Prefix-list vs ACL
So I have been running through some router filtering labs and I had a question on the difference between an IP prefix list, and an ACL, and when to use what.
For example:
Router A connected to Router B, both in OSPF area 0
Router A is advertising the networks 1.1.1.1, 2.2.2.2, and 3.3.3.3
On Router B, we add:
distribute-list 1 in
access-list 1 deny 2.2.2.2
access-list 1 permit any
In this case, we would not install 2.2.2.2 in the routing table, but the other routes would be installed.
Now if we were to do this with a prefix-list:
distribute-list prefix BLOCK in
ip prefix-list BLOCK deny 2.2.2.2/32
ip prefix-list BLOCK permit 0.0.0.0/0
And we get the same result.
My question is, why would you use one over the other? I know that prefix lists allow the GE and LE option to offer some more flexibility, but when talking about specific routes, I don't understand the difference.
Thanks for any input
Comments
ITdude Member Posts: 1,181
It is really your call, but prefix lists are generally the most convenient way to filter networks in BGP. In some cases, however, for example when you want to filter odd and even networks while you also control the mask length, extended access lists will offer you greater flexibility and control than prefix lists.
With a prefix-list you can pull entries out of a sequence, and insert them without re-writing the entire prefix-list again.
HTH a little

I usually hang out on 224.0.0.10 (FF02::A) and 224.0.0.5 (FF02::5) when I'm in a non-proprietary mood.
__________________________________________
Simplicity is the ultimate sophistication.
(Leonardo da Vinci)

dtlokee Member Posts: 2,378
You can achieve the same results with both methods as you demonstrated. I find prefix lists to be more convenient and will typically use them. You can use extended access-lists to achieve some odd matching rules but I typically don't find a need to do that in production.
For my money it doesn't get any better than prefix-lists.

The only easy day was yesterday!

GT-Rob Member Posts: 1,090
Haha, sounds good. I was seeing the same results, but I just wasn't sure if there was something happening that I was missing.
Also, I have noticed on some IOS releases that the 0.0.0.0/0 doesn't work unless I throw on ge 1, just in case anyone has ever had a problem with that.

dtlokee Member Posts: 2,378
I would use 0.0.0.0/0 le 32 to match all routes

The only easy day was yesterday!
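
The ge/le point raised in the last two replies, as an added example that is not part of the original thread: a small Python model of prefix-list matching, so the three variants of the final permit line can be compared on the same routes. It assumes the usual prefix-list rules (an entry without ge/le matches only its exact mask length, first match wins, implicit deny at the end); the route set and the names BLOCK_GE_1 and BLOCK_LE_32 are constructed for illustration, and the output comes from the model, not from a router.

```python
import ipaddress

def entry_matches(prefix, route, ge=None, le=None):
    """True if `route` matches one prefix-list entry under the modelled rules."""
    entry = ipaddress.ip_network(prefix)
    candidate = ipaddress.ip_network(route)
    if ge is None and le is None:
        lo = hi = entry.prefixlen          # no ge/le: exact mask length only
    else:
        lo = ge if ge is not None else entry.prefixlen
        hi = le if le is not None else 32  # ge alone runs up to /32
    # The route must sit inside the entry's prefix AND have an allowed length.
    return candidate.subnet_of(entry) and lo <= candidate.prefixlen <= hi

def evaluate(prefix_list, route):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(prefix, route, ge, le):
            return action
    return "deny"

def accepted(prefix_list, routes):
    """Routes that the filter would let through."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# Constructed route set: the three /32s from the question plus a default route.
ROUTES = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32", "0.0.0.0/0"]

DENY_2 = ("deny", "2.2.2.2/32", None, None)
# (action, prefix, ge, le) tuples; BLOCK_AS_POSTED mirrors the list in the question.
BLOCK_AS_POSTED = [DENY_2, ("permit", "0.0.0.0/0", None, None)]
BLOCK_GE_1 = [DENY_2, ("permit", "0.0.0.0/0", 1, None)]     # hypothetical name
BLOCK_LE_32 = [DENY_2, ("permit", "0.0.0.0/0", None, 32)]   # hypothetical name

if __name__ == "__main__":
    for name, plist in [("as posted", BLOCK_AS_POSTED),
                        ("ge 1", BLOCK_GE_1),
                        ("le 32", BLOCK_LE_32)]:
        print(f"{name:10} -> {accepted(plist, ROUTES)}")
```

In this model `ge 1` lets every route except the default through, while `le 32` also keeps the default route.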