name> permit|deny <seq-num>
> match ip address|next-hop|route-source prefix-list <name> [<name> ...]
>
>
> Besides its application in BGP, route-maps using prefix-lists can be used
> for route filtering, default-origination, and redistribution in other
> routing protocols as well.
>
> However, prefix-lists, or prefix-lists in route-maps, do not support
> packet filtering.
>
>7. Using Prefix-list in Other Routing Protocols and Redistribution
>
> The prefix-list can be used to filter inbound and outbound routing
> updates, as well to control route redistribution between different
> routing protocols.
>
> Compared with using the access-list, prefix-list based filtering offers
> the ability of prefix length filtering. It also has the flexibility of
> filtering either the prefix, or the gateway, or both for incoming
> updates.
>
> As usual, access-list and prefix-list are mutually exclusive in one
> "distribute-list" command.
>
>7.1 Filtering on inbound updates
>
> Inbound updates can be filtered on the prefix, or the gateway, or
> both prefix and gateway:
>
> router rip | igrp | eigrp
> distribute-list {prefix <name1>} | {gateway <name2>} |
> {prefix <name1> gateway <name2>} in [<interface>]
>
> where <name1> is the name of a prefix-list to be applied to the prefix
> being updated, and <name2> the name of a prefix-list to be applied
> to the gateway (i.e., next-hop) of a prefix being updated.
>
> The filtering can also be specified with a specific interface.
>
>
>7.2 Filtering on outbound updates or redistribution
>
> router rip | igrp | eigrp ...
> distribute-list prefix <name1> out [<routing_process> | <interface>]
>
>
>7.3 Example
>
> In the following configuration, the RIP process will only accept
> prefixes with prefix length of /8 to /24:
>
> router rip
> version 2
> network x.x.x.x
> distribute-list prefix max24 in
> !
> ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
> !
>
> Also, the following configuration will make RIP accept routing
> updates only from 192.1.1.1, besides the filtering on prefix
> length:
>
> router rip
> distribute-list prefix max24 gateway allowlist in
> !
> ip prefix-list allowlist seq 5 permit 192.1.1.1/32
> !
>
>THE END
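As an added example, not part of the original post or of Cisco's implementation, here is a small Python model of the matching rules the quoted write-up describes: lowest sequence number wins, exact match unless "ge"/"le" is given, "ge" alone runs to /32, "le" alone runs from "len", implicit deny on no match, default sequence numbers of (Current_Max + 5) that are not recalculated after a deletion, and incremental "no" deletion by entry content. It is useful for checking offline what a filter will permit or deny before it is deployed. Assumptions: the range check is relaxed to len <= ge <= le <= 32 (the write-up states it as strict "<"), and the sample lines are constructed from the write-up's sections 3.3 and 7.3.

```python
# Added example: a pure-Python model of prefix-list matching semantics as
# described in the quoted write-up. Not Cisco code; assumptions noted inline.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Accepts "[no] ip prefix-list <name> [seq N] permit|deny <net>/<len> [ge X] [le Y]"
LINE_RE = re.compile(
    r"^(?P<no>no\s+)?ip prefix-list (?P<name>\S+)"
    r"(?: seq (?P<seq>\d+))? (?P<action>permit|deny) (?P<net>\S+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def bounds(self) -> Tuple[int, int]:
        """Prefix-length range this entry matches, per the write-up's rules."""
        base = self.network.prefixlen
        if self.ge is None and self.le is None:
            return base, base                              # exact match
        lo = self.ge if self.ge is not None else base      # "le" only: len..le
        hi = self.le if self.le is not None else 32        # "ge" only: ge..32
        return lo, hi

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        if not prefix.subnet_of(self.network):   # must lie inside <network>/<len>
            return False
        lo, hi = self.bounds()
        return lo <= prefix.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, Entry] = {}
        self.max_seq = 0   # deliberately not recalculated on delete (write-up remark)

    def apply(self, line: str) -> None:
        """Apply one 'ip prefix-list ...' or 'no ip prefix-list ...' line."""
        m = LINE_RE.match(line.strip())
        if not m or m["name"] != self.name:
            raise ValueError(f"not a line for prefix-list {self.name}: {line!r}")
        net = ipaddress.IPv4Network(m["net"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        entry = Entry(m["action"], net, ge, le)
        lo, hi = entry.bounds()
        # Assumption: relaxed range check len <= ge <= le <= 32
        if not (net.prefixlen <= lo <= hi <= 32):
            raise ValueError(f"bad ge/le range in {line!r}")
        if m["no"]:
            # Incremental delete: by content, narrowed to a seq if one was given
            victims = [s for s, e in self.entries.items()
                       if e == entry and (m["seq"] is None or s == int(m["seq"]))]
            for s in victims:
                del self.entries[s]
            return
        seq = int(m["seq"]) if m["seq"] else self.max_seq + 5
        self.entries[seq] = entry
        self.max_seq = max(self.max_seq, seq)

    def first_match(self, prefix: str) -> Tuple[str, Optional[int]]:
        """(action, seq) of the lowest-seq matching entry; ('deny', None) if none."""
        p = ipaddress.IPv4Network(prefix, strict=False)
        for seq in sorted(self.entries):
            if self.entries[seq].matches(p):
                return self.entries[seq].action, seq
        return "deny", None   # implicit deny

    def dump(self) -> List[str]:
        """Render the list roughly as 'show ip prefix-list' would."""
        return [f"seq {s} {e.action} {e.network}"
                + (f" ge {e.ge}" if e.ge is not None else "")
                + (f" le {e.le}" if e.le is not None else "")
                for s, e in sorted(self.entries.items())]


def build(name: str, lines: List[str]) -> PrefixList:
    """Convenience: build a prefix-list from constructed config lines."""
    pl = PrefixList(name)
    for line in lines:
        pl.apply(line)
    return pl


if __name__ == "__main__":
    # Constructed from the write-up's section 3.3 list "A", then its diff to "B".
    aaa = build("aaa", [
        "ip prefix-list aaa deny 0.0.0.0/0 le 7",
        "ip prefix-list aaa deny 0.0.0.0/0 ge 25",
        "ip prefix-list aaa permit 35.0.0.0/8",
        "ip prefix-list aaa permit 204.70.0.0/15",
    ])
    aaa.apply("no ip prefix-list aaa permit 204.70.0.0/15")
    aaa.apply("ip prefix-list aaa permit 198.0.0.0/8")
    for line in aaa.dump():
        print(line)
    for test in ("198.0.0.0/8", "204.70.0.0/15", "10.1.2.128/25", "35.1.0.0/16"):
        print(test, aaa.first_match(test))
```

Note that the new 198.0.0.0/8 entry lands at seq 25, not 20: the deleted entry's seq 20 is not reclaimed, exactly as the write-up's remark on insertion speed predicts. Also note that 35.1.0.0/16 is denied even though 35.0.0.0/8 is permitted, because an entry without "ge"/"le" is an exact-length match.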
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:13 EDT