IP Prefix List Overview

Updated on 2024-08-19 GMT+08:00

Introduction

An IP prefix list contains prefix rules for route filtering. You can define IP prefixes and netmasks in prefix rules to match the destination addresses or next hops of routes. An IP prefix list is used to filter routes that are advertised and received by dynamic routing protocols. An IP prefix list is matched against routes using either of the following:
  • Netmask length: A netmask length, together with an IP address, identifies an IP prefix. Each IP prefix in an IP prefix list is used to filter routes with the same IP prefix.

    For example, the netmask length of 10.1.0.0/16 is 16, and the valid prefix is 10.1.0.0.

  • Netmask length range: A netmask length range can be defined in an IP prefix list to match routes that have the same IP prefix and whose netmask lengths are within the specified range.
NOTE:

Currently, IP prefix lists only support IPv4 addresses.

IP Prefix Match Rules

An IP prefix list can contain multiple IP prefix rules. As shown in Figure 1, routes to be filtered are matched against the prefix rules in an IP prefix list in ascending order.
  • If a route matches a prefix rule with Action set to Allow, the route is allowed. If the prefix rule has Action set to Deny, the route is denied.
  • If a route does not match any prefix rule in the IP prefix list, the route is denied.
Figure 1 Match process

An IP prefix list filters routes according to three principles: sequential match, unique match, and deny by default.

  • Sequential match: A prefix rule with a smaller sequence number is matched first. The same prefix rules numbered in a different order can produce different filtering results.
  • Unique match: Once a route matches a prefix rule, it is not matched against any other prefix rules.
  • Deny by default: By default, routes that do not match any prefix rule in an IP prefix list are denied. If an IP prefix list has one or more deny rules, you need to create a rule to allow all other routes.

IP Prefix Netmask Match Rules

An IP prefix rule consists of an IP prefix, min. netmask length, and max. netmask length, as detailed in Table 1.

Table 1 Parameters for creating a prefix rule

Parameter: IP prefix

Description: An IP prefix consists of an IP address and a netmask in the format of IP address/Netmask, for example, 10.1.0.0/16. An IP prefix specifies the first bits of an IP address range that a route destination must match.

Parameter: Min. netmask length and Max. netmask length

Description: If a route matches a prefix rule, the netmask length of the route destination is within a specified length range. In a prefix rule:

  • The min. netmask length cannot be smaller than the netmask length of the IP prefix. For example, if the netmask length of the IP prefix is 16, the min. netmask length must be greater than or equal to 16 (for example, 18).
  • The max. netmask length cannot be smaller than the min. netmask length. For example, if the min. netmask length is 18, the max. netmask length must be from 18 to 32 (for example, 20).

A prefix rule uses min. and max. netmask lengths to filter routes based on the following:

  • If min. and max. netmask lengths are not specified, a route can only be filtered when its netmask length is the same as that of the IP prefix.
  • If only the min. netmask length is specified, a route can only be filtered when its netmask length is within [min. netmask length, 32].
  • If only the max. netmask length is specified, a route can only be filtered when its netmask length is within [IP prefix netmask length, max. netmask length].
  • If both min. and max. netmask lengths are specified, a route can only be filtered when its netmask length is within [min. netmask length, max. netmask length].

Table 2 lists example prefix rules and describes the requirements that routes to be filtered must meet.

Table 2 IP prefix rules

Example 1

Prefix rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: Not specified
  • Max. Netmask Length: Not specified

Route can be filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: 16

Allowed IP address range (both conditions are met):
  • 10.0.0.0/16

Denied IP address range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.1.0/24
    • 10.0.253.25/32
  • Only the netmask length is matched: 10.1.0.0/16

Example 2

Prefix rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: 18
  • Max. Netmask Length: Not specified

Route can be filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: [18, 32]

Allowed IP address range (both conditions are met):
  • 10.0.1.0/24
  • 10.0.253.25/32

Denied IP address range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.0.0/16
  • Only the netmask length is matched: 10.1.0.0/20

Example 3

Prefix rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: Not specified
  • Max. Netmask Length: 24

Route can be filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: [16, 24]

Allowed IP address range (both conditions are met):
  • 10.0.0.0/16
  • 10.0.0.0/20
  • 10.0.1.0/24

Denied IP address range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.253.25/32
  • Only the netmask length is matched: 10.1.0.0/20

Example 4

Prefix rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: 18
  • Max. Netmask Length: 24

Route can be filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: [18, 24]

Allowed IP address range (both conditions are met):
  • 10.0.0.0/20
  • 10.0.1.0/24

Denied IP address range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.0.0/16
    • 10.0.253.25/32
  • Only the netmask length is matched: 10.1.0.0/20

When the IP address (all four octets) in an IP prefix is set to 0.0.0.0:

  • If only the IP prefix netmask length is specified, all routes with that netmask length are allowed or denied.
  • If both min. and max. netmask lengths are specified, all routes with netmask lengths in the range are allowed or denied.

Table 3 describes the route matching rules if 0.0.0.0 is used.

Table 3 Route matching rules if 0.0.0.0 is used

Min. Netmask Length: Not specified; Max. Netmask Length: Not specified

  • IP Prefix: 0.0.0.0/0
    Matching rule: Matches only the default route (destination: 0.0.0.0/0).
    Example: Only the default route (destination: 0.0.0.0/0) is allowed or denied.
  • IP Prefix: 0.0.0.0/X (X is not 0)
    Matching rule: Matches all routes with the netmask length of X.
    Example: If X is 8, all routes with the netmask length of 8 are allowed or denied.

Min. Netmask Length: Specified; Max. Netmask Length: Not specified

  • IP Prefix: 0.0.0.0/0
    Matching rule: Matches all the routes with netmask lengths within [min. netmask length, 32].
    Example: If the min. netmask length is 20, all the routes with the netmask lengths from 20 to 32 are allowed or denied.
  • IP Prefix: 0.0.0.0/X (X is not 0)
    Matching rule: Matches all the routes with netmask lengths within [min. netmask length, 32].
    Example: If X is 8 and the min. netmask length is 20, all the routes with the netmask lengths from 20 to 32 are allowed or denied.

Min. Netmask Length: Not specified; Max. Netmask Length: Specified

  • IP Prefix: 0.0.0.0/0
    Matching rule: Matches all the routes with netmask lengths within [0, max. netmask length].
    Example: If the max. netmask length is 28, all the routes with the netmask lengths from 0 to 28 are allowed or denied.
  • IP Prefix: 0.0.0.0/X (X is not 0)
    Matching rule: Matches all the routes with netmask lengths within [X, max. netmask length].
    Example: If X is 8 and the max. netmask length is 28, all the routes with the netmask lengths from 8 to 28 are allowed or denied.

Min. Netmask Length: Specified; Max. Netmask Length: Specified

  • IP Prefix: 0.0.0.0/0
    Matching rule: Matches all the routes with netmask lengths within [min. netmask length, max. netmask length].
    Example: If min. and max. netmask lengths are 20 and 28, all the routes with the netmask lengths from 20 to 28 are allowed or denied.
  • IP Prefix: 0.0.0.0/X (X is not 0)
    Matching rule: Matches all the routes with netmask lengths within [min. netmask length, max. netmask length].
    Example: If X, min. and max. netmask lengths are 8, 20, and 28, all the routes with the netmask lengths from 20 to 28 are allowed or denied.
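
The match rules and netmask rules above can be checked offline before a prefix list is changed. The following Python model is an added example, not Huawei Cloud code or an API of the service: the names PrefixRule, evaluate, DENY_ONLY and WITH_CATCH_ALL are hypothetical, and the sample lists are constructed. It shows that a list containing only a deny rule denies every route until a catch-all allow rule is added after it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class PrefixRule:
    seq: int                    # sequence number; smaller is matched first
    action: str                 # "allow" or "deny"
    prefix: str                 # IP prefix, e.g. "10.0.0.0/16"
    min_len: Optional[int] = None
    max_len: Optional[int] = None

    def __post_init__(self):
        self.net = ipaddress.IPv4Network(self.prefix)
        plen = self.net.prefixlen
        if self.min_len is None and self.max_len is None:
            self.lo, self.hi = plen, plen            # exact length only
        else:
            self.lo = plen if self.min_len is None else self.min_len
            self.hi = 32 if self.max_len is None else self.max_len
        # Constraints from Table 1: prefix length <= min <= max <= 32.
        if not plen <= self.lo <= self.hi <= 32:
            raise ValueError(f"invalid netmask length range in rule {self.seq}")

    def matches(self, route: str) -> bool:
        dest = ipaddress.IPv4Network(route, strict=False)
        if not self.lo <= dest.prefixlen <= self.hi:
            return False
        # Per Table 3, an address of 0.0.0.0 matches on netmask length alone.
        if int(self.net.network_address) == 0:
            return True
        return dest.subnet_of(self.net)              # leading bits equal the prefix

def evaluate(rules, route: str) -> str:
    """Sequential match, unique (first) match, deny by default."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action
    return "deny"

# Constructed sample lists (not from the page).
DENY_ONLY = [PrefixRule(10, "deny", "10.0.0.0/16", 18, 24)]
WITH_CATCH_ALL = DENY_ONLY + [PrefixRule(20, "allow", "0.0.0.0/0", max_len=32)]

if __name__ == "__main__":
    for route in ("10.0.1.0/24", "192.168.0.0/24", "0.0.0.0/0"):
        print(route, evaluate(DENY_ONLY, route), evaluate(WITH_CATCH_ALL, route))
```

If the catch-all rule is given a smaller sequence number than the deny rule, it matches first and the deny rule never takes effect.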

Notes and Constraints

  • By default, an account can have up to five IP prefix lists.
  • By default, each IP prefix list can have up to 100 prefix rules.
  • Changing an IP prefix list will also change the associated routes and traffic routing. To reduce the impact on network performance, a prefix list can only be changed once within 40 seconds.
