Using Prefix-list in Route Filtering
-------------------------------------

1. Introduction

Currently the access-list is implemented using linked lists and is used for both route filtering and packet filtering. This implementation, however, has shown performance limitations in large-scale route filtering, including excessive CPU utilization and long loading time.

The prefix-list is implemented to address these performance limitations. Based on a radix trie, it offers a scalable route filtering mechanism for routing protocols. Compared with the access-list, it provides a significant performance improvement (in terms of CPU consumed), faster loading of large lists, and support for incremental configuration. In addition, the command line interface has been made more intuitive.

The prefix-list preserves several key features of the access-list:

- Configuration of either "permit" or "deny".
- Order dependency - first match wins when there are multiple overlapping (i.e., sharing a subset of prefixes) entries in a prefix-list.
- Filtering on prefix length - both exact match and range match are supported.

To avoid overloading, the prefix-list does not support packet filtering.

This document presents the detailed configuration commands and several applications of the prefix-list in route filtering.

2. Configuration Commands

There are several configuration commands related to the prefix-list.

Command:  [no] ip prefix-list sequence-number

This command can be used to disable or enable the NVGEN of the sequence numbers (see below) of prefix-list entries. The default is "enable".

Command:  no ip prefix-list <list-name>

where <list-name> is the string identifier of a prefix-list. This command can be used to delete (i.e., destroy) a prefix-list.

Command:  [no] ip prefix-list <list-name> description <text>

This command can be used to add/delete a text description for a prefix-list.

Command:  [no] ip prefix-list <list-name> [seq <seq-value>] deny|permit \
               <network>/<len> [ge <ge-value>] [le <le-value>]

<list-name>: Mandatory. A string identifier of a prefix-list.

seq <seq-value>: Optional.
It can be used to specify the sequence number of an entry being configured. By default, the entries of a prefix-list have sequence values of 5, 10, 15 and so on. In the absence of a specified sequence value, the entry is assigned a sequence number of (Current_Max + 5). A prefix-list is an ordered list. The number is significant when a given prefix is matched by multiple entries of a prefix-list, in which case the one with the smallest sequence number is considered the real match. The sequence number does not need to be specified when de-configuring an entry.

deny|permit: Mandatory. The action taken once a match is found.

<network>/<len>: Mandatory. The prefix (i.e., network and prefix length). Multiple policies (exact match or range match) with different sequence numbers can be configured for the same <network>/<len>.

ge <ge-value>: Optional.

le <le-value>: Optional.

Both "ge" and "le" are optional. They can be used to specify the range of the prefix length to be matched for prefixes that are more specific than <network>/<len>. Exact match is assumed when neither "ge" nor "le" is specified. The range is assumed to be from "ge-value" to 32 if only the "ge" attribute is specified, and from "len" to "le-value" if only the "le" attribute is specified. A specified <ge-value> and/or <le-value> must satisfy the following condition:

    len < ge-value < le-value <= 32

3. Configuration Examples

3.1 Specification of Exact Prefixes

- Deny the default route 0.0.0.0/0

    ip prefix-list abc deny 0.0.0.0/0

- Permit the prefix 35.0.0.0/8

    ip prefix-list abc permit 35.0.0.0/8

3.2 Specification of a Group of Prefixes

- In 192/8, accept up to /24

    ip prefix-list abc permit 192.0.0.0/8 le 24

- In 192/8, deny /25+

    ip prefix-list abc deny 192.0.0.0/8 ge 25

- In all address space, permit /8 - /24

    ip prefix-list abc permit 0.0.0.0/0 ge 8 le 24

- In all address space, deny /25+

    ip prefix-list abc deny 0.0.0.0/0 ge 25

- In 10/8, deny all

    ip prefix-list abc deny 10.0.0.0/8 le 32

- In 204.70.1/24, deny /25+

    ip prefix-list abc deny 204.70.1.0/24 ge 25

- Permit all

    ip prefix-list abc permit 0.0.0.0/0 le 32

3.3 Incremental Configuration

A prefix-list can be re-configured incrementally, that is, an entry can be deleted or added individually. For example, to change a prefix-list from the initial configuration to a new configuration, only the difference between the two needs to be deployed, as follows.

The initial configuration:

    ip prefix-list abc deny 0.0.0.0/0 le 7
    ip prefix-list abc deny 0.0.0.0/0 ge 25
    ip prefix-list abc permit 35.0.0.0/8
    ip prefix-list abc permit 204.70.0.0/15

The new configuration:

    ip prefix-list abc deny 0.0.0.0/0 le 7
    ip prefix-list abc deny 0.0.0.0/0 ge 25
    ip prefix-list abc permit 35.0.0.0/8
    ip prefix-list abc permit 198.0.0.0/8

The difference between the two configurations:

    no ip prefix-list abc permit 204.70.0.0/15
    ip prefix-list abc permit 198.0.0.0/8

3.4 Remarks on the Sequence Number

The sequence number is used internally to identify the "real" match (the one with the lowest sequence number) when multiple prefix-list entries match a given prefix. It can also be used to insert an entry at a specific relative position (e.g., sequence number of 7).
However, in most cases a prefix-list can be structured such that there is no need to specify sequence numbers, and such an approach makes it easier to automate prefix-list generation, "diff" generation, and deployment.

By default, the sequence numbers are generated in NVGEN, and they can be suppressed with the configuration command

    [no] ip prefix-list sequence-number

Regardless of whether the default sequence numbers are used in configuring a prefix-list, a sequence number does not need to be specified when de-configuring an entry. In addition, the show commands always include the sequence numbers in their output.

4. How Does Matching Work

The matching is similar to that of the access-list. More specifically:

- An empty prefix-list permits all prefixes.
- An implicit deny is assumed if a given prefix does not match any entry of a prefix-list.
- When multiple entries of a prefix-list match a given prefix, the one with the smallest sequence number is considered the "real" match. In short, the first match wins!

Here is an example to illustrate the "first match" rule. Suppose that a prefix-list is configured as follows:

    ip prefix-list abc deny 10.0.0.0/8 le 32
    ip prefix-list abc permit 0.0.0.0/0 le 32

Then a given prefix 10.1.0.0/16 would match both entries. However, the prefix will be "denied", as the first entry is the real match.

5. Show and Clear Commands

    show ip prefix-list [detail|summary]
        ---> Displays information of all prefix-lists.

    show ip prefix-list [detail|summary] [<list-name>]
        ---> Displays information of a prefix-list.
    show ip prefix-list <list-name> [seq <seq-value>]
        ---> Displays the prefix-list entry with the given sequence number.

    show ip prefix-list <list-name> <network>/<len>
        ---> Displays the policy associated with the node <network>/<len>.

    show ip prefix-list <list-name> <network>/<len> longer
        ---> Displays all entries of a prefix-list that are more specific than the given <network>/<len>.

    show ip prefix-list <list-name> <network>/<len> first-match
        ---> Displays the entry of a prefix-list that matches the given <network>/<len>.

    clear ip prefix-list [<list-name>] [<network>/<len>]
        ---> Resets the "hit count" of prefix-list entries.

6. Using Prefix-list with BGP

The prefix-list can be used as an alternative to the BGP "neighbor x.x.x.x distribute-list" command. These two neighbor commands are mutually exclusive for a BGP peer.

Configuration Command:

    router bgp xxx
     neighbor x.x.x.x prefix-list <list-name> in|out

In addition, a prefix-list can be used in route-maps that are configured for BGP peers. This application is detailed in the next section.

7. Using Prefix-list in Route-map

The prefix-list can be used as an alternative to the access-lists used in the "match ip address|next-hop|route-source <access-list>" command of a route-map. Prefix-lists and access-lists are mutually exclusive within the same sequence of a route-map.

Configuration Command:

    route-map <name> permit|deny <seq>
     match ip address|next-hop|route-source prefix-list <list-name> [<list-name> ...]

Besides its application in BGP, route-maps using prefix-lists can be used for route filtering, default origination, and redistribution in other routing protocols as well. For example, the following configuration can be used to conditionally originate a default route (0.0.0.0/0) when the prefix 10.1.1.0/24 exists in the routing table:

    ip prefix-list cond permit 10.1.1.0/24
    !
    route-map default-condition permit 10
     match ip address prefix-list cond
    !
    router rip
     default-information originate route-map default-condition
    !

8. Using Prefix-list in the Distribute-list Command

The prefix-list can be used to filter inbound and outbound routing updates via the distribute-list command.
Compared with using the access-list, prefix-list based filtering offers the ability to filter on prefix length. It also has the flexibility of filtering on either the prefix, or the gateway, or both for incoming updates. As usual, access-list and prefix-list are mutually exclusive in one "distribute-list" command.

8.1 Filtering on inbound updates

Inbound updates can be filtered on the prefix, or the gateway, or both prefix and gateway:

    router rip | igrp | eigrp
     distribute-list {prefix <list1>} | {gateway <list2>} | {prefix <list1> gateway <list2>} in [<interface>]

where <list1> is the name of a prefix-list to be applied to the prefix being updated, and <list2> the name of a prefix-list to be applied to the gateway (i.e., next-hop) of a prefix being updated. The filtering can also be specified for a specific interface.

8.2 Filtering on outbound updates

    router rip | igrp | eigrp
     ...
     distribute-list prefix <list-name> out [<interface> | <routing-process>]

8.3 Example

In the following configuration, the RIP process will only accept prefixes with a prefix length of /8 to /24:

    router rip
     version 2
     network x.x.x.x
     distribute-list prefix max24 in
    !
    ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
    !

Also, the following configuration will make RIP accept routing updates from 192.1.1.1 only, in addition to the filtering on prefix length:

    router rip
     distribute-list prefix max24 gateway allowlist in
    !
    ip prefix-list allowlist seq 5 permit 192.1.1.1/32
    !

9. Debugging with Prefix-list

To be implemented.

10. Availability

11.1CC(17), 11.3(3) and 12.0, with the exception of the command

    [no] ip prefix-list sequence-number

which will be integrated into later releases.

THE END
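The ge/le range semantics and the len < ge-value < le-value <= 32 condition of Section 2, the default (Current_Max + 5) sequence numbering, and the first-match/implicit-deny rules of Section 4, worked through as an added Python model (not Cisco's implementation and not part of the original document). The names parse_entry and PrefixList are assumptions; the model accepts the CLI lines shown in Sections 3 and 4 and answers lookups the way those sections describe.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list <name> [seq N] permit|deny A.B.C.D/len [ge G] [le L]'."""
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"]:
        raise ValueError("expected 'ip prefix-list <list-name> ...'")
    i, seq = 3, None
    if tok[i] == "seq": seq, i = int(tok[i + 1]), i + 2   # optional explicit seq
    action, net = tok[i], ipaddress.ip_network(tok[i + 1], strict=True)
    ge = le = None
    for kw, val in zip(tok[i + 2::2], tok[i + 3::2]):
        if kw == "ge": ge = int(val)
        elif kw == "le": le = int(val)
        else: raise ValueError("unknown keyword " + kw)
    n = net.prefixlen
    # Section 2's condition: len < ge-value < le-value <= 32 (each bound if given)
    if ge is not None and not n < ge <= 32: raise ValueError("bad ge")
    if le is not None and not n < le <= 32: raise ValueError("bad le")
    if ge is not None and le is not None and ge >= le: raise ValueError("ge >= le")
    # Exact match by default; only ge -> ge..32; only le -> len..le
    lo = ge if ge is not None else n
    hi = le if le is not None else (32 if ge is not None else n)
    return seq, action, net, lo, hi

class PrefixList:
    def __init__(self):
        self.entries = []  # (seq, action, network, lo, hi), kept sorted by seq

    def add(self, line):
        seq, action, net, lo, hi = parse_entry(line)
        if seq is None:  # default sequence number: Current_Max + 5
            seq = max((e[0] for e in self.entries), default=0) + 5
        self.entries.append((seq, action, net, lo, hi))
        self.entries.sort(key=lambda e: e[0])
        return seq

    def remove(self, line):
        # "no ip prefix-list ..." form; the sequence number need not be given
        _, action, net, lo, hi = parse_entry(line.split(None, 1)[1])
        self.entries = [e for e in self.entries if e[1:] != (action, net, lo, hi)]

    def lookup(self, prefix):
        """First match (lowest seq) wins: returns (action, seq); implicit deny otherwise."""
        p = ipaddress.ip_network(prefix, strict=True)
        if not self.entries: return ("permit", None)  # empty list permits all
        for seq, action, net, lo, hi in self.entries:
            if p.subnet_of(net) and lo <= p.prefixlen <= hi:
                return (action, seq)
        return ("deny", None)
```

Feeding it the two-entry list from Section 4 returns ("deny", 5) for 10.1.0.0/16, and the Section 3.3 change (remove 204.70.0.0/15, add 198.0.0.0/8) reuses sequence number 20 because the default is Current_Max + 5.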