Configuring IP Prefix-lists
You can use prefix lists to permit or deny an address or range of addresses. Filtering by a prefix list involves matching the prefixes of routes or packets with the prefixes listed in the prefix list. An implicit deny is assumed if a given prefix does not match any entries in a prefix list.
You can configure multiple entries in a prefix list and permit or deny the prefixes that match the entry. Each entry has an associated sequence number that you can configure. If you do not configure a sequence number, Cisco NX-OS assigns a sequence number automatically. Cisco NX-OS evaluates prefix lists starting with the lowest sequence number. Cisco NX-OS processes the first successful match for a given prefix. Once a match occurs, Cisco NX-OS processes the permit or deny statement and does not evaluate the rest of the prefix list.
An empty prefix list permits all routes.
Classes
route_control (vxlan.overlay_extensions)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ipv4_prefix_lists | List | [ipv4_prefix_lists] | No | |
ipv6_prefix_lists | List | [ipv6_prefix_lists] | No | |
ipv4_prefix_lists (vxlan.overlay_extensions.route_control)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
description | String | | No | |
entries | List | [entries] | No | |
ipv6_prefix_lists (vxlan.overlay_extensions.route_control)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
description | String | | No | |
entries | List | [entries] | No | |
entries (vxlan.overlay_extensions.route_control.ipv4_prefix_lists)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1 , max: 4294967294 | Yes | |
operation | Choice | permit , deny | Yes | |
prefix | IP | | Yes | |
eq | Integer | min: 1 , max: 32 | No | |
ge | Integer | min: 1 , max: 32 | No | |
le | Integer | min: 1 , max: 32 | No | |
mask | IP | | No | |
entries (vxlan.overlay_extensions.route_control.ipv6_prefix_lists)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1 , max: 4294967294 | Yes | |
operation | Choice | permit , deny | Yes | |
prefix | IP | | Yes | |
eq | Integer | min: 1 , max: 128 | No | |
ge | Integer | min: 1 , max: 128 | No | |
le | Integer | min: 1 , max: 128 | No | |
mask | IP | | No | |
Examples
These examples will create an IPv4 or IPv6 prefix list or add a prefix to an existing prefix list. The prefix-length is matched as follows:
- eq: Matches the exact prefix-length. This value must be greater than the mask length.
- ge: Matches a prefix length that is equal to or greater than the configured prefix-length.
- le: Matches a prefix length that is equal to or less than the configured prefix-length.
- mask: Specifies the bits of a prefix address in a prefix list that are compared to the bits of the prefix address used in routing protocols.
Example-1
In this example we will create one IPv4 prefix list named `sac-prefix-list` with the description `SAC IPv4 prefix-list`.
There are 6 entries:
- `10` permits the exact prefix `41.0.0.0/24`.
- `20` permits prefixes in the IP range `42.0.0.0/24` with a CIDR length between `/24` and `/32`.
- `30` permits prefixes in the IP range `43.0.0.0/24` with a CIDR length between `/25` and `/32`.
- `40` permits prefixes in the IP range `44.0.0.0/24` with a CIDR length equal to `/25`, e.g. 44.0.0.0/25 and 44.0.0.128/25.
- `50` permits prefixes in the IP range `45.0.0.0/24` with mask `/24`, so only 45.0.0.0/24 will be allowed.
- `60` denies prefixes in the range `35.0.0.0/8` with a CIDR length between `/24` and `/32`.

This IP ACL is used in the group `ipv4_pfx_RCtrlGrp`, which is consumed by the switch `netascode-leaf1`.
```
ip prefix-list sac-prefix-list description SAC IPv4 prefix-list
ip prefix-list sac-prefix-list seq 10 permit 41.0.0.0/24
ip prefix-list sac-prefix-list seq 20 permit 42.0.0.0/24 le 32
ip prefix-list sac-prefix-list seq 30 permit 43.0.0.0/24 ge 25
ip prefix-list sac-prefix-list seq 40 permit 44.0.0.0/24 eq 25
ip prefix-list sac-prefix-list seq 50 permit 45.0.0.0/24 mask 255.255.255.0
ip prefix-list sac-prefix-list seq 60 deny 35.0.0.0/8 ge 24 le 32
```

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_prefix_lists:
        - name: sac-ipv4_prefix-list
          description: 'SAC IPv4 prefix-list'
          entries:
            - seq_number: 10
              operation: permit
              prefix: 41.0.0.0/24
            - seq_number: 20
              operation: permit
              prefix: 42.0.0.0/24
              le: 32
            - seq_number: 30
              operation: permit
              prefix: 43.0.0.0/24
              ge: 25
            - seq_number: 40
              operation: permit
              prefix: 44.0.0.0/24
              eq: 25
            - seq_number: 50
              operation: permit
              prefix: 45.0.0.0/24
              mask: 255.255.255.0
            - seq_number: 60
              operation: deny
              prefix: 35.0.0.0/8
              le: 32
              ge: 24
      groups:
        - name: ipv4_pfx_RCtrlGrp
          ipv4_prefix_lists:
            - name: sac-ipv4_prefix-list
      switches:
        - name: netascode-leaf2
          groups:
            - ipv4_pfx_RCtrlGrp
```
Example-2
In this example we will create one IPv6 prefix list named `sac` with the description `SAC IPv6 prefix-list`.
There are 6 entries:
- `10` denies prefixes in the range `2001:db8::/32` to `/128`.
- `20` permits only this prefix: `2001:db7::/64`.
```
ipv6 prefix-list sac description SAC IPv6 prefix-list
ipv6 prefix-list sac seq 10 deny 2001:db8::/32 le 128
ipv6 prefix-list sac seq 20 permit 2001:db7::/64
```

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv6_prefix_lists:
        - name: sac-ipv6_prefix-list
          description: 'SAC IPv6 prefix-list'
          entries:
            - seq_number: 10
              operation: deny
              prefix: 2001:db8::/32
              le: 128
            - seq_number: 20
              operation: permit
              prefix: 2001:db7::/64
      groups:
        - name: ipv6_pfx_RCtrlGrp
          ipv6_prefix_lists:
            - name: sac-ipv6_prefix-list
      switches:
        - name: netascode-leaf1
          groups:
            - ipv6_pfx_RCtrlGrp
```