IP Prefix-Lists

sidebar_position: 7 sidebar_label: IP Prefix-Lists

You can use prefix lists to permit or deny an address or range of addresses. Filtering by a prefix list involves matching the prefixes of routes or packets with the prefixes listed in the prefix list. An implicit deny is assumed if a given prefix does not match any entries in a prefix list.

You can configure multiple entries in a prefix list and permit or deny the prefixes that match the entry. Each entry has an associated sequence number that you can configure. If you do not configure a sequence number, Cisco NX-OS assigns a sequence number automatically. Cisco NX-OS evaluates prefix lists starting with the lowest sequence number. Cisco NX-OS processes the first successful match for a given prefix. Once a match occurs, Cisco NX-OS processes the permit or deny statement and does not evaluate the rest of the prefix list.

Diagram

Classes

route_control (vxlan.overlay_extensions)

Name	Type	Constraint	Mandatory	Default Value
ipv4_prefix_lists	List	`[ipv4_prefix_lists]`	No
ipv6_prefix_lists	List	`[ipv6_prefix_lists]`	No

ipv4_prefix_lists (vxlan.overlay_extensions.route_control)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[A-Za-z0-9-_]{1,63}$`	Yes
description	String		No
entries	List	`[entries]`	No

ipv6_prefix_lists (vxlan.overlay_extensions.route_control)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[A-Za-z0-9-_]{1,63}$`	Yes
description	String		No
entries	List	`[entries]`	No

entries (vxlan.overlay_extensions.route_control.ipv4_prefix_lists)

Name	Type	Constraint	Mandatory
seq_number	Integer	min: `1`, max: `4294967294`	Yes
operation	Choice	`permit`, `deny`	Yes
prefix	IP		Yes
eq	Integer	min: `1`, max: `32`	No
ge	Integer	min: `1`, max: `32`	No
le	Integer	min: `1`, max: `32`	No
mask	IP		No

entries (vxlan.overlay_extensions.route_control.ipv6_prefix_lists)

Name	Type	Constraint	Mandatory
seq_number	Integer	min: `1`, max: `4294967294`	Yes
operation	Choice	`permit`, `deny`	Yes
prefix	IP		Yes
eq	Integer	min: `1`, max: `128`	No
ge	Integer	min: `1`, max: `128`	No
le	Integer	min: `1`, max: `128`	No
mask	IP		No

Examples

These examples will create an IPv4 or IPv6 prefix list or add a prefix to an existing prefix list. The prefix-length is matched as follows:

eq —Matches the exact prefix-length . This value must be greater than the mask length.
ge —Matches a prefix length that is equal to or greater than the configured prefix-length.
le —Matches a prefix length that is equal to or less than the configured prefix-length.
mask —Specifies the bits of a prefix address in a prefix list that are compared to the bits of the prefix address used in routing protocols.

Example-1

In this example we will create one IPv4 Prefix-list named sac-prefix-list with a description: SAC IPv4 prefix-list. There are 6 entries:

10 permits exact prefix 41.0.0.0/24
20 permits prefix in IP range 42.0.0.0/24 with CIDR between /24 to /32.
30 permits prefix in IP range 43.0.0.0/24 with CIDR between /25 to /32.
40 permits prefix in IP range 44.0.0.0/24 with CIDR eq to /25. Ex. 44.0.0.0/25 and 44.0.0.128/25.
50 permits prefix in IP range 45.0.0.0/24 with mask /24. So only 45.0.0.0/24 will be allow.
60 denies prefix in range 35.0.0.0/8 with CIDR between /24 to /32.

This IP ACL is used in group ipv4_pfx_RCtrlGrp, which is consumed by the switch netascode-leaf1.

ip prefix-list sac-prefix-list description SAC IPv4 prefix-list
ip prefix-list sac-prefix-list seq 10 permit 41.0.0.0/24
ip prefix-list sac-prefix-list seq 20 permit 42.0.0.0/24 le 32
ip prefix-list sac-prefix-list seq 30 permit 43.0.0.0/24 ge 25
ip prefix-list sac-prefix-list seq 40 permit 44.0.0.0/24 eq 25
ip prefix-list sac-prefix-list seq 50 permit 45.0.0.0/24 mask 255.255.255.0
ip prefix-list sac-prefix-list seq 60 deny 35.0.0.0/8 ge 24 le 32

---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_prefix_lists:
        - name: sac-ipv4_prefix-list
          description: 'SAC IPv4 prefix-list'
          entries:
            - seq_number: 10
              operation: permit
              prefix: 41.0.0.0/24
            - seq_number: 20
              operation: permit
              prefix: 42.0.0.0/24
              le: 32
            - seq_number: 30
              operation: permit
              prefix: 43.0.0.0/24
              ge: 25
            - seq_number: 40
              operation: permit
              prefix: 44.0.0.0/24
              eq: 25
            - seq_number: 50
              operation: permit
              prefix: 45.0.0.0/24
              mask: 255.255.255.0
            - seq_number: 60
              operation: deny
              prefix: 35.0.0.0/8
              le: 32
              ge: 24
      groups:
        - name: ipv4_pfx_RCtrlGrp
          ipv4_prefix_lists:
            - name: sac-ipv4_prefix-list
      switches:
        - name: netascode-leaf2
          groups:
            - ipv4_pfx_RCtrlGrp

Example-2

In this example we will create one IPv6 Prefix-list named sac with a description: SAC IPv6 prefix-list. There are 6 entries:

10 denies exact prefix in range 2001:db8::/32 to /128
20 permits prefix only this prefix 2001:db7::/64.

ipv6 prefix-list sac description SAC IPv6 prefix-list
ipv6 prefix-list sac seq 10 deny 2001:db8::/32 le 128
ipv6 prefix-list sac seq 20 permit 2001:db7::/64

---
vxlan:
  overlay_extensions:
    route_control:
      ipv6_prefix_lists:
       - name: sac-ipv6_prefix-list
          description: 'SAC IPv6 prefix-list'
          entries:
            - seq_number: 10
              operation: deny
              prefix: 2001:db8::/32
              le: 128
            - seq_number: 20
              operation: permit
              prefix: 2001:db7::/64
      groups:
        - name: ipv6_pfx_RCtrlGrp
          ipv6_prefix_lists:
            - name: sac-ipv6_prefix-list
      switches:
        - name: netascode-leaf1
          groups:
            - ipv6_pfx_RCtrlGrp