1. Introduction to prefix lists
In Cisco IOS, route updates can be filtered with several mechanisms, such as distribute-list and prefix-list, to control which routing information is received, advertised, or redistributed.
Distribute lists have several disadvantages:
- The ACLs (access control lists) used in distribute lists were originally designed for packet filtering, not for route filtering.
- A standard ACL cannot match on the mask length of a route.
- Extended ACLs can be cumbersome to configure.
- ACLs are fairly slow because they are applied sequentially to each entry in the routing update.
Prefix lists were developed as an alternative to ACLs and can be used in a variety of route-filtering commands.
The main advantages of prefix lists are:
- A significant performance gain compared to ACLs, especially when checking large lists of entries. The router converts the prefix list into a tree structure in which each branch represents a specific condition, so Cisco IOS can decide much faster whether to permit or deny a route.
- Support for incremental changes. Standard numbered ACLs cannot be edited: a single no command deletes the entire ACL. A prefix list can be modified. Each line of a prefix list is assigned a sequence number, which the router uses to order the entries. If you assign sequence numbers with a gap between them (10, 20, 30), you can later add new entries between existing ones. You can also delete individual entries by number.
Note: named ACLs also support incremental changes.
- More flexibility. For example, the router checks only as many bits of the network number as the entry's mask length specifies, and the matching mask length can be given either as a single value or as a range.
Prefix lists also share some features with ACLs. A prefix list can contain any number of entries, each consisting of a condition and an action. When the router checks a route against a prefix list, the first entry whose condition matches determines whether the route is permitted or denied. If the route matches no entry, the default implicit deny any policy is applied to it.
2. General rules for filtering routes using prefix lists
A route is permitted or denied based on the following rules:
- An empty list permits all prefixes.
- If the prefix is permitted, the route is used; otherwise it is not.
- The prefix list consists of numbered entries; the router starts the check at the top of the list, with the entry that has the lowest sequence number.
- As soon as a match is found, processing of the prefix list stops. For efficiency, place the entries most likely to match at the top of the list, with the lowest sequence numbers.
- If there is no match, the default implicit deny any policy is applied.
3. Configuring Prefix Lists
To create a prefix list, use the following command in global configuration mode:
ip prefix-list {list-name | list-number} [seq seq-value] {deny | permit} network/length [ge ge-value] [le le-value]
The parameters of this command are described in Table 1.
Table 1. Description of the ip prefix-list command parameters
Parameter | Description |
list-name | Name of the prefix list to create (case-sensitive) |
list-number | Number of the prefix list to create |
seq seq-value | 32-bit sequence number of the entry, which determines the order in which entries are checked during filtering. By default the number is incremented by 5 |
deny or permit | Action taken when the entry matches |
network/length | The entry's condition: the prefix (network number) and its mask length. The network number is given as an IP address, the mask length as the number of one bits in the mask |
ge ge-value | Lower bound of the mask-length range, for networks with a mask longer than the one given by network/length. If only ge is used, the range runs from ge-value to 32 |
le le-value | Upper bound of the mask-length range, for networks with a mask longer than the one given by network/length. If only le is used, the range runs from length to le-value |
The ge and le parameters are optional; they define the range of route mask lengths within which a route is considered to match the prefix-list entry. The values of length, ge-value and le-value must satisfy the following rule: length < ge-value < le-value <= 32.
To remove a prefix list, use the no ip prefix-list list-name command in global configuration mode.
The [no] ip prefix-list list-name description text command adds or removes a text comment for the prefix list.
If ge and le are not specified, the entry requires an exact match of both the prefix and the mask length.
The ge and le parameters may seem confusing at first. The practical experiments below make it easier to understand what they can be used for.
Figure 1 shows the topology used to demonstrate the ge and le parameters.
Figure 1. The network used to demonstrate the ge and le parameters of the ip prefix-list command

In the initial state no prefix lists are used, and Router A has learned routes from Router B to the following networks:
172.16.0.0 subnetted:
172.16.10.0/24
172.16.11.0/24
The examples use some BGP commands, but a detailed understanding of them is not needed to follow the examples of the ip prefix-list parameters. What matters is this: Router B initially had two /24 routes and aggregated them into a single 172.16.0.0/16 entry, so it now has three routes that it can send to its neighbour, Router C, at IP address 10.1.1.1. Which routes are actually sent depends on how the prefix list is applied.
Consider the following five configuration scenarios.
In the first scenario, Router B has the following configuration:
router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test1 out
ip prefix-list test1 permit 172.16.10.0/8 le 24
If you view the running configuration with show running-config, you will see that the last line has automatically been rewritten as:
ip prefix-list test1 permit 172.0.0.0/8 le 24
This is because with a /8 mask only the first 8 bits of the address are significant. In this case the routes to all three networks, 172.16.0.0/16, 172.16.10.0/24 and 172.16.11.0/24, are sent to the neighbour: all of them have the same matching first 8 bits, and their mask lengths fall within the range /8 to /24.
In the second scenario, Router B has the following configuration:
router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test2 out
ip prefix-list test2 permit 172.16.10.0/8 le 16
In this case only one route, 172.16.0.0/16, is sent to the neighbour: it is the only one with the matching first 8 bits and a mask length within the range /8 to /16.
In the third scenario, Router B has the following configuration:
router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test3 out
ip prefix-list test3 permit 172.16.10.0/8 ge 17
In this case the routes to 172.16.10.0/24 and 172.16.11.0/24 are sent to the neighbour. The /8 in the entry is used only to select which address bits are compared and is ignored in the mask-length check: with ge 17 and no le, the range of matching mask lengths is /17 to /32.
In the fourth scenario, Router B has the following configuration:
router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test4 out
ip prefix-list test4 permit 172.16.10.0/8 ge 16 le 24
In this case the routes to all three networks, 172.16.0.0/16, 172.16.10.0/24 and 172.16.11.0/24, are sent to the neighbour. The /8 in the entry is used only to select which address bits are compared and is ignored in the mask-length check: with ge 16 le 24, the range of matching mask lengths is /16 to /24.
In the fifth scenario, Router B has the following configuration:
router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test5 out
ip prefix-list test5 permit 172.16.10.0/8 ge 17 le 24
In this case the routes to 172.16.10.0/24 and 172.16.11.0/24 are sent to the neighbour. The /8 in the entry is used only to select which address bits are compared and is ignored in the mask-length check: with ge 17 le 24, the range of matching mask lengths is /17 to /24.
4. Numbering entries in prefix lists
Entries in a prefix list are numbered automatically unless you disable this feature. If automatic numbering is disabled, you must use the seq seq-value parameter when creating each entry.
A prefix list is a sorted list. The sequence number matters when a route can match several entries: the action of the matching entry with the lowest sequence number is applied.
The check always starts with the entry that has the lowest sequence number and proceeds through the list in ascending order until a match is found. When a match is found, the route is either permitted or denied, depending on the action specified in the matching entry, permit or deny.
Regardless of whether default numbering is used or not, you do not need to specify an entry's number in order to remove a specific configuration item.
By default, prefix list entries receive the numbers 5, 10, 15, and so on. If a number in the sequence is skipped, a new entry does not receive the skipped number but a number 5 greater than the current maximum. Thus, if the last entry number is 23, the following entries receive 28, 33, 38, and so on.
The show ip prefix-list command displays the sequence numbers of all entries in its output.
To disable automatic numbering of prefix list entries, use the no ip prefix-list sequence-number command in global configuration mode. To re-enable it, use the ip prefix-list sequence-number command.
5. Examples of using prefix lists
Consider the prefix list ip prefix-list filter1 permit 192.168.0.0/16. Which of these routes match this entry: the route to 192.168.0.0/16, the route to 192.168.0.0/20, or the route to 192.168.2.0/24?
The entry matches only the route to 192.168.0.0/16, because it is the only one that satisfies both the address and the mask-length condition.
Consider two more prefix lists:
- ip prefix-list filter2 permit 192.168.0.0/16 le 20
- ip prefix-list filter3 permit 192.168.0.0/16 ge 18
In the first case the routes to 192.168.0.0/16 and 192.168.0.0/20 match; the route to 192.168.2.0/24 has a mask that is too long.
In the second case the routes to 192.168.0.0/20 and 192.168.2.0/24 match; the route to 192.168.0.0/16 has a mask that is too short.
Another example is the list ip prefix-list filter4 permit 0.0.0.0/0. The all-zeros prefix matches every network, but since ge and le are not used, the mask length must also match /0 exactly. Only the default route matches this prefix list.
The prefix list ip prefix-list filter5 permit 0.0.0.0/0 ge 32 matches any route with a /32 mask.
The prefix list ip prefix-list filter6 permit 0.0.0.0/0 le 32 matches any route: any network and any mask length.
To select all routes with a mask from /1 to /24, use the prefix list ip prefix-list filter7 permit 0.0.0.0/1 le 24.
6. Managing Redistribution Using Prefix Lists
Consider the network shown in Figure 2. Suppose the redistribution of routing information between the two protocols must be restricted to certain networks:
From the RIPv2 routing domain into the OSPFv2 routing domain, only information about the following networks must be passed:
From the OSPFv2 routing domain into the RIPv2 routing domain, only information about the following networks must be passed:
- 10.8.0.0
- 10.9.0.0
- 10.10.0.0
- 10.11.0.0
Figure 2. The network used to demonstrate redistribution control using prefix lists

R2 has the following configuration:
router ospf 1
network 10.0.0.8 0.0.0.0 area 0
redistribute rip route-map intoOSPF subnets
router rip
network 10.0.0.0
version 2
passive-interface s0/0/0
redistribute ospf 1 route-map intoRIP metric 5
route-map intoOSPF permit 10
match ip address prefix-list PFX1
route-map intoRIP permit 10
match ip address prefix-list PFX2
ip prefix-list PFX1 permit 10.0.0.0/14
ip prefix-list PFX2 permit 10.8.0.0/14
The route map intoOSPF uses the prefix list PFX1. Thus all networks within the range 10.0.0.0/14 (10.0.0.0 to 10.3.0.0) are allowed to be redistributed from RIP into OSPF; the remaining networks are denied by this prefix list and are not redistributed.
The route map intoRIP uses the prefix list PFX2. Thus all networks within the range 10.8.0.0/14 (10.8.0.0 to 10.11.0.0) are allowed to be redistributed from OSPF into RIP; the remaining networks are denied by this prefix list and are not redistributed.
Note that whether a particular route is redistributed is decided only by the permit or deny action of the route-map command, not by the permit or deny action of the ip prefix-list command. The permit or deny action of the ip prefix-list command only determines whether the route satisfies the match condition of the route map.
In networks with backup paths, prefix lists can be used to eliminate routing loops. At the same time, like distribute lists, prefix lists can remove certain routes from routing updates entirely, so some routers will not learn alternative paths to certain networks; use them with care in networks with backup paths.
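The following Python model is an added example, not Cisco code and not part of the original text. It implements the rules described in sections 2 to 6: the ge/le mask-length ranges of Table 1 (including the rewriting of 172.16.10.0/8 to 172.0.0.0/8), lowest-sequence-first evaluation with the empty-list and implicit-deny rules of section 2, the automatic numbering of section 4, and the route-map behaviour of section 6. The class and function names are the example's own; scenario_results reproduces the five test1 to test5 scenarios from section 3, while the ALLOWED and ANY prefix lists in redistribution_demo are constructed for this example and are not the PFX1/PFX2 lists above.

```python
# Added example (not Cisco code): a model of IOS prefix-list and route-map
# matching that follows the rules described in sections 2 to 6 of the text.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    network: IPv4Net             # network/length, normalised the way IOS does it
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        # Table 1: no ge/le -> exact length; ge only -> ge..32; le only -> length..le
        length = self.network.prefixlen
        lo = self.ge if self.ge is not None else length
        hi = self.le if self.le is not None else (32 if self.ge is not None else length)
        return lo, hi

    def matches(self, route: IPv4Net) -> bool:
        # Only the first `length` address bits are compared; the route's mask length must then lie in range
        lo, hi = self.length_range()
        return route.network_address in self.network and lo <= route.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, Entry] = {}

    def add(self, action: str, prefix: str, ge: Optional[int] = None,
            le: Optional[int] = None, seq: Optional[int] = None) -> int:
        if seq is None:                           # section 4: 5 more than the current maximum
            seq = max(self.entries, default=0) + 5
        network = IPv4Net(prefix, strict=False)   # 172.16.10.0/8 becomes 172.0.0.0/8
        length = network.prefixlen
        # ordering rule from section 3: each given bound lies above length and at most 32
        if any(b is not None and not length < b <= 32 for b in (ge, le)) or (ge or 0) > (le or 32):
            raise ValueError(f"{prefix}: need length < ge <= le <= 32")
        self.entries[seq] = Entry(seq, action, network, ge, le)
        return seq

    def remove(self, seq: int) -> None:           # individual entries are deleted by number
        del self.entries[seq]

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """Return (action, sequence number of the first matching entry)."""
        net = IPv4Net(route, strict=False)
        if not self.entries:
            return "permit", None                 # section 2: an empty list permits all prefixes
        for seq in sorted(self.entries):          # lowest sequence number first
            if self.entries[seq].matches(net):
                return self.entries[seq].action, seq
        return "deny", None                       # implicit deny any

    def permits(self, route: str) -> bool:
        return self.evaluate(route)[0] == "permit"


@dataclass
class RouteMapClause:
    seq: int
    action: str                  # the route-map clause's own permit/deny
    prefix_list: PrefixList      # its "match ip address prefix-list" condition


def route_map_allows(clauses: List[RouteMapClause], route: str) -> Tuple[bool, Optional[int]]:
    """Section 6: a clause matches when its prefix list permits the route; a
    prefix-list deny only means 'no match here'. The first matching clause's
    own action decides, and a route matching no clause is not redistributed."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        if clause.prefix_list.permits(route):
            return clause.action == "permit", clause.seq
    return False, None


def scenario_results() -> Dict[str, List[str]]:
    """The five section-3 scenarios: which of Router B's three routes pass."""
    routes = ["172.16.0.0/16", "172.16.10.0/24", "172.16.11.0/24"]
    specs = {"test1": dict(le=24), "test2": dict(le=16), "test3": dict(ge=17),
             "test4": dict(ge=16, le=24), "test5": dict(ge=17, le=24)}
    results = {}
    for name, bounds in specs.items():
        pl = PrefixList(name)
        pl.add("permit", "172.16.10.0/8", **bounds)
        results[name] = [r for r in routes if pl.permits(r)]
    return results


def redistribution_demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Constructed route map (not the text's PFX1/PFX2): the route-map action,
    not the prefix-list action, decides whether a route is redistributed."""
    allowed = PrefixList("ALLOWED")
    allowed.add("deny", "10.2.0.0/16")            # keeps clause 10 from matching 10.2.0.0/16
    allowed.add("permit", "10.0.0.0/14", le=16)   # 10.0.0.0 to 10.3.0.0, masks /14 to /16
    anything = PrefixList("ANY")
    anything.add("permit", "0.0.0.0/0", le=32)
    rmap = [RouteMapClause(10, "permit", allowed), RouteMapClause(20, "deny", anything)]
    return {r: route_map_allows(rmap, r) for r in ["10.1.0.0/16", "10.2.0.0/16", "10.8.0.0/16"]}
```

Calling scenario_results() returns, for each scenario, the routes Router B would send, and redistribution_demo() returns, per route, whether it is redistributed and which route-map clause decided. In that demo the deny entry for 10.2.0.0/16 does not itself reject the route: it only stops clause 10 from matching, and the route is then caught by the deny clause 20 (without clause 20 it would fall to the route map's implicit deny). An entry without ge or le matches only a route whose mask length equals the entry's own length, which is why the constructed ALLOWED list carries le 16 to cover the /16 networks within 10.0.0.0/14.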
7. Verifying prefix lists
The main commands for checking and troubleshooting prefix lists are listed in Table 2. Use ip prefix-list ? for complete information on the available parameters and their purpose.
Table 2. Commands for checking and troubleshooting prefix lists
Command | Description |
show ip prefix-list [detail | summary] | Displays information about all prefix lists. The detail parameter also shows the description and counters for each entry of a prefix list |
show ip prefix-list [detail | summary] prefix-list-name | Displays the entries of the specified prefix list |
show ip prefix-list prefix-list-name [network/length] | Displays the policy this prefix list defines for the specified network/mask pair |
show ip prefix-list prefix-list-name [seq sequence-number] | Displays the entry with the specified number from this prefix list |
show ip prefix-list prefix-list-name [network/length] longer | Displays all entries of the prefix list that match and are more specific than the specified network/mask pair |
show ip prefix-list prefix-list-name [network/length] first-match | Displays the first entry of the prefix list that matches the specified network/mask pair |
clear ip prefix-list prefix-list-name [network/length] | Resets the hit counters of this prefix list |
Below is example output of the show ip prefix-list detail command. The router has a single prefix list named "superonly" with one entry, number 5. The value "hit count: 0" means that this entry has not matched anything yet.
The output of the show ip prefix-list detail command:
ROUTER# show ip prefix-list detail
Prefix-list with the last deletion/insertion: superonly
ip prefix-list superonly:
   Description: only permit supernet
   count: 1, range entries: 0, sequences: 5-5, refcount: 1
   seq 5 permit 172.0.0.0/8 (hit count: 0, refcount: 1)