Prefix Lists (prefix-list) Explained

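Unlike IP access lists, which are used to match traffic, IP prefix lists are mainly used to specify which particular networks are reachable. A prefix list matches on a prefix (network) and a prefix length (subnet mask). Two of the prefix-list parameters are hard to understand.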

The parameters of an ordinary prefix list are:

ip prefix-list [name] [permit | deny] [prefix]/[len]
name is any name or number, prefix is the route prefix (network) to match, and len is the prefix length (subnet mask) to match. For example:

ip prefix-list LIST permit 1.2.3.0/24

The example above matches network 1.2.3.0 with subnet mask 255.255.255.0. This list does not match 1.2.0.0/24, and it does not match 1.2.3.4/32 either.

ip prefix-list LIST permit 0.0.0.0/0

The example above matches network 0.0.0.0 with subnet mask 0.0.0.0. This list is used to match the default route.

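Confusion usually arises when "GE" (greater than or equal to) and "LE" (less than or equal to) are added to a prefix list. This is because the role of the length (len) in the entry changes when "GE" and "LE" are used.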

The parameters of the other form of prefix list are:

ip prefix-list [name] [permit | deny] [prefix]/[len] ge [min_length] le [max_length]

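name is any name or number, prefix is the route prefix (network) to compare against, len is the number of bits counted from the leftmost bit, min_length is the minimum subnet mask value, and max_length is the maximum subnet mask value.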

When GE and LE are used, the following condition must hold:

len < GE <= LE

The parameters above are easy to confuse. Put simply, they define a range of prefixes or subnets to match.

Look at the following examples:

ip prefix-list LIST permit 1.2.3.0/24 le 32

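The example above means that the first 24 bits of the prefix 1.2.3.0 must match. In addition, the subnet mask must be less than or equal to 32 bits.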

ip prefix-list LIST permit 0.0.0.0/0 le 32

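The example above means that 0 bits need to match, and in addition the subnet mask must be less than or equal to 32 bits. Because the mask of every network is less than or equal to 32 bits and not a single bit has to match, this statement is equivalent to permit any.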

ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29

The example above means that the first 8 bits of network 10.0.0.0 must match, and in addition the subnet mask must be between 21 and 29 bits.

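Notes:

Unlike an access list, a prefix list cannot be used to match specific application flows.
A prefix list also cannot be used to match specifically odd or even prefixes, or, say, prefixes divisible by 15.
In a prefix list the bits must be contiguous and start from the left.
ip prefix-list fuck permit 0.0.0.0/0 ge 1 means all routes except the default route
ip prefix-list test16 seq 5 permit 0.0.0.0/1 ge 8 le 8 is the configuration for Class A addresses
ip prefix-list test16 seq 10 permit 128.0.0.0/2 ge 16 le 16 is the configuration for Class B addresses
ip prefix-list test16 seq 15 permit 192.0.0.0/3 ge 24 le 24 is the configuration for Class C addresses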
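
The matching rules described above, as an added example that is not part of the original article: a small Python model that parses prefix-list lines and evaluates routes against them. It assumes entries are checked in sequence order, the first match decides, and a route that matches nothing is denied; the function names and the DEMO list are made up for illustration.

```python
import ipaddress
import re

# ip prefix-list NAME [seq N] permit|deny PREFIX/LEN [ge MIN] [le MAX]
LINE = re.compile(r"ip prefix-list \S+(?: seq (\d+))? (permit|deny) (\S+)"
                  r"(?: ge (\d+))?(?: le (\d+))?$")

def parse(config):
    """Return entries sorted by sequence number: (seq, action, net, lo, hi)."""
    entries, last = [], 0
    for line in config.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse: {line!r}")
        seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix, strict=False)
        if ge is None and le is None:
            lo = hi = net.prefixlen          # no ge/le: mask must equal len
        else:
            lo = int(ge) if ge else net.prefixlen
            hi = int(le) if le else 32       # ge alone means "up to /32"
        if (ge and not net.prefixlen < lo) or not lo <= hi <= 32:
            raise ValueError(f"need len < ge <= le: {line!r}")
        last = int(seq) if seq else last + 5  # assumed default: steps of 5
        entries.append((last, action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, route):
    """First matching entry decides; a route matching nothing is denied."""
    r = ipaddress.ip_network(route)
    for _, action, net, lo, hi in entries:
        # The route's mask length must lie in [lo, hi] and its first `len`
        # bits must equal the entry's prefix (lo >= len, so subnet_of works).
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action
    return "deny"

# Constructed sample built from entries shown in this article.
SAMPLE = """
ip prefix-list DEMO seq 5 permit 1.2.3.0/24
ip prefix-list DEMO seq 10 permit 10.0.0.0/8 ge 21 le 29
ip prefix-list DEMO seq 15 permit 0.0.0.0/0
"""

if __name__ == "__main__":
    rules = parse(SAMPLE)
    for route in ["1.2.3.0/24", "1.2.3.4/32", "10.1.0.0/16", "10.1.8.0/21",
                  "10.1.1.0/30", "0.0.0.0/0", "8.8.8.0/24"]:
        print(f"{route:15} {evaluate(rules, route)}")
```

Running the same check against a filter before applying it to a BGP neighbor shows which announcements fall through to the final deny.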

Exercises:

1. Construct a prefix list that permits only the 192.168.1.0/24 network.

ip prefix-list test1 seq 5 permit 192.168.1.0/24

2. Construct a prefix list that denies network 119.0.0.0, and permits all
other prefixes (including all subnets of 119.0.0.0).

ip prefix-list test2 seq 5 deny 119.0.0.0/8
ip prefix-list test2 seq 10 permit 0.0.0.0/0 le 32

3. Construct a prefix list that permits only the default route.

ip prefix-list test3 seq 5 permit 0.0.0.0/0

4. Construct a prefix list that permits everything except the default route.

ip prefix-list test4 seq 5 deny 0.0.0.0/0
ip prefix-list test4 seq 10 permit 0.0.0.0/0 le 32

5. Construct a prefix list that permits network 172.16.0.0 and any of its
subnets, and denies all other prefixes.

ip prefix-list test5 seq 5 permit 172.16.0.0/16 le 32

6. Construct a prefix list that permits only the following prefixes:
10.2.8.32/27
10.2.8.32/28
10.2.8.32/29
10.2.8.32/30

ip prefix-list test6 seq 5 permit 10.2.8.32/27 le 30

7. Construct a prefix list that:

Permits 197.25.94.128/25
Denies 197.25.94.192/26
Permits 197.25.94.224/27
Denies 197.25.94.240/28
Permits 197.25.94.248/29
Denies 197.25.94.252/30
Permits all other prefixes, except for 198.82.0.0/16

ip prefix-list test7 seq 5 deny 197.25.94.192/26
ip prefix-list test7 seq 10 deny 197.25.94.240/28
ip prefix-list test7 seq 15 deny 197.25.94.252/30
ip prefix-list test7 seq 20 deny 198.82.0.0/16
ip prefix-list test7 seq 25 permit 0.0.0.0/0 le 32

8. Construct a prefix list that permits any prefix matching the first 20
bits of 175.29.64.0 which has a mask of at least /26 but not exceeding /29,
and denies all other prefixes.

ip prefix-list test8 seq 5 permit 175.29.64.0/20 ge 26 le 29

9. Construct a prefix list that denies any prefix matching the first 19
bits of 15.26.96.0 with any mask up to and including /32, and permits any
other prefix.

ip prefix-list test9 seq 5 deny 15.26.96.0/19 le 32
ip prefix-list test9 seq 10 permit 0.0.0.0/0 le 32

10. Construct a prefix list that denies the RFC 1918 private networks and
any of their subnets, and permits everything else.

ip prefix-list test10 seq 5 deny 10.0.0.0/8 le 32
ip prefix-list test10 seq 10 deny 172.16.0.0/12 le 32
ip prefix-list test10 seq 15 deny 192.168.0.0/16 le 32
ip prefix-list test10 seq 20 permit 0.0.0.0/0 le 32

11. Construct a prefix list that permits any subnet of network 15.0.0.0
(but not the network), and denies everything else. Your router lies within
AS 65011. Place the prefix list in service in the inbound direction with
BGP neighbor 1.2.3.4.

ip prefix-list test11 seq 5 permit 15.0.0.0/8 ge 9

To place it in service:
router bgp 65011
neighbor 1.2.3.4 prefix-list test11 in

12. Construct a prefix list that denies 162.56.0.0/16 and all of its
subnets (with the exception of 162.56.209.208/29, which is permitted), and
permits all other prefixes. Your router lies within AS 65012. Place the
prefix list in service in the outbound direction with its BGP neighbor
having address 5.6.7.8.

ip prefix-list test12 seq 5 permit 162.56.209.208/29
ip prefix-list test12 seq 10 deny 162.56.0.0/16 le 32
ip prefix-list test12 seq 15 permit 0.0.0.0/0 le 32
