Understanding IP prefix lists
IOS prefix lists work like access lists for route advertisements (prefixes). While extended (and to a limited extent, standard) access lists can be employed to match prefix announcements, prefix lists are generally more graceful. Prefix lists work very similarly to access lists; a prefix list contains one or more ordered entries which are processed sequentially. As with access lists, the evaluation of a prefix against a prefix list ends as soon as a match is found.
Assume you wanted to prevent a route for 10.0.0.0/24 from being redistributed from OSPF to BGP. One way to accomplish this would be to define an extended ACL matching this prefix and reference it from the BGP redistribution route map:
router ospf 1 router-id 2.2.2.2 log-adjacency-changes ! router bgp 65100 no synchronization bgp router-id 2.2.2.2 bgp log-neighbor-changes redistribute ospf 1 route-map OSPF->BGP neighbor 172.16.23.3 remote-as 65100 no auto-summary ! ip access-list extended OSPF_Redist deny ip host 10.0.0.0 host 255.255.255.0 permit ip any any ! route-map OSPF->BGP permit 10 match ip address OSPF_Redist
The above configuration prevents the exact prefix 10.0.0.0/24 from being advertised by denying the 10.0.0.0 network ("source" address) with a mask of 255.255.255.0 ("destination" address). All other prefixes are allowed by the permit ip any any statement.
This can be accomplished more intuitively by employing a prefix list:
router ospf 1 router-id 2.2.2.2 log-adjacency-changes ! router bgp 65100 no synchronization bgp router-id 2.2.2.2 bgp log-neighbor-changes redistribute ospf 1 route-map OSPF->BGP neighbor 172.16.23.3 remote-as 65100 no auto-summary ! ip prefix-list OSPF_Redist seq 5 deny 10.0.0.0/24 ip prefix-list OSPF_Redist seq 10 permit 0.0.0.0/0 le 32 ! route-map OSPF->BGP permit 10 match ip address prefix-list OSPF_Redist
As you can see, there are two entries in the prefix list defined above. These accomplish the same tasks as the two access list entries in the earlier example: deny 10.0.0.0/24 denies the exact prefix 10.0.0.0/24, and permit 0.0.0.0/0 le 32 allows all other prefixes.
The second prefix list entry warrants some explanation. Two keywords can be optionally appended to a prefix list entry: le (less than or equal to) and ge (greater than or equal to). Without either, an entry will match an exact prefix. The le parameter can be included to match all more-specific prefixes within a parent prefix up to a certain length. For example, 10.0.0.0/24 le 30 will match 10.0.0.0/24 and all prefixes contained therein with a length of 30 or less.
We can use le to create an entry to match "any" prefix: 0.0.0.0/0 le 32 matches any prefix with a length between 0 and 32 bits (inclusive). This matches all possible IPv4 prefixes.
The ge parameter works similarly to le but in the opposite direction; it specifies a minimum prefix length whereas le specifies a maximum length. For example, 10.0.0.0/8 ge 16 will match all prefixes within the 10.0.0.0/8 network that are at least 16 bits in length. The length specified by ge should naturally be longer than the length of the initial prefix as it is impossible to match anything larger than the initial prefix.
le and ge can also be combined. Continuing the ge example, 10.0.0.0/8 ge 16 le 24 will match all prefixes within the 10.0.0.0/8 network having a mask both a) greater than or equal to 16 bits, and b) less than or equal to 24 bits in length. For instance, 10.42.0.0/18 would be matched, because its length is between 16 and 24 (inclusive), but neither 10.16.0.0/12 nor 10.123.77.128/25 would be matched.
Prefix lists take some getting used to, but can be very helpful in expressing routing policy within IOS configuration once you've gotten the hang of them.
About the Author
Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.
Comments
Good stuff.
Nice! I must say, my favorite Cisco exam so far was BGP; and maybe my favorite topic was prefix lists, community lists, route maps, and AS path lists.
Thanks! This cleared things up a lot for me
In terms of cpu process, ¿wich has the higher cost? ACL or Prefix List? Sorry for my english.
PS: Great site stretch.
Thanks a lot
Good info... Interesting though is how the "default" route 0.0.0.0/0 handled if you wanted to do an exact match on that specific prefix for filtering? The match all possible example looks close to how I thought it would be written?
Good Stuff..!! Easy to understand.
Thanks,
Ashish
great stuff, really made prefix-list clearer to me. thanx man!
many many thanks
very informative for the Beginner. specially permit 0.0.0.0/0 le 32
- an extended acl for toute filtering is nonsense
- the acl entry is also nonsense:
ip access-list extended OSPF_Redist deny ip host 10.0.0.0 host 255.255.255.0 permit ip any any
should be:
ip access-list extended OSPF_Redist deny ip 10.0.0.0 0.0.0.255 permit ip any any
but even better:
ip access-list standard OSPF_Redist deny 10.0.0.0 0.0.0.255 permit any
:)
Gud One
Thanks!
thank you all
graaacias!
muchas muchas
Hi Jeremy ,
At Your Statement " but neither 10.8.0.0/12"
There is no network 10.8.0.0/12
There is 10.0.0.0/12, 10.16.0.0/12 , 10.32.0.0/12, 10.48.0.0/12, 10.64.0.0/12 etc,
Maybe you meant 10.8.0.0/13 ?
Just want some clarity on that, Please CMIIW
Got the confusion cleared.
Thanks Jeremy
thanks
Nicely explained. Thank you. The question I have is this:
Could you also do 255.255.255.255/32 ge 0 ?
Why might I ask this? No reason, just curious.
Merci Jeremy, c'est très clairement expliqué!
Hey just to follow up on my question with regards to the twisted logic above... I tried to use 255.255.255.255/32 ge 0. There are two problems:
1. The second prefix value cannot be 0, it has to be 1-32
2. Even if you set it to 1, you get an error stating that the first prefix value needs to be less than the second prefix value at all times.
Hi stretch,
I dont understand the first exmaple you provided using route-map to block 10.0.0.0/24 redistribution.
if you use "route-map OSPF->BGP permit 10" with access-list OSPF_Redist's entries "deny ip host 10.0.0.0 host 255.255.255.0", would the route-map block 10.0.0.0/24??? I think it will only take the "permit" networks and ignore all "deny" ones, right?
pls ignore the last comment, I think I have figured it out myself.
Great post Stretch,
Just to let you know the prefix-list link to cisco is broken at the start of the article.
Roger
Very informative Stretch. For disaster recovery, I need the same IP brought up in another subnet so I use mobile ARP to move it (Local Area Mobility). I use route-maps and prefix lists to redistribute IP addresses of hosts that I need to move into the other subnet in BGP. I create a route map for a neighbor in BGP outbound, and use the prefix list to permit what IP addresses to move. It works out pretty nice.