Hello, Community members!
This post covers chapter 3, IP Prefix List, of the Huawei S Series Switches Routing Policy. Please have a look below for more details.
1 IP Prefix List
To filter received, advertised, and imported routes or to set attributes for routes, you first need to match the required routes using ACLs or an IP prefix list. In the preceding section about route-policy, ACLs are used to match routes. This section describes how to use an IP prefix list to match routes. First, let’s look at the differences between an ACL and an IP prefix list.
1.1 Differences Between ACL and IP Prefix List
The following two examples can help differentiate ACL and IP prefix list.
1.1.1 Example 1 Using ACLs to Filter Imported Routes
In Figure 3-1, ACLs are configured to import two RIP routes into OSPF and set attributes for the routes.
Figure 3-1 Using ACLs to filter imported routes
Check the IP routing table of SwitchB. The following command output shows that it contains two RIP routes 192.168.2.0/24 and 192.168.3.0/24. Now the two RIP routes need to be readvertised into OSPF and the costs of the two routes 192.168.2.0/24 and 192.168.3.0/24 need to be set to 10 and 20 respectively.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.2 Vlanif10
192.168.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 RIP 100 1 D 192.168.1.1 Vlanif10
192.168.3.0/24 RIP 100 1 D 192.168.1.1 Vlanif10
Configure ACLs to match the required routes.
# Configure a basic ACL 2001 to match the route 192.168.2.0.
[SwitchB] acl 2001
[SwitchB-acl-basic-2001] rule permit source 192.168.2.0 0
[SwitchB-acl-basic-2001] quit
# Configure a basic ACL 2002 to match the route 192.168.3.0.
[SwitchB] acl 2002
[SwitchB-acl-basic-2002] rule permit source 192.168.3.0 0
[SwitchB-acl-basic-2002] quit
Configure a route-policy and apply it to the imported routes.
# Configure node 10 in the route-policy RP to set the cost of the route matching the basic ACL 2001 to 10.
[SwitchB] route-policy RP permit node 10
[SwitchB-route-policy] if-match acl 2001
[SwitchB-route-policy] apply cost 10
[SwitchB-route-policy] quit
# Configure node 20 in the route-policy RP to set the cost of the route matching the basic ACL 2002 to 20.
[SwitchB] route-policy RP permit node 20
[SwitchB-route-policy] if-match acl 2002
[SwitchB-route-policy] apply cost 20
[SwitchB-route-policy] quit
# Import the RIP routes permitted by the route-policy RP into OSPF.
[SwitchB] ospf
[SwitchB-ospf-1] import-route rip 1 route-policy RP
[SwitchB-ospf-1] quit
After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that the two RIP routes have been imported and their costs have been configured as required.
<SwitchC> display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif20
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.2.0/24 O_ASE 150 10 D 10.1.1.1 Vlanif20
192.168.3.0/24 O_ASE 150 20 D 10.1.1.1 Vlanif20
1.1.2 Example 2 Using an IP Prefix List to Filter Imported Routes
In Figure 3-2, SwitchB has two static routes, but only the static route 192.168.0.0/16 needs to be imported into OSPF.
Figure 3-2 Using an IP prefix list to filter imported routes
Check the IP routing table of SwitchB. The following command output shows that it has two static routes 192.168.0.0/16 and 192.168.0.0/24. Now only the route 192.168.0.0/16 needs to be readvertised into OSPF.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.10.12.0/24 Direct 0 0 D 10.10.12.1 Vlanif10
10.10.12.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.0.0/16 Static 60 0 D 0.0.0.0 NULL0
192.168.0.0/24 Static 60 0 D 0.0.0.0 NULL0
First, try to use an ACL to meet this requirement.
Configure a basic ACL 2001.
[SwitchB] acl 2001
[SwitchB-acl-basic-2001] rule permit source 192.168.0.0 0.0.255.255
[SwitchB-acl-basic-2001] quit
Configure a route-policy and apply it to the imported routes.
# Configure node 10 in the route-policy RP to permit the route matching the basic ACL 2001 and deny all the unmatched routes.
[SwitchB] route-policy RP permit node 10
[SwitchB-route-policy] if-match acl 2001
[SwitchB-route-policy] quit
# Import the static route permitted by the route-policy RP into OSPF.
[SwitchB] ospf
[SwitchB-ospf-1] import-route static route-policy RP
[SwitchB-ospf-1] quit
After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that both routes to 192.168.0.0 have been imported. This is because, in rule permit source 192.168.0.0 0.0.255.255 of ACL 2001, the value 0.0.255.255 is a wildcard, not a mask length.
When a wildcard is written in binary, a 0 bit means that the corresponding bit of the route's network ID must match the ACL rule, while a 1 bit means that the bit is ignored. For example, 192.168.0.0 0.0.255.255 specifies the route prefix range 192.168.0.0 to 192.168.255.255. The two routes 192.168.0.0/16 and 192.168.0.0/24 both match ACL 2001. Therefore, both routes match node 10 in the route-policy RP and both are imported into OSPF. An ACL cannot ensure that only the route 192.168.0.0/16 or only the route 192.168.0.0/24 is matched, because an ACL can match only the network ID but not the mask.
<SwitchC> display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.10.12.0/24 Direct 0 0 D 10.10.12.2 Vlanif10
10.10.12.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.0.0/16 O_ASE 150 1 D 10.10.12.1 Vlanif10
192.168.0.0/24 O_ASE 150 1 D 10.10.12.1 Vlanif10
The following uses an IP prefix list to filter the imported routes. Check whether an IP prefix list can ensure that only the route 192.168.0.0/16 is imported and the route 192.168.0.0/24 is filtered out.
Configure an IP prefix list to permit the required route.
# Configure an IP prefix list huawei and configure node 10 to permit the route 192.168.0.0/16.
[SwitchB] ip ip-prefix huawei index 10 permit 192.168.0.0 16
Configure a route-policy and apply it to the imported routes.
# Configure a route-policy RP and configure node 10 to permit the route that matches the IP prefix list huawei and deny all the unmatched routes.
[SwitchB] route-policy RP permit node 10
[SwitchB-route-policy] if-match ip-prefix huawei
[SwitchB-route-policy] quit
# Import the static route permitted by the route-policy RP into OSPF.
[SwitchB] ospf
[SwitchB-ospf-1] import-route static route-policy RP
[SwitchB-ospf-1] quit
After the preceding configurations are complete, check the IP routing table of SwitchC. The following command output shows that only the route 192.168.0.0/16 is imported into OSPF.
<SwitchC> display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.10.12.0/24 Direct 0 0 D 10.10.12.2 Vlanif10
10.10.12.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.0.0/16 O_ASE 150 1 D 10.10.12.1 Vlanif10
The preceding two examples show that both an ACL and an IP prefix list can be used to filter routes. An ACL can match only the network ID but not the mask (prefix length). An IP prefix list is more flexible because it can match both the network ID and the mask, which improves route matching accuracy.
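The difference between the two matches in Example 2, as an added Python sketch (not Huawei code and not part of the original post). acl_permits and prefix_permits are hypothetical helpers that model a basic ACL rule and an exact ip-prefix entry, applied to the two static routes on SwitchB.

```python
import ipaddress

def acl_permits(route, base, wildcard):
    """Basic-ACL style match: only the route's network address is compared.

    Wildcard bits set to 0 must equal the base address; bits set to 1 are
    ignored. The route's mask length is never examined.
    """
    net = int(ipaddress.ip_network(route).network_address)
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (net & care) == (int(ipaddress.ip_address(base)) & care)

def prefix_permits(route, address, mask_length):
    """Exact ip-prefix entry: network ID and mask length must both match."""
    wanted = ipaddress.ip_network(f"{address}/{mask_length}")
    return ipaddress.ip_network(route) == wanted

# The two static routes on SwitchB in Example 2.
STATIC_ROUTES = ["192.168.0.0/16", "192.168.0.0/24"]

def imported_with_acl():
    # rule permit source 192.168.0.0 0.0.255.255
    return [r for r in STATIC_ROUTES
            if acl_permits(r, "192.168.0.0", "0.0.255.255")]

def imported_with_exact_acl():
    # An all-zero wildcard still cannot separate the routes, because
    # both have the same network address and the mask is not compared.
    return [r for r in STATIC_ROUTES
            if acl_permits(r, "192.168.0.0", "0.0.0.0")]

def imported_with_prefix_list():
    # ip ip-prefix huawei index 10 permit 192.168.0.0 16
    return [r for r in STATIC_ROUTES if prefix_permits(r, "192.168.0.0", 16)]

if __name__ == "__main__":
    print("ACL, wildcard 0.0.255.255:", imported_with_acl())
    print("ACL, wildcard 0.0.0.0:    ", imported_with_exact_acl())
    print("ip-prefix huawei:         ", imported_with_prefix_list())
```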
1.2 Principles and Applications of IP Prefix List
1.2.1 Filtering Rules
An IP prefix list can contain multiple index entries, each of which corresponds to a filtering rule. In Figure 3-3, the system matches the routes to be filtered against entries in ascending order of index number.
- If a route matches a permit entry, this route is permitted. If a route matches a deny entry, this route is denied.
- If a route does not match any entry in the IP prefix list, this route is denied.
Figure 3-3 Matching principles of an IP prefix list
Route filtering rules of an IP prefix list: sequential match, unique match, and deny by default.
- Sequential match: Routes to be filtered are matched against entries in ascending order of index number. If different index numbers are configured for entries in the same IP prefix list, different filtering results may be obtained. Therefore, exercise caution when configuring index numbers.
- Unique match: If a route to be filtered matches one entry, it no longer tries to match other entries.
- Deny by default: By default, all the routes that do not match any entry are denied. Therefore, after one or multiple deny entries are created in an IP prefix list, one entry needs to be created to permit all the other routes.
1.2.2 Mask Matching
An IP prefix list can be used to match a route mask, which is an advantage compared to ACL. In the preceding example, a mask has been used in exact route match. Additionally, an IP prefix list can also be used to match a mask range.
An IP prefix list is configured using the ip ip-prefix command, in the following format:
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]
In this command, ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ] defines the network ID and mask range of routes to be filtered. Table 3-1 describes parameters in this command.
Table 3-1 An address range in an IP prefix list
| Parameter | Description |
| --- | --- |
| ipv4-address | Specifies a network ID. |
| mask-length | Specifies the mask length for exact match. |
| greater-equal greater-equal-value | Indicates that the mask length must be greater than or equal to greater-equal-value. |
| less-equal less-equal-value | Indicates that the mask length must be less than or equal to less-equal-value. |
When a route to be filtered has matched a network ID, the mask length can be matched exactly or within a specified mask length range.
- If neither greater-equal nor less-equal is configured in the command, exact match is performed on routes. That is, only the routes with the specified mask-length are matched.
- If only greater-equal is configured in the command, the mask length range used for matching routes is [greater-equal-value, 32].
- If only less-equal is configured in the command, the mask length range used for matching routes is [mask-length, less-equal-value].
- If both greater-equal and less-equal are configured in the command, the mask length range used for matching routes is [greater-equal-value, less-equal-value].
1.2.3 Applications
Assume that there are routes 10.1.1.0/24, 10.1.1.0/26, 10.1.1.1/32, 10.2.2.0/24, and 10.1.0.0/16. How can an IP prefix list be used to filter these routes to meet the following requirements?
- Permit only one route, for example, permit only the route 10.1.1.0/24.
- Permit only the routes with the same network ID but different masks and deny other routes. For example, permit only three routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32.
- Deny only one route and permit the other routes, for example, deny only the route 10.1.1.0/24.
Find the answers in the following examples:
--------------------------------Example 1 Single-node exact match------------------------------------------
- Example 1
ip ip-prefix test index 10 permit 10.1.1.0 24
Matching result: Only the route 10.1.1.0/24 is permitted, and other routes are denied.
Only the route with the specified network ID and mask is permitted.
------------------------------Examples 2 through 4 Match against the specified mask range----------------------------------
- Example 2
ip ip-prefix test index 10 permit 10.1.1.0 24 less-equal 32
Matching result: Only the routes 10.1.1.0/24, 10.1.1.0/26, and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 24-32 are permitted.
- Example 3
ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26
Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted.
- Example 4
ip ip-prefix test index 10 permit 10.1.1.0 24 greater-equal 26 less-equal 32
Matching result: Only the routes 10.1.1.0/26 and 10.1.1.1/32 are permitted, and other routes are denied.
The routes with the network ID 10.1.1.0 and mask length 26-32 are permitted. The matching result is the same as that of Example 3.
--------------------Examples 5 and 6 Match against the wildcard address (0.0.0.0)-----------------------
The wildcard address 0.0.0.0 indicates that the network ID is not specified and only the mask range needs to be matched. Table 3-2 lists special wildcard addresses.
Table 3-2 Special wildcard addresses
| Special Wildcard Address | Description |
| --- | --- |
| 0.0.0.0 0 | Indicates that only the default route is matched. |
| 0.0.0.0 0 less-equal 32 | Indicates that all routes are matched. |
| 0.0.0.0 0 greater-equal 32 | Indicates that all host routes are matched. |
An IP prefix list uses the matching rule of deny by default. After one or multiple deny entries are created, an entry permit 0.0.0.0 0 less-equal 32 needs to be created to permit other routes.
- Example 5
ip ip-prefix test index 10 permit 0.0.0.0 8 less-equal 32
Matching result: All the five routes are permitted.
All the routes with the mask length 8-32 are permitted.
- Example 6
ip ip-prefix test index 10 deny 10.1.1.0 24
ip ip-prefix test index 20 permit 0.0.0.0 0 less-equal 32
Matching result: Only the route 10.1.1.0/24 is denied, and other routes are permitted.
The route 10.1.1.0/24 matches the entry with index number 10 in the IP prefix list test, but the matching mode is deny. Therefore, this route is denied. The entry with index number 20 permit 0.0.0.0 0 less-equal 32 indicates that all the routes are permitted. Therefore, the routes that do not match the entry with index number 10 match the entry with index number 20 and are all permitted.
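The filtering rules and mask-range rules above, as an added Python model run over the five routes and Examples 1 through 6 (not Huawei code and not part of the original post). The helper names are hypothetical, and the model assumes that the network-ID comparison covers the first mask-length bits of the route.

```python
import ipaddress

ROUTES = ["10.1.1.0/24", "10.1.1.0/26", "10.1.1.1/32",
          "10.2.2.0/24", "10.1.0.0/16"]          # routes from section 1.2.3

def entry(index, action, address, mask_length, ge=None, le=None):
    """One 'ip ip-prefix' index entry with its mask-length range resolved."""
    if ge is None and le is None:
        lo, hi = mask_length, mask_length       # exact match
    else:
        lo = mask_length if ge is None else ge  # only less-equal: start at mask-length
        hi = 32 if le is None else le           # only greater-equal: up to 32
    return (index, action, ipaddress.ip_address(address), mask_length, lo, hi)

def entry_matches(e, route):
    _, _, address, mask_length, lo, hi = e
    net = ipaddress.ip_network(route)
    if not lo <= net.prefixlen <= hi:
        return False
    if int(address) == 0:                       # wildcard address 0.0.0.0
        return True
    shift = 32 - mask_length                    # assumption: compare first mask-length bits
    return int(net.network_address) >> shift == int(address) >> shift

def evaluate(prefix_list, route):
    """Sequential match, unique match, deny by default."""
    for e in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(e, route):
            return e[1]                         # first matching entry decides
    return "deny"

def permitted(prefix_list):
    return [r for r in ROUTES if evaluate(prefix_list, r) == "permit"]

EXAMPLES = {
    1: [entry(10, "permit", "10.1.1.0", 24)],
    2: [entry(10, "permit", "10.1.1.0", 24, le=32)],
    3: [entry(10, "permit", "10.1.1.0", 24, ge=26)],
    4: [entry(10, "permit", "10.1.1.0", 24, ge=26, le=32)],
    5: [entry(10, "permit", "0.0.0.0", 8, le=32)],
    6: [entry(10, "deny", "10.1.1.0", 24),
        entry(20, "permit", "0.0.0.0", 0, le=32)],
}

if __name__ == "__main__":
    for number, plist in EXAMPLES.items():
        print(f"Example {number}: {permitted(plist)}")
```

Dropping index 20 from Example 6 leaves every route denied, and giving the permit-all entry a lower index than the deny entry lets 10.1.1.0/24 through, which is the index-ordering risk noted under sequential match.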
An IP prefix list can filter routes as required. To control routes, for example, control receiving, advertisement, and import of routes, you need to invoke an IP prefix list in a filter-policy or route-policy. The following describes how to use a filter-policy to filter routes.




