Managing the routing update exchange process using prefix lists

1. Introduction to Prefix Lists


In Cisco IOS you can use several route-filtering mechanisms, such as distribute lists and prefix lists, to control the exchange of routing information: which routes are received, advertised, or redistributed.
Distribute lists have certain disadvantages:
  • The ACLs (access lists) used in distribute lists were designed to filter packets, not routes
  • Standard ACLs cannot match on the route's mask
  • Extended ACLs can be cumbersome to configure for this purpose
  • ACLs are relatively slow, because they are evaluated sequentially against each entry in the routing update.

Prefix lists were developed as an alternative to ACLs and can be used in many of the commands that filter routes.

The main advantages of prefix lists are:
  • Much better performance than ACLs when checking large lists. The router converts the prefix list into a tree structure in which each branch represents a condition, which lets Cisco IOS decide on the action, permit or deny, much faster
  • Support for incremental changes. Standard numbered ACLs cannot be edited: a single no command deletes the entire ACL. Prefix lists can be modified. Each line of a prefix list can be given a sequence number, and the router uses these numbers to order the entries. If you assign numbers with a gap between them (10, 20, 30), you can later insert new entries between existing ones. Individual entries can also be deleted by number

Note : Named ACLs support incremental changes.

  • More flexibility. For example, a prefix list checks only as many bits of the network number as its mask length requires, and the mask length can be given either as an exact value or as a range

Prefix lists also have some similarities with ACLs. A prefix list can contain any number of entries, each consisting of a condition and an action. When the router checks a route against a prefix list, the first entry whose condition matches determines the action applied to the route, permit or deny. If the route matches no entry, the implicit default policy deny any applies.

2. General rules for filtering routes using prefix lists


A route is permitted or denied according to the following rules:
  • An empty list permits all prefixes.
  • If the prefix is permitted, the route is used; otherwise it is not
  • The prefix list consists of numbered entries; the router checks them from the top of the list, starting with the lowest-numbered entry
  • When a match is found, processing of the prefix list stops. For efficiency, place the entries most likely to match at the top of the list, with the lowest sequence numbers
  • If no entry matches, the implicit default policy deny any applies


3. Setting up prefix lists


To create a prefix list, use the command ip prefix-list { list-name | list-number } [ seq seq-value ] { deny | permit } network/length [ ge ge-value ] [ le le-value ] in global configuration mode. Its parameters are described in Table 1.

Table 1. Parameters for the ip prefix-list command
Parameter         Description
list-name         The name of the prefix list to create; case sensitive
list-number       The number of the prefix list to create
seq seq-value     The 32-bit sequence number of the entry, which determines the order in which entries are checked during filtering. By default, numbers are assigned automatically in increments of 5
deny | permit     The action applied when the entry matches
network/length    The entry's condition: the prefix (network number) and its mask length. The network number is given as an IP address, the mask length as the number of one bits in the mask
ge ge-value       The mask-length range for networks whose mask is longer than the length given in network/length. If only ge is used, the range is from ge-value to 32
le le-value       The mask-length range for networks whose mask is no longer than le-value. If only le is used, the range is from length to le-value

The ge and le parameters are optional and define the range of route mask lengths for which a route is considered to match the prefix-list entry. The values of length, ge-value and le-value must satisfy the rule length < ge-value < le-value <= 32.
To remove a prefix list, use the no ip prefix-list list-name command in global configuration mode.
The [ no ] ip prefix-list list-name description text command adds or removes a text comment on the prefix list.
If neither ge nor le is specified, an exact match is required to satisfy the entry's condition.
The ge and le options may seem confusing at first. Below are some practical experiments whose analysis makes the possibilities of these parameters easier to understand.
Figure 1 shows the topology that will be used to demonstrate the operation of the ge and le parameters .

Figure 1. The network used to demonstrate the ge and le parameters of the ip prefix-list command

In the initial state, prefix lists are not used, and router A received information from router B on routes to the following networks:
172.16.0.0 subnetted:
172.16.10.0/24
172.16.11.0/24

This example uses some BGP commands, but detailed knowledge of them is not needed to understand the ip prefix-list parameters. What matters is this: router B originally had two routes with a /24 mask and summarized them into a single entry 172.16.0.0/16, so it now has three routes available for advertisement to its neighbor, router C, with IP address 10.1.1.1. Which routes are actually advertised depends on how the prefix list is used.
We will consider five configuration scenarios.

In the first scenario, router B has the following configuration:

router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test1 out
ip prefix-list test1 permit 172.16.10.0/8 le 24

If you view the running configuration with the show running-config command, you will see that the last line has been automatically rewritten as:
ip prefix-list test1 permit 172.0.0.0/8 le 24

This is because, with a /8 mask, only the first 8 bits of the IP address are significant. In this case routes to all three networks are advertised to the neighbor: 172.16.0.0/16, 172.16.10.0/24 and 172.16.11.0/24. All of them have the same matching first 8 bits and a mask length in the range from 8 to 24.

In the second scenario, router B has the following configuration:

router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test2 out
ip prefix-list test2 permit 172.16.10.0/8 le 16

In this case only one route is advertised to the neighbor, the route to 172.16.0.0/16. It is the only one with the matching first 8 bits and a mask length in the range from 8 to 16.

In the third scenario, router B has the following configuration:

router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test3 out
ip prefix-list test3 permit 172.16.10.0/8 ge 17

In this case the routes to 172.16.10.0/24 and 172.16.11.0/24 are advertised to the neighbor. The /8 mask is used only to select the address bits to be compared and is ignored when checking the mask length; the length is checked against the range ge 17 le 32, that is, from /17 to /32.

In the fourth scenario, router B has the following configuration:

router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test4 out
ip prefix-list test4 permit 172.16.10.0/8 ge 16 le 24

In this case routes to all three networks are advertised to the neighbor: 172.16.0.0/16, 172.16.10.0/24 and 172.16.11.0/24. The /8 mask is used only to select the address bits to be compared and is ignored when checking the mask length; the length is checked against the range ge 16 le 24, that is, from /16 to /24.

In the fifth scenario, Router B has the following configuration:

router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list test5 out
ip prefix-list test5 permit 172.16.10.0/8 ge 17 le 24

In this case the routes to 172.16.10.0/24 and 172.16.11.0/24 are advertised to the neighbor. The /8 mask is used only to select the address bits to be compared and is ignored when checking the mask length; the length is checked against the range ge 17 le 24, that is, from /17 to /24.

4. Numbering of entries in prefix lists


Entries in a prefix list are numbered automatically unless you disable this feature. If automatic numbering is disabled, each entry must be created with the seq seq-value parameter.
A prefix list is an ordered list. The sequence number matters when a route can match several entries: the action of the matching entry with the lowest number is applied.
The check always starts with the lowest-numbered entry and proceeds down the list in ascending order until a match is found. When a match is found, the route is permitted or denied according to the action of that entry, permit or deny.
Whether you use default numbering or not, you do not need to specify an entry's number in order to remove it from the configuration.
By default, entries receive the sequence numbers 5, 10, 15, and so on. Gaps in the numbering are not reused: a new entry receives a number 5 greater than the current maximum. For example, if the last entry is numbered 23, the next entries receive 28, 33, 38, and so on.
The show ip prefix-list command displays the sequence numbers of all entries.
To turn off automatic numbering of prefix list entries, use the no ip prefix-list sequence-number command in global configuration mode. To enable it again, use the ip prefix-list sequence-number command.
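The numbering and first-match rules above, modelled in Python as an added example; this is not code from the page or from Cisco IOS. The model keeps entries by sequence number, assigns numbers the way the text describes (highest existing number plus 5, starting at 5, gaps not reused), deletes a single entry by its number, and evaluates routes in ascending order with the implicit deny at the end. For brevity the entry condition is an exact network/length match, i.e. an entry written without ge or le; the list name demo and the 10.x.0.0/16 routes are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    prefix: IPv4Network    # exact-match condition (entry without ge/le)


@dataclass
class PrefixList:
    """Model of one IOS prefix list: entries are kept by sequence number,
    checked in ascending order, and the first match decides."""
    name: str
    entries: Dict[int, Entry] = field(default_factory=dict)

    def add(self, action: str, prefix: str, seq: Optional[int] = None) -> int:
        # ip prefix-list NAME [seq N] permit|deny PREFIX
        # Without 'seq' the router assigns max(existing) + 5, starting at 5;
        # numbers freed by deletions are not reused.
        if seq is None:
            seq = max(self.entries, default=0) + 5
        self.entries[seq] = Entry(seq, action, ip_network(prefix))
        return seq

    def delete(self, seq: int) -> None:
        # no ip prefix-list NAME seq N  -> removes only that entry
        del self.entries[seq]

    def sequence_numbers(self) -> List[int]:
        # The order 'show ip prefix-list NAME' lists entries, and the check order.
        return sorted(self.entries)

    def evaluate(self, route: str) -> Tuple[Optional[int], str]:
        """Return (seq, action) of the first matching entry; (None, 'deny')
        when nothing matches (the implicit 'deny any')."""
        r = ip_network(route)
        for seq in self.sequence_numbers():
            e = self.entries[seq]
            if e.prefix == r:
                return seq, e.action
        return None, "deny"


def demo() -> dict:
    """Walk through the numbering rules of section 4 and collect the results."""
    pl = PrefixList("demo")                        # constructed list
    pl.add("deny", "10.1.0.0/16")                  # gets seq 5
    pl.add("permit", "10.2.0.0/16")                # gets seq 10
    pl.add("permit", "10.1.0.0/16")                # gets seq 15, shadowed by seq 5
    out = {"auto_numbers": pl.sequence_numbers()}
    out["first_match"] = pl.evaluate("10.1.0.0/16")     # (5, 'deny'): lowest seq wins
    pl.delete(5)                                   # no ip prefix-list demo seq 5
    out["after_delete"] = pl.evaluate("10.1.0.0/16")    # now (15, 'permit')
    out["unmatched"] = pl.evaluate("10.9.0.0/16")       # (None, 'deny')
    pl.add("permit", "10.3.0.0/16", seq=23)        # explicit sequence number
    out["next_auto"] = pl.add("permit", "10.4.0.0/16")  # 28: max + 5, gap at 5 not reused
    pl.add("permit", "10.5.0.0/16", seq=12)        # inserted between 10 and 15
    out["final_order"] = pl.sequence_numbers()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted-then-readded case is the one worth noticing: after seq 5 is removed, the route 10.1.0.0/16 is permitted by seq 15, and the next automatic number is 28, not 5 or 20.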

5. Examples of using prefix lists


Consider the prefix list ip prefix-list filter1 permit 192.168.0.0/16. Which of the following routes match this entry: the route to 192.168.0.0/16, the route to 192.168.0.0/20, or the route to 192.168.2.0/24?
Only the route to 192.168.0.0/16 matches, because it is the only one that satisfies both the address condition and the exact mask-length condition.
Consider two more prefix lists:
  • ip prefix-list filter2 permit 192.168.0.0/16 le 20
  • ip prefix-list filter3 permit 192.168.0.0/16 ge 18

In the first case the routes to 192.168.0.0/16 and 192.168.0.0/20 match; the route to 192.168.2.0/24 has a longer mask than allowed.
In the second case the routes to 192.168.0.0/20 and 192.168.2.0/24 match; the mask of the route to 192.168.0.0/16 is too short.
Another example is the prefix list ip prefix-list filter4 permit 0.0.0.0/0. The all-zeros prefix matches every network, but since ge and le are not used the mask must also match exactly, /0, so only the default route matches this prefix list.
The list ip prefix-list filter5 permit 0.0.0.0/0 ge 32 matches any route with a /32 mask.
The list ip prefix-list filter6 permit 0.0.0.0/0 le 32 matches every route, whatever its network and mask length.
To select all routes with a mask from /1 to /24, the following prefix list is used: ip prefix-list filter7 permit 0.0.0.0/1 le 24.
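The matching rules from section 3 and the examples in this section, worked through in Python as an added example that is not part of the page. entry_matches implements the rule the text describes: the route's first length bits must equal the entry's, and the route's mask length must fall in the range derived from ge and le (exact when both are absent, ge to 32, length to le, or ge to le). canonical reproduces the rewrite of 172.16.10.0/8 to 172.0.0.0/8 seen in show running-config. The data covers the five scenarios test1 to test5 against router B's three routes, and filter1 to filter7 against the routes named in this section plus the constructed routes 10.1.1.1/32 and 10.0.0.0/8. A constructed entry filter7_any (0.0.0.0/0 ge 1 le 24) is included for comparison: with length 0 it checks no address bits, whereas 0.0.0.0/1 le 24 makes the first address bit part of the condition.

```python
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

# A prefix-list entry is (prefix, ge, le); ge and le are None when absent.
Entry = Tuple[str, Optional[int], Optional[int]]


def canonical(prefix: str) -> IPv4Network:
    """Keep only the first /length bits of the address, which is why IOS
    rewrites 172.16.10.0/8 as 172.0.0.0/8 in show running-config."""
    return ip_network(prefix, strict=False)


def mask_range(entry_len: int, ge: Optional[int], le: Optional[int]) -> Tuple[int, int]:
    """Mask-length range a route must fall into, per the section 3 rules."""
    if ge is None and le is None:
        return entry_len, entry_len       # neither: exact length match
    if le is None:
        return ge, 32                     # ge only: ge-value .. 32
    if ge is None:
        return entry_len, le              # le only: length .. le-value
    return ge, le                         # both: ge-value .. le-value


def entry_matches(entry: Entry, route: str) -> bool:
    prefix, ge, le = entry
    net = canonical(prefix)
    r = ip_network(route)
    plen = net.prefixlen
    # Address condition: the first `plen` bits of the route equal the entry's.
    shift = 32 - plen
    if (int(r.network_address) >> shift) != (int(net.network_address) >> shift):
        return False
    lo, hi = mask_range(plen, ge, le)
    return lo <= r.prefixlen <= hi


def permitted(entry: Entry, routes: List[str]) -> List[str]:
    """Routes that a single permit entry lets through."""
    return [r for r in routes if entry_matches(entry, r)]


# Router B's three routes from section 3 (the aggregate plus the two /24s).
B_ROUTES = ["172.16.0.0/16", "172.16.10.0/24", "172.16.11.0/24"]
SCENARIOS: Dict[str, Entry] = {
    "test1": ("172.16.10.0/8", None, 24),
    "test2": ("172.16.10.0/8", None, 16),
    "test3": ("172.16.10.0/8", 17, None),
    "test4": ("172.16.10.0/8", 16, 24),
    "test5": ("172.16.10.0/8", 17, 24),
}

# Routes from section 5, plus constructed 10.1.1.1/32 and 10.0.0.0/8.
FILTER_ROUTES = ["192.168.0.0/16", "192.168.0.0/20", "192.168.2.0/24",
                 "0.0.0.0/0", "10.1.1.1/32", "10.0.0.0/8"]
FILTERS: Dict[str, Entry] = {
    "filter1": ("192.168.0.0/16", None, None),
    "filter2": ("192.168.0.0/16", None, 20),
    "filter3": ("192.168.0.0/16", 18, None),
    "filter4": ("0.0.0.0/0", None, None),
    "filter5": ("0.0.0.0/0", 32, None),
    "filter6": ("0.0.0.0/0", None, 32),
    "filter7": ("0.0.0.0/1", None, 24),
    # constructed alternative: length 0 means no address bits are compared
    "filter7_any": ("0.0.0.0/0", 1, 24),
}


def run(entries: Dict[str, Entry], routes: List[str]) -> Dict[str, List[str]]:
    return {name: permitted(entry, routes) for name, entry in entries.items()}


if __name__ == "__main__":
    for name, hits in run(SCENARIOS, B_ROUTES).items():
        print(f"{name}: {hits}")
    for name, hits in run(FILTERS, FILTER_ROUTES).items():
        print(f"{name}: {hits}")
```

The result worth looking at is filter7: because its length is 1, the first bit of the address is part of the condition, so 192.168.0.0/16 (first bit 1) is not matched and only 10.0.0.0/8 is, while the constructed 0.0.0.0/0 ge 1 le 24 matches every route with a mask from /1 to /24 regardless of address.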

6. Managing redistribution using prefix lists


Consider the network shown in Figure 2. Suppose we need to restrict the redistribution of routing information from one protocol to another only to certain networks:
From the routing domain of the RIPv2 protocol to the routing domain of the OSPFv2 protocol, only information about the networks should be transmitted:
  • 10.1.0.0
  • 10.2.0.0
  • 10.3.0.0

From the routing domain of the OSPFv2 protocol to the routing domain of the RIPv2 protocol, you need to transfer information only about networks:
  • 10.8.0.0
  • 10.9.0.0
  • 10.10.0.0
  • 10.11.0.0

Figure 2. The network used to demonstrate redistribution control using prefix lists.

Router R2 has the following configuration:
router ospf 1
network 10.0.0.8 0.0.0.0 area 0
redistribute rip route-map intoOSPF subnets
router rip
network 10.0.0.0
version 2
passive-interface s0/0/0
redistribute ospf 1 route-map intoRIP metric 5
route-map intoOSPF permit 10
match ip address prefix-list PFX1
route-map intoRIP permit 10
match ip address prefix-list PFX2
ip prefix-list PFX1 permit 10.0.0.0/14
ip prefix-list PFX2 permit 10.8.0.0/14

The intoOSPF route map uses the PFX1 prefix list. Thus all networks within the range 10.0.0.0/14, from 10.0.0.0 to 10.3.0.0, are allowed to be redistributed from RIP into OSPF; other networks are denied by this prefix list and are not redistributed.
The intoRIP route map uses the PFX2 prefix list. Thus all networks within the range 10.8.0.0/14, from 10.8.0.0 to 10.11.0.0, are allowed to be redistributed from OSPF into RIP; other networks are denied by this prefix list and are not redistributed.
Note that whether a route is redistributed is decided only by the permit or deny action of the route-map command, not by the permit or deny action of the ip prefix-list command. The permit or deny action of the ip prefix-list command only determines whether the route matches the route map's condition.
In networks with redundant paths, prefix lists can be used to prevent routing loops. But, like distribute lists, prefix lists can remove some routes from updates entirely, so some routers will not learn alternative paths to some networks; use these techniques with caution in networks with backup paths.
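The route-map and prefix-list interaction described in this section, modelled in Python as an added example; this is neither R2's configuration nor Cisco code. route_map_redistributes applies the rule stated above: a clause matches only when its prefix list permits the route, a prefix-list deny simply falls through to the next clause, and the clause's own permit or deny decides; an unmatched route hits the route map's implicit deny. Two things in the data are assumptions: the RIP networks are taken as /16 (the text gives no masks), and, because PFX1 as configured has no ge or le, section 3's exact-match rule means it matches only 10.0.0.0/14 itself, so constructed variants PFX1_LE16 (with le 16), PFX1_MIXED (a deny entry in front) and a deny-then-permit-all route map INTO_OSPF_BLOCK are included to show each behaviour.

```python
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Prefix lists as lists of (action, prefix, le). le is None when absent, in
# which case the entry requires an exact match of address bits and mask
# length; with le the mask may run from the entry's own length up to le.
PREFIX_LISTS: Dict[str, List[Tuple[str, str, Optional[int]]]] = {
    "PFX1": [("permit", "10.0.0.0/14", None)],      # as configured on R2
    "PFX2": [("permit", "10.8.0.0/14", None)],      # as configured on R2
    # constructed variants, not from the page:
    "PFX1_LE16": [("permit", "10.0.0.0/14", 16)],
    "PFX1_MIXED": [("deny", "10.1.0.0/16", None),
                   ("permit", "10.0.0.0/14", 16)],
}


def prefix_list_permits(entries, route: str) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    r = ip_network(route)
    for action, prefix, le in entries:
        net = ip_network(prefix, strict=False)
        shift = 32 - net.prefixlen
        same_bits = (int(r.network_address) >> shift) == (int(net.network_address) >> shift)
        hi = net.prefixlen if le is None else le
        if same_bits and net.prefixlen <= r.prefixlen <= hi:
            return action == "permit"
    return False


def route_map_redistributes(clauses, route: str) -> bool:
    """clauses: ordered list of (action, prefix_list_name or None).
    A clause matches when it has no match condition or its prefix list
    permits the route. The clause action then decides redistribution."""
    for action, pl_name in clauses:
        if pl_name is None or prefix_list_permits(PREFIX_LISTS[pl_name], route):
            return action == "permit"
    return False    # implicit deny at the end of every route map


# route-map intoOSPF permit 10 / match ip address prefix-list PFX1 (as on the page)
INTO_OSPF = [("permit", "PFX1")]
# constructed variants
INTO_OSPF_LE16 = [("permit", "PFX1_LE16")]
INTO_OSPF_MIXED = [("permit", "PFX1_MIXED")]
# "deny these, permit the rest": prefix-list permit combined with route-map deny
INTO_OSPF_BLOCK = [("deny", "PFX1_LE16"), ("permit", None)]

# Assumed: the RIP networks are /16; 10.4.0.0/16 is a constructed outsider.
RIP_ROUTES = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"]


def redistributed(clauses, routes: List[str] = RIP_ROUTES) -> List[str]:
    return [r for r in routes if route_map_redistributes(clauses, r)]


if __name__ == "__main__":
    print("PFX1 matches 10.0.0.0/14:", prefix_list_permits(PREFIX_LISTS["PFX1"], "10.0.0.0/14"))
    print("intoOSPF as configured:", redistributed(INTO_OSPF))
    print("with le 16:", redistributed(INTO_OSPF_LE16))
    print("deny entry in front:", redistributed(INTO_OSPF_MIXED))
    print("route-map deny, then permit all:", redistributed(INTO_OSPF_BLOCK))
```

INTO_OSPF_MIXED and INTO_OSPF_BLOCK are the two cases that separate the prefix-list action from the route-map action: a prefix-list deny on 10.1.0.0/16 leaves the permit clause unmatched, so the route falls to the implicit deny; a prefix-list permit under a route-map deny clause blocks exactly the permitted routes and lets everything else through. On the router, show ip prefix-list PFX1 10.1.0.0/16 firstmatch (Table 2) is the corresponding check of which entry a given route hits.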

7. Checking prefix lists


The main commands for checking and diagnosing prefix lists are shown in Table 2. Use the ? help (for example, ip prefix-list ?) for complete information on the available parameters and their purpose.

Table 2. Commands for checking and diagnosing prefix lists
Command                                                          Description
show ip prefix-list [ detail | summary ]                         Displays information about all prefix lists. With detail, the description and hit counters of each entry are shown
show ip prefix-list [ detail | summary ] prefix-list-name        Displays the entries of the specified prefix list
show ip prefix-list prefix-list-name [ network/length ]          Displays the policy the prefix list applies to the specified network/mask pair
show ip prefix-list prefix-list-name [ seq sequence-number ]     Displays the entry of the prefix list with the specified sequence number
show ip prefix-list prefix-list-name [ network/length ] longer   Displays all entries of the prefix list that match and are more specific than the specified network/mask pair
show ip prefix-list prefix-list-name [ network/length ] firstmatch   Displays the first entry of the prefix list that matches the specified network/mask pair
clear ip prefix-list prefix-list-name [ network/length ]         Resets the hit counters of the specified prefix list

The following example shows the output of the show ip prefix-list detail command. A single prefix list named "superonly" with one entry, number 5, was created on the router. The value "hit count: 0" means that no route has matched this entry yet.

The output of the show ip prefix-list detail command is:
ROUTER# show ip prefix-list detail
Prefix-list with the last deletion/insertion: superonly
ip prefix-list superonly:
Description: only permit supernet
count: 1, range entries: 0, sequences: 5 - 5, refcount: 1
seq 5 permit 172.0.0.0/8 (hit count: 0, refcount: 1)
