Route filtering with prefix-list

Eildor Senior Member Posts: 444
I can't quite get my head around what additional functionality (apart from speed, apparently) filtering with prefix-lists adds when compared to filtering with an ACL. Perhaps someone could give me an example of where an ACL won't work to make things clear.

Thank you

Comments

  • networker050184 Went to the dark side.... Mod Posts: 11,962
    For example say you had a 10/8 range and you wanted to filter out everything in the 10.1/16 range that was longer than a /24. How many lines would that take with an ACL? How many with a prefix-list?
    An expert is a man who has made all the mistakes which can be made.
  • Eildor Senior Member Posts: 444
    networker050184 wrote: »
    For example say you had a 10/8 range and you wanted to filter out everything in the 10.1/16 range that was longer than a /24. How many lines would that take with an ACL? How many with a prefix-list?

    Now I'm even more confused. Are you asking how I would filter addresses using a subnet mask greater than a /24 in the 10.1.0.0 - 10.1.255.255 range?
  • mattau Senior Member Posts: 218
    the thing with an acl is, it's not designed to filter actual prefixes (although there is a hack on it)

    just like networker said, imagine having the enormous range of 10.1.0.0/16 and only wanting to deny the prefixes that were only in the range of 10.1.0.0/16 but had /24 masks.

    this means every acl would have to be like this

    deny 10.1.0.0 0.0.0.255
    deny 10.1.1.0 0.0.0.255
    deny 10.1.2.0 0.0.0.255
    "
    "
    "
    deny 10.1.255.0 0.0.0.255

    you can't really go like this for an acl shortcut

    deny 10.1.0.0 0.0.255.255 because this is implying you want to deny everything that is in the 10.1.0.0/16 range regardless of the mask.

    with the prefix list you can skip all that and just say

    deny 10.1.0.0/16 ge 24

    which means I want to deny prefixes that are in the range of 10.1.0.0/16 ( 10.1.255.255 ) BUT only if these prefixes have a mask of ge (greater than or equal to ) 24
    _____________________________________
    CCNP ROUTE - passed 20/3/12
    CCNP SWITCH - passed 25/10/12
    CCNP TSHOOT - passed 11/12/12
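
An added example, not part of any post in this thread: a Python model of the two match rules discussed above, run over constructed routes. It assumes standard IOS behaviour (first match wins, implicit deny at the end, a standard ACL used as a route filter tests only the network address); the tuple layout and function names are hypothetical.

```python
import ipaddress

# Constructed filters modelling the two forms quoted in the thread.
# Prefix-list entry: (action, prefix, ge, le); None means the keyword is absent.
PREFIX_LIST = [("deny", "10.1.0.0/16", 24, None),
               ("permit", "0.0.0.0/0", None, 32)]
# Standard ACL entry: (action, address, wildcard).
ACL = [("deny", "10.1.0.0", "0.0.255.255"),
       ("permit", "0.0.0.0", "255.255.255.255")]
# Constructed sample routes.
ROUTES = ["10.1.0.0/16", "10.1.0.0/20", "10.1.5.0/24",
          "10.1.5.128/25", "10.2.0.0/24"]

def prefix_list_match(route, entries):
    """First matching entry wins; the route's mask length is part of the test."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        pfx = ipaddress.ip_network(prefix)
        # Neither keyword: exact length. ge only: ge..32. le only: len..le.
        lo = ge if ge is not None else pfx.prefixlen
        hi = le if le is not None else (32 if ge is not None else pfx.prefixlen)
        if net.subnet_of(pfx) and lo <= net.prefixlen <= hi:
            return action
    return "deny"  # implicit deny at the end of the list

def acl_match(route, entries):
    """Only the network address is tested against address/wildcard;
    the route's mask length never enters the comparison."""
    addr = int(ipaddress.ip_network(route).network_address)
    for action, base, wildcard in entries:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action
    return "deny"  # implicit deny at the end of the list

def compare(routes):
    """Map each route to (ACL verdict, prefix-list verdict)."""
    return {r: (acl_match(r, ACL), prefix_list_match(r, PREFIX_LIST))
            for r in routes}

if __name__ == "__main__":
    for route, (acl, pl) in compare(ROUTES).items():
        print(f"{route:16} acl={acl:6} prefix-list={pl}")
```

The single-line ACL drops the /16 aggregate and the /20 along with the longer routes, while the prefix-list entry drops only the /24 and /25 and lets the shorter prefixes through.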




  • Eildor Senior Member Posts: 444
    mattau wrote: »
    the thing with an acl is, it's not designed to filter actual prefixes (although there is a hack on it)

    just like networker said, imagine having the enormous range of 10.1.0.0/16 and only wanting to deny the prefixes that were only in the range of 10.1.0.0/16 but had /24 masks.

    this means every acl would have to be like this

    deny 10.1.0.0 0.0.0.255
    deny 10.1.1.0 0.0.0.255
    deny 10.1.2.0 0.0.0.255
    "
    "
    "
    deny 10.1.255.0 0.0.0.255

    you can't really go like this for an acl shortcut

    deny 10.1.0.0 0.0.255.255 because this is implying you want to deny everything that is in the 10.1.0.0/16 range regardless of the mask.

    with the prefix list you can skip all that and just say

    deny 10.1.0.0/16 ge 24

    which means I want to deny prefixes that are in the range of 10.1.0.0/16 ( 10.1.255.255 ) BUT only if these prefixes have a mask of ge (greater than or equal to ) 24

    Aha I get it now. Thank you!