Overview
Like access control lists (ACLs), prefix lists are used as a filtering tool. However, unlike ACLs, which are used for a wide variety of tasks, prefix lists are predominantly used by routing protocols for route/prefix filtering. Prefix lists provide granular control over matching prefixes for route filtering; matching the prefix and prefix-length; ACLs match only the prefix. Like an ACL, prefix-lists use permit or deny clauses to match prefixes and prefix lengths. Internal processing of IP prefix-lists uses an internal tree structure that results in faster matching of routes compared to ACLs. In recent developments, improvements have been made with the processing of prefix-lists and ACLs in hardware.
Naming and Structure
The naming and structure of prefix lists is similar to named ACLs. The prefix list naming recommendations include the following:
- Name cannot contain spaces or punctuation marks.
- Prefix list name cannot begin with a number
- Prefix list name must be unique; prefix lists of different types cannot have the same name
- Prefix list name can have a mixture alpahnumeric characters
- Recommended that the prefix list name be written in capital letters
- Prefix list names are locally significant. Multiple routers on the network can be configured to have the same name
- Choose names that identify the function of the prefix list
Prefix-lists do not use wildcard masks or bits; they use the prefix length for matching against the network address and subnet mask. A prefix-list is used to match routes particularly for route filtering and not for packet filtering:
- Permit: the route is matched, the route should not be filtered.
- Deny: route is not matched and should be filtered.
Prefix-list have a default implicit deny all statement at the end.
The command to configure a prefix-list is:
ip prefix-list <name> [seq <num>] {deny | permit}
<prefix/prefix-length> [ge <prefix-length>] [le <prefix-length>] where:
- Prefix/prefix-length: is the prefix and prefix-length that is being matched.
- ge ( greater than or equal): value is used to match against the
subnet mask. The prefix-length to be matched by
geis in the range:gevalue and 32. Thegevalue sets the lower limit of the prefix length range to be matched. The prefix-length MUST be less than the ge value; otherwise IOS will report this error message% Invalid prefix range for 10.1.1.0/24, make sure: len < ge.value <= le.value. - le (less than or equal to): when matching the route's prefix length, the
levalue sets the upper limit of the prefix length comparison range. The range of prefix lengths to be matched is between route prefix length to thelevalue. The prefix-length must be less than thelevalue; otherwise IOS will report this error message:% Invalid prefix range for 10.1.1.0/24, make sure: len < ge.value <= le.value - le and ge: if both are configured, on the same prefix list statement,
the value of
lemust be greater than or equal to the value ofge:- Prefix lengths to be matched are in the range
gevalue tolevalue. - If
leis equal toge, then the prefix length is matched against the specificle/gevalue rather than a range.
- Prefix lengths to be matched are in the range
Prefix Matching
The logic of a prefix-list is as follows:
- The route's prefix must be within the range of addresses implied by the prefix-list command's prefix/length parameters.
- The route's prefix-length must match the range of prefixes implied by the
prefix-listcommand's prefix-length,geandleparameters.
Every matching done by a prefix list checks the network address and the subnet mask. Up to four types of matching can be performed using prefix lists:
- Exact match: only the prefix and prefix length are specified by the
prefix list.
The
geandlekeywords are not used in prefix and prefix length matching.-
ip prefix-list PL permit 10.1.1.0/24- Matches the network address 10.1.1.x.
- Matches the subnet mask 255.255.255.0.
-
- From minimum prefix length: implemented using the
gekeyword.ip prefix-list PL permit 10.1.1.0/24 ge 26- Matches the network address 10.1.1.x
- Matches the subnet mask 255.255.255.192 - 255.255.255.255
ip prefix-list PL permit 10.1.1.0/8 ge 9- Matches the network address of 10.x.x.x
- Matches the subnet mask 255.128.0.0 - 255.255.255.255.
- Up to a maximum prefix length: implemented using the
lekeyword prefix length in the range prefix length tolevalue.ip prefix-list PL permit 10.1.1.0/16 le 26- Matches the network address 10.1.x.x
- Matches the subnet 255.255.0.0 - 255.255.255.192
ip prefix-list PL permit 10.1.1.0/19 le 27- Matches for the network address of 10.1.x.x/19
- Matches the subnet mask 255.255.224 - 255.255.255.224.
- Range of prefix lengths: implemented by the configuration of both
geandlekeywords:ip prefix-list PL permit 10.1.1.0/16 ge 22 le 30- Matches the network address 10.1.x.x
- Matches the subnet 255.255.252.0 - 255.255.255.252
ip prefix-list PL permit 10.1.1.0/24 ge 26 le 29- Matches the network address of 10.1.1.x
- Matches the subnet mask 255.255.255.192 - 255.255.255.248.
ip prefix-list PL permit 10.1.1.0/24 ge 26 le 26- Matches the network address 10.1.1.x
- Matches the subnet 255.255.255.192
Matching the Default Route
IPv4
ip prefix-list PL permit 0.0.0.0/0
- Match any address
- The subnet mask MUST match zero(0). Only the default route has a subnet mask of zero.
IPv6
ipv6 prefix-list PL permit ::/0
Match all prefixes
IPv4
ip prefix-list PL permit 0.0.0.0/0 le 32
-
le32 implies that the subnet mask will match from 0.0.0.0 - 255.255.255.255. Even the broadcast address is matched.
IPv6
ipv6 prefix-list PL permit ::/0 le 128
Exercise
Objective: Deny all routes which have the first 24-bits of 10.10.10.x AND subnet mask is GE 24 but LE 30.
No comments:
Post a Comment