Updated on 2024-08-19 GMT+08:00

IP Prefix List Overview

Introduction

An IP prefix list contains prefix rules for route filtering. You can define IP prefixes and netmasks in prefix rules to match the destination addresses or next hops of routes. An IP prefix list is used to filter routes that are advertised and received by dynamic routing protocols. An IP prefix list is matched against routes using either of the following:
  • Netmask length: A netmask length, together with an IP address, identifies an IP prefix. Each IP prefix in an IP prefix list is used to filter routes with the same IP prefix.

    For example, the netmask length of 10.1.0.0/16 is 16, and the valid prefix is 10.1.0.0.

  • Netmask length range: A netmask length range can be defined in an IP prefix list to match routes that have the same IP prefix and a netmask length within the specified range.

Currently, IP prefix lists only support IPv4 addresses.

IP Prefix Match Rules

An IP prefix list can contain multiple IP prefix rules. As shown in Figure 1, routes to be filtered are matched against the prefix rules of an IP prefix list in ascending order of rule sequence number.
  • If a route matches a prefix rule with Action set to Allow, the route is allowed. If the prefix rule has Action set to Deny, the route is denied.
  • If a route does not match any prefix rule in the IP prefix list, the route is denied.
Figure 1 Match process

An IP prefix list filters routes based on three principles: sequential match, unique match, and deny by default.

  • Sequential match: A prefix rule with a smaller sequence number is matched first. The same prefix rules assigned different sequence numbers are evaluated in a different order, which can lead to different filtering results.
  • Unique match: Once a route matches a prefix rule, it is not matched against any other prefix rules.
  • Deny by default: By default, routes that do not match any prefix rule in an IP prefix list are denied. If an IP prefix list has one or more deny rules, you need to create a rule to allow all other routes. Otherwise, routes that match none of the deny rules are still denied by default.

IP Prefix Netmask Match Rules

An IP prefix rule consists of an IP prefix, min. netmask length, and max. netmask length, as detailed in Table 1.

Table 1 Parameters for creating a prefix rule

Parameter: IP prefix

Description:

An IP prefix consists of an IP address and a netmask in the format of IP address/Netmask, for example, 10.1.0.0/16.

An IP prefix specifies the first bits of an IP address range that a route destination must match.

Parameter: Min. netmask length and Max. netmask length

Description:

For a route to match a prefix rule, the netmask length of the route destination must be within the specified length range. In a prefix rule:

  • The min. netmask length cannot be smaller than the netmask length of the IP prefix. For example, if the netmask length of the IP prefix is 16, the min. netmask length must be greater than or equal to 16 (for example, 18).
  • The max. netmask length cannot be smaller than the min. netmask length. For example, if the min. netmask length is 18, the max. netmask length must be from 18 to 32 (for example, 20).

A prefix rule uses min. and max. netmask lengths to filter routes based on the following:

  • If min. and max. netmask lengths are not specified, a route can only be filtered when its netmask length is the same as that of the IP prefix.
  • If only the min. netmask length is specified, a route can only be filtered when its netmask length is within [min. netmask length, 32].
  • If only the max. netmask length is specified, a route can only be filtered when its netmask length is within [IP prefix netmask length, max. netmask length].
  • If both min. and max. netmask lengths are specified, a route can only be filtered when its netmask length is within [min. netmask length, max. netmask length].

Table 2 lists example prefix rules and describes the requirements that routes to be filtered must meet.

Table 2 IP prefix rules

Example 1

Prefix Rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: Not specified
  • Max. Netmask Length: Not specified

Route Can Be Filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: 16

Allowed IP Address Range (both conditions are met):
  • 10.0.0.0/16

Denied IP Address Range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.1.0/24
    • 10.0.253.25/32
  • Only the netmask length is matched: 10.1.0.0/16

Example 2

Prefix Rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: 18
  • Max. Netmask Length: Not specified

Route Can Be Filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: [18, 32]

Allowed IP Address Range (both conditions are met):
  • 10.0.1.0/24
  • 10.0.253.25/32

Denied IP Address Range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.0.0/16
  • Only the netmask length is matched: 10.1.0.0/20

Example 3

Prefix Rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: Not specified
  • Max. Netmask Length: 24

Route Can Be Filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: [16, 24]

Allowed IP Address Range (both conditions are met):
  • 10.0.0.0/16
  • 10.0.0.0/20
  • 10.0.1.0/24

Denied IP Address Range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.253.25/32
  • Only the netmask length is matched: 10.1.0.0/20

Example 4

Prefix Rule:
  • Action: Allow
  • IP Prefix: 10.0.0.0/16
  • Min. Netmask Length: 18
  • Max. Netmask Length: 24

Route Can Be Filtered: A route can only be filtered when it meets both of the following conditions:
  • The first 16 bits are matched.
  • Netmask length: [18, 24]

Allowed IP Address Range (both conditions are met):
  • 10.0.0.0/20
  • 10.0.1.0/24

Denied IP Address Range:
  • Only the first 16 bits are matched:
    • 10.0.0.0/8
    • 10.0.0.0/16
    • 10.0.253.25/32
  • Only the netmask length is matched: 10.1.0.0/20

When the IP address in an IP prefix is set to 0.0.0.0:

  • If the IP prefix netmask length is specified, all routes with that netmask length are allowed or denied.
  • If both min. and max. netmask lengths are specified, all routes with netmask lengths in the range are allowed or denied.

Table 3 describes the route matching rules if 0.0.0.0 is used.

Table 3 Route matching rules if 0.0.0.0 is used

Min. and Max. Netmask Lengths:
  • Min. Netmask Length: Not specified
  • Max. Netmask Length: Not specified

IP Prefix: 0.0.0.0/0
Matching Rule: Matches only the default route (destination: 0.0.0.0/0).
Example: Only the default route (destination: 0.0.0.0/0) is allowed or denied.

IP Prefix: 0.0.0.0/X (X is not 0)
Matching Rule: Matches all routes with the netmask length of X.
Example: If X is 8, all routes with the netmask length of 8 are allowed or denied.

Min. and Max. Netmask Lengths:
  • Min. Netmask Length: Specified
  • Max. Netmask Length: Not specified

IP Prefix: 0.0.0.0/0
Matching Rule: Matches all the routes with netmask lengths within [min. netmask length, 32].
Example: If the min. netmask length is 20, all the routes with the netmask lengths from 20 to 32 are allowed or denied.

IP Prefix: 0.0.0.0/X (X is not 0)
Matching Rule: Matches all the routes with netmask lengths within [min. netmask length, 32].
Example: If X is 8 and the min. netmask length is 20, all the routes with the netmask lengths from 20 to 32 are allowed or denied.

Min. and Max. Netmask Lengths:
  • Min. Netmask Length: Not specified
  • Max. Netmask Length: Specified

IP Prefix: 0.0.0.0/0
Matching Rule: Matches all the routes with netmask lengths within [0, max. netmask length].
Example: If the max. netmask length is 28, all the routes with the netmask lengths from 0 to 28 are allowed or denied.

IP Prefix: 0.0.0.0/X (X is not 0)
Matching Rule: Matches all the routes with netmask lengths within [X, max. netmask length].
Example: If X is 8 and the max. netmask length is 28, all the routes with the netmask lengths from 8 to 28 are allowed or denied.

Min. and Max. Netmask Lengths:
  • Min. Netmask Length: Specified
  • Max. Netmask Length: Specified

IP Prefix: 0.0.0.0/0
Matching Rule: Matches all the routes with netmask lengths within [min. netmask length, max. netmask length].
Example: If min. and max. netmask lengths are 20 and 28, all the routes with the netmask lengths from 20 to 28 are allowed or denied.

IP Prefix: 0.0.0.0/X (X is not 0)
Matching Rule: Matches all the routes with netmask lengths within [min. netmask length, max. netmask length].
Example: If X, the min. netmask length, and the max. netmask length are 8, 20, and 28, respectively, all the routes with the netmask lengths from 20 to 28 are allowed or denied.
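The match rules and netmask match rules above, combined into one evaluator. This is an added example, not code from the service this page documents. The names Rule, ge, le, evaluate and POLICY are hypothetical, and the policy is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                       # hypothetical model of one prefix rule
    seq: int                      # sequence number (lower is matched first)
    action: str                   # "allow" or "deny"
    prefix: str                   # IP prefix, e.g. "10.0.0.0/16"
    ge: Optional[int] = None      # min. netmask length; None = not specified
    le: Optional[int] = None      # max. netmask length; None = not specified

    def length_range(self):
        """Accepted netmask lengths, following the four cases listed above."""
        plen = ipaddress.IPv4Network(self.prefix).prefixlen
        lo = plen if self.ge is None else self.ge
        hi = self.le if self.le is not None else (plen if self.ge is None else 32)
        if not plen <= lo <= hi <= 32:
            raise ValueError(f"rule {self.seq}: need prefix length <= min <= max <= 32")
        return lo, hi

    def matches(self, route: str) -> bool:
        net = ipaddress.IPv4Network(self.prefix)
        dest = ipaddress.IPv4Network(route, strict=False)
        lo, hi = self.length_range()
        if not lo <= dest.prefixlen <= hi:
            return False
        if int(net.network_address) == 0:      # 0.0.0.0/X: only the length is checked
            return True
        diff = int(net.network_address) ^ int(dest.network_address)
        return diff >> (32 - net.prefixlen) == 0   # first prefixlen bits are equal

def evaluate(rules, route: str) -> str:
    """Sequential match, unique (first) match, deny by default."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action
    return "deny"

# Constructed policy: deny one /24, then allow /18../24 routes inside 10.0.0.0/16.
POLICY = [
    Rule(10, "deny", "10.0.1.0/24"),
    Rule(20, "allow", "10.0.0.0/16", ge=18, le=24),
]

if __name__ == "__main__":
    for route in ("10.0.1.0/24", "10.0.0.0/20", "10.0.0.0/16", "192.168.0.0/24"):
        print(f"{route:16} {evaluate(POLICY, route)}")
```

Swapping the two sequence numbers in POLICY makes 10.0.1.0/24 return allow, because the broader rule then matches first and the deny rule is never reached.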

Notes and Constraints

  • By default, an account can have up to five IP prefix lists.
  • By default, each IP prefix list can have up to 100 prefix rules.
  • Changing an IP prefix list will also change the associated routes and traffic routing. To reduce the impact on network performance, a prefix list can only be changed once within 40 seconds.