Prefix list technology principle and experiment (Huawei equipment)

Overview:

The prefix list is used specifically to match routing entries, not traffic. It can be thought of as an upgraded basic ACL: it matches not only the network number (the source) of a routing entry but also the mask length of that entry.

Rules:

  1. Multiple index entries can be created in an address prefix list, and each index corresponds to a filtering rule.
  2. When a certain index item is matched, if the index item is permit, the route is allowed to pass; if the index item is deny, the route is rejected.
  3. When all the index items in the address prefix list are traversed, and no match is found, the route is rejected.

As shown in the figure, the routes to be filtered are matched against the entries in order of index number, from smallest to largest.
The principle of filtering routes in the address prefix list can be summarized as: sequential matching, unique matching, and default rejection.

  1. Sequential matching: entries are checked in order of index number, from smallest to largest. The same entries placed in a different index order can produce a different filtering result, so pay attention to the order in the actual configuration.
  2. Unique match: As long as the route to be filtered matches one entry, it will not try to match other entries.
  3. Default deny: By default, all routes that do not match any entry are regarded as failing the filtering of the address prefix list. Therefore, after creating one or more deny mode entries in an address prefix list, you need to create an entry to allow all other routes to pass.

ip-prefix syntax:

The address prefix list is configured through the ip ip-prefix command, and the common format is as follows:
ip ip-prefix ip-prefix-name [index index-number] {permit | deny} ipv4-address mask-length [greater-equal greater-equal-value] [less-equal less-equal-value]

Among them, ipv4-address mask-length [greater-equal greater-equal-value] [less-equal less-equal-value] limits the network number and the mask-length range of the routes to be filtered. The meanings of the parameters are listed below.

Parameter meaning:

  1. ipv4-address: used to specify the network number.
  2. mask-length: the number of leading bits of the network number that must match exactly.
  3. greater-equal greater-equal-value: can be understood as mask ≥ greater-equal-value.
  4. less-equal less-equal-value: can be understood as mask ≤ less-equal-value.

When the route to be filtered matches the network number of the current entry, the mask length can be matched exactly or within a certain mask length range:

  1. If neither greater-equal nor less-equal is configured, exact matching is performed: only routes whose mask length equals mask-length are matched.
  2. If only greater-equal is configured, the matching mask length range is [greater-equal-value, 32].
  3. If only less-equal is configured, the matched mask length range is [mask-length, less-equal-value].
  4. If greater-equal and less-equal are configured at the same time, the matching mask length range is [greater-equal-value, less-equal-value].

Wildcard address (0.0.0.0) matching example:
The wildcard address 0.0.0.0 means that the network number is not limited; only the mask range needs to match. Several special wildcard addresses are listed in the table.
Note: The address prefix list adopts the matching principle of default deny. After creating one or more entries in the deny mode, you need to create a permit 0.0.0.0 0 less-equal 32 entry to allow all other routes to pass.


How to use the prefix list:

In addition to working with tools such as routing policies, you can use filter-policy to filter the globally advertised and received routing information (filter-policy can reference either an ACL or a prefix list):

  1. The ip ip-prefix command can be used in conjunction with the following commands to filter the globally advertised routing information using the address prefix list as the filter condition. 
    filter-policy export (under RIP view) 
    filter-policy export (under OSPF view) 
    filter-policy export (under IS-IS view) 
    filter-policy export (under BGP view)

  2. The ip ip-prefix command can be used in conjunction with the following commands to filter the routing information received globally using the address prefix list as the filter condition. 
    filter-policy import (under RIP view)
    filter-policy import (under OSPF view)
    filter-policy import (under IS-IS view)
    filter-policy import (under BGP view)

  3. The ip ip-prefix command can be used in conjunction with the following commands to configure a filter based on the address prefix list for route filtering for a specific peer.
    peer ip-prefix (BGP)

  4. In the IS-IS protocol, when configuring route leaking to avoid sub-optimal paths:
    Use the address prefix list as the filter condition to control which IS-IS Level-1 routes are leaked into the Level-2 area.
    import-route isis level-1 into level-2 filter-policy ip-prefix ip-prefix-name [tag tag]
    Use the address prefix list as the filter condition to control which IS-IS Level-2 routes are leaked into the Level-1 area.
    import-route isis level-2 into level-1 filter-policy ip-prefix ip-prefix-name [tag tag]

Experiment:

R1 and R2 establish an IBGP neighbor relationship, and R2 advertises two loopback interfaces into BGP. Configure the prefix list on R1 and apply it to the peer in the import direction (the peer command must reference the prefix list by the same name it was created with):
ip ip-prefix gok index 10 deny 1.1.1.1 32 greater-equal 32 less-equal 32
bgp 1
 peer 10.1.1.2 ip-prefix gok import
On R2 you can see that two routes are sent to R1.
Checking on R1 then shows no BGP routing entries at all: the route that matches the deny entry is filtered out, and the route that matches no entry is filtered as well, because of the default deny.
For OSPF filtering the default behaviour is the same whether a prefix list or an ACL is used: routes that match no entry are rejected by default.
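As an added example (not code from the original post or from Huawei), the following Python simulates the ip-prefix matching rules described above: the network-number check, the four mask-length range rules, the 0.0.0.0 wildcard, and sequential/unique/default-deny evaluation. It is then fed the R1 prefix list from the experiment. The parser, class and function names are my own, and the step-of-10 automatic index for entries without an explicit index is an assumption.

```python
import ipaddress
import re
from typing import NamedTuple
# Grammar of the ip ip-prefix command above: index, greater-equal and less-equal are optional.
CMD = re.compile(r"ip ip-prefix (?P<name>\S+)(?: index (?P<index>\d+))? (?P<action>permit|deny) "
                 r"(?P<addr>[\d.]+) (?P<len>\d+)(?: greater-equal (?P<ge>\d+))?(?: less-equal (?P<le>\d+))?$")

class PrefixEntry(NamedTuple):
    index: int
    action: str                     # permit or deny
    network: ipaddress.IPv4Address  # ipv4-address
    mask_length: int                # leading bits of the network number that must match
    ge: "int | None"                # greater-equal-value, or None if not configured
    le: "int | None"                # less-equal-value, or None if not configured

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The first mask_length bits must agree; mask-length 0 shifts every bit out, so 0.0.0.0 0 matches any network.
        shift = 32 - self.mask_length
        if int(self.network) >> shift != int(route.network_address) >> shift:
            return False
        # Mask-length rules from the text: exact, [ge, 32], [mask-length, le] or [ge, le].
        if self.ge is None and self.le is None:
            return route.prefixlen == self.mask_length
        low = self.ge if self.ge is not None else self.mask_length
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high

def parse_prefix_list(lines):
    # Parse the commands of one address prefix list into entries sorted by index.
    entries = []
    for line in lines:
        m = CMD.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised command: {line}")
        # Assumption (not stated on the page): an omitted index continues in steps of 10.
        index = int(m["index"]) if m["index"] else (entries[-1].index + 10 if entries else 10)
        entries.append(PrefixEntry(index, m["action"], ipaddress.IPv4Address(m["addr"]), int(m["len"]),
                                   int(m["ge"]) if m["ge"] else None, int(m["le"]) if m["le"] else None))
    return sorted(entries, key=lambda e: e.index)

def filter_route(entries, route_str):
    # Sequential, unique, default-deny matching: returns (permitted, index of the matching entry or None).
    route = ipaddress.ip_network(route_str)
    for e in entries:                                # sequential: smallest index first
        if e.matches(route):
            return e.action == "permit", e.index     # unique: the first match decides
    return False, None                               # default deny: no entry matched

# Constructed input: the R1 prefix list from the experiment plus the catch-all permit the text recommends.
R1_LIST = ["ip ip-prefix gok index 10 deny 1.1.1.1 32 greater-equal 32 less-equal 32", "ip ip-prefix gok index 20 permit 0.0.0.0 0 less-equal 32"]
```

With only the deny entry (R1_LIST[:1]) both of R2's routes are dropped, reproducing the empty BGP table seen on R1; adding the index 20 catch-all lets every route other than the denied one through.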

Reference materials: "Switch in the arena", HCIE routing exchange study guide

Source: blog.csdn.net/tushanpeipei/article/details/112862459