IP Prefix-Lists
You can use prefix lists to permit or deny an address or range of addresses. Filtering by a prefix list involves matching the prefixes of routes or packets with the prefixes listed in the prefix list. An implicit deny is assumed if a given prefix does not match any entries in a prefix list.
You can configure multiple entries in a prefix list and permit or deny the prefixes that match the entry. Each entry has an associated sequence number that you can configure. If you do not configure a sequence number, Cisco NX-OS assigns a sequence number automatically. Cisco NX-OS evaluates prefix lists starting with the lowest sequence number. Cisco NX-OS processes the first successful match for a given prefix. Once a match occurs, Cisco NX-OS processes the permit or deny statement and does not evaluate the rest of the prefix list.
Classes
route_control (vxlan.overlay_extensions)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ipv4_prefix_lists | List | [ipv4_prefix_lists] | No | |
ipv6_prefix_lists | List | [ipv6_prefix_lists] | No | |
ipv4_prefix_lists (vxlan.overlay_extensions.route_control)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
description | String | | No | |
entries | List | [entries] | No | |
ipv6_prefix_lists (vxlan.overlay_extensions.route_control)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
description | String | | No | |
entries | List | [entries] | No | |
entries (vxlan.overlay_extensions.route_control.ipv4_prefix_lists)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1 , max: 4294967294 | Yes | |
operation | Choice | permit , deny | Yes | |
prefix | IP | | Yes | |
eq | Integer | min: 1 , max: 32 | No | |
ge | Integer | min: 1 , max: 32 | No | |
le | Integer | min: 1 , max: 32 | No | |
mask | IP | | No | |
entries (vxlan.overlay_extensions.route_control.ipv6_prefix_lists)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1 , max: 4294967294 | Yes | |
operation | Choice | permit , deny | Yes | |
prefix | IP | | Yes | |
eq | Integer | min: 1 , max: 128 | No | |
ge | Integer | min: 1 , max: 128 | No | |
le | Integer | min: 1 , max: 128 | No | |
mask | IP | | No | |
Examples
These examples will create an IPv4 or IPv6 prefix list or add a prefix to an existing prefix list. The prefix-length is matched as follows:
- eq — Matches the exact prefix-length. This value must be greater than the mask length.
- ge — Matches a prefix length that is equal to or greater than the configured prefix-length.
- le — Matches a prefix length that is equal to or less than the configured prefix-length.
- mask — Specifies the bits of a prefix address in a prefix list that are compared to the bits of the prefix address used in routing protocols.
Example-1
In this example we will create one IPv4 prefix list named `sac-prefix-list` with the description `SAC IPv4 prefix-list`. There are 6 entries:
- `10` permits the exact prefix `41.0.0.0/24`.
- `20` permits prefixes in the IP range `42.0.0.0/24` with a CIDR between `/24` and `/32`.
- `30` permits prefixes in the IP range `43.0.0.0/24` with a CIDR between `/25` and `/32`.
- `40` permits prefixes in the IP range `44.0.0.0/24` with a CIDR equal to `/25`, for example 44.0.0.0/25 and 44.0.0.128/25.
- `50` permits prefixes in the IP range `45.0.0.0/24` with mask `/24`, so only 45.0.0.0/24 will be allowed.
- `60` denies prefixes in the range `35.0.0.0/8` with a CIDR between `/24` and `/32`.

This prefix list is used in group `ipv4_pfx_RCtrlGrp`, which is consumed by the switch `netascode-leaf1`.
```
ip prefix-list sac-prefix-list description SAC IPv4 prefix-list
ip prefix-list sac-prefix-list seq 10 permit 41.0.0.0/24
ip prefix-list sac-prefix-list seq 20 permit 42.0.0.0/24 le 32
ip prefix-list sac-prefix-list seq 30 permit 43.0.0.0/24 ge 25
ip prefix-list sac-prefix-list seq 40 permit 44.0.0.0/24 eq 25
ip prefix-list sac-prefix-list seq 50 permit 45.0.0.0/24 mask 255.255.255.0
ip prefix-list sac-prefix-list seq 60 deny 35.0.0.0/8 ge 24 le 32
```
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_prefix_lists:
        - name: sac-ipv4_prefix-list
          description: 'SAC IPv4 prefix-list'
          entries:
            - seq_number: 10
              operation: permit
              prefix: 41.0.0.0/24
            - seq_number: 20
              operation: permit
              prefix: 42.0.0.0/24
              le: 32
            - seq_number: 30
              operation: permit
              prefix: 43.0.0.0/24
              ge: 25
            - seq_number: 40
              operation: permit
              prefix: 44.0.0.0/24
              eq: 25
            - seq_number: 50
              operation: permit
              prefix: 45.0.0.0/24
              mask: 255.255.255.0
            - seq_number: 60
              operation: deny
              prefix: 35.0.0.0/8
              le: 32
              ge: 24
      groups:
        - name: ipv4_pfx_RCtrlGrp
          ipv4_prefix_lists:
            - name: sac-ipv4_prefix-list
      switches:
        - name: netascode-leaf2
          groups:
            - ipv4_pfx_RCtrlGrp
```
Example-2
In this example we will create one IPv6 prefix list named `sac` with the description `SAC IPv6 prefix-list`. There are 6 entries:
- `10` denies exact prefix in range `2001:db8::/32` to `/128`.
- `20` permits only this prefix: `2001:db7::/64`.
```
ipv6 prefix-list sac description SAC IPv6 prefix-list
ipv6 prefix-list sac seq 10 deny 2001:db8::/32 le 128
ipv6 prefix-list sac seq 20 permit 2001:db7::/64
```
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv6_prefix_lists:
        - name: sac-ipv6_prefix-list
          description: 'SAC IPv6 prefix-list'
          entries:
            - seq_number: 10
              operation: deny
              prefix: 2001:db8::/32
              le: 128
            - seq_number: 20
              operation: permit
              prefix: 2001:db7::/64
      groups:
        - name: ipv6_pfx_RCtrlGrp
          ipv6_prefix_lists:
            - name: sac-ipv6_prefix-list
      switches:
        - name: netascode-leaf1
          groups:
            - ipv6_pfx_RCtrlGrp
```