Can someone explain with an example what's the difference between an access list and a prefix list?
Cisco – Difference Between Access List and Prefix List
Related Solutions
By "router leg" they mean a (directly) connected route (and use a strange way of putting it).
What is a connected route compared to a static route?
Connected route (router leg)
A connected route is a route that points to an interface. For example if you configure 10.0.0.1/24 on (ethernet) interface Gi0/1 the directly connected route (the "router leg") is 10.0.0.0/24.
If the router wants to send a packet to a host in the 10.0.0.0/24 network it will do a L2 (Layer 2) lookup (ARP for IPv4, ND for IPv6) on the Gi0/1 interface to find the MAC address of the host. It will then send the packet to the MAC address.
One-liner: Connected routes point to an interface, next-hop for packet will be resolved at L2 by ARP/ND on the respective interface.
Static route
A static route points to an IP address. For example you could have route 10.0.0.0/24 pointing to 10.0.2.1. The router will send packets for hosts in the 10.0.0.0/24 network to 10.0.2.1.
For this to work 10.0.2.1 itself must be part of a connected route so that the router can find the right L2 next-hop for the packets.
One-liner: Static routes point to an IP next-hop. The IP next-hop itself will be resolved by L2 lookup on the interface the connected route for the next-hop points to.
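The lookup described in this answer, as an added example that is not part of the original answer: a small forwarding-table model in Python that does longest-prefix matching, returns the egress interface and the address that ARP/ND is performed for, and resolves a static route's IP next-hop recursively through the connected route that covers it. The table, interface names and addresses are constructed for the example; a next-hop that no connected route covers, and two static routes whose next-hops point at each other, are included to show the two ways resolution fails.

```python
import ipaddress
from typing import List, Optional, Tuple


class Route:
    """One forwarding-table entry: connected (points to an interface) or static (points to an IP)."""

    def __init__(self, prefix: str, interface: Optional[str] = None, next_hop: Optional[str] = None):
        if (interface is None) == (next_hop is None):
            raise ValueError("a route points to exactly one of: interface, next-hop address")
        self.prefix = ipaddress.ip_network(prefix)
        self.interface = interface
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None

    @property
    def is_connected(self) -> bool:
        return self.interface is not None


def longest_match(table: List[Route], dst) -> Optional[Route]:
    """Classic longest-prefix match; returns None when no route covers dst."""
    candidates = [r for r in table if r.prefix.version == dst.version and dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(table: List[Route], destination: str, max_depth: int = 8) -> Optional[Tuple[str, str, str]]:
    """Return (egress interface, address to resolve at L2, 'ARP'|'ND'), or None if unresolvable.

    A connected route ends the search: the destination itself (or the static next-hop we are
    chasing) is resolved by ARP/ND on that interface. A static route replaces the address we
    are looking for with its next-hop and the lookup starts again, exactly as the answer says
    the next-hop "itself must be part of a connected route". max_depth guards against
    next-hops that point at each other.
    """
    target = ipaddress.ip_address(destination)
    for _ in range(max_depth):
        route = longest_match(table, target)
        if route is None:
            return None                                   # no route at all for this address
        if route.is_connected:
            l2 = "ARP" if target.version == 4 else "ND"
            return route.interface, str(target), l2
        target = route.next_hop                           # recurse on the IP next-hop
    return None                                           # recursion loop between static routes


# Constructed sample table (not from the original answer).
TABLE = [
    Route("10.0.2.0/24", interface="Gi0/1"),              # connected: router has an address in it
    Route("192.168.1.0/24", interface="Gi0/2"),           # connected
    Route("10.0.0.0/24", next_hop="10.0.2.1"),            # static, next-hop inside 10.0.2.0/24
    Route("2001:db8:1::/64", interface="Gi0/1"),          # connected IPv6
    Route("2001:db8:2::/64", next_hop="2001:db8:1::1"),   # static IPv6
    Route("203.0.113.0/24", next_hop="198.51.100.1"),     # static, next-hop covered by nothing
    Route("192.0.2.0/24", next_hop="198.18.0.1"),         # static pair that point at each other
    Route("198.18.0.0/16", next_hop="192.0.2.1"),
]

if __name__ == "__main__":
    for dst in ("10.0.0.55", "10.0.2.7", "2001:db8:2::9", "203.0.113.5", "192.0.2.5", "8.8.8.8"):
        print(dst, "->", resolve(TABLE, dst))
```

The first lookup is the interesting one: 10.0.0.55 hits the static route, but the packet leaves Gi0/1 with the MAC address of 10.0.2.1, not of 10.0.0.55, because the ARP is done for the next-hop. Real routers also resolve static next-hops through other static routes and the default route, which is why the loop guard matters in practice.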
One thing you should ask your vendor: whether the specs are for IPv4 and for IPv6, and if not, how many IPv6 routes you can have for each of the different types.
ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0
This line defines DELEGATED_PREFIX. It automatically calculates the IPv6 prefix based on the 6rd settings of the Tunnel0 interface.
ipv6 address DELEGATED_PREFIX ::/128 anycast (on int Tunnel 0)
This line sets an IPv6 address on the Tunnel0 interface using the DELEGATED_PREFIX defined before. It tells the router to take the prefix, leave the other bits zero (::) and configure it as a single anycast address. The anycast flag tells the router that the address may be used on multiple devices at the same time. It will therefore not perform any Duplicate Address Detection (not really relevant for a tunnel interface) and it will not use that address as a source address (because the return traffic might end up at one of the other anycast nodes).
ipv6 address DELEGATED_PREFIX ::/64 eui-64 (on int Ethernet 0)
This does the same for the Ethernet0 interface. It uses the DELEGATED_PREFIX to give an address to the interface. One problem is that you're using the same subnet on the tunnel interface. You should use separate subnets for different interfaces. The eui-64 flag tells the router to generate the last 64 bits of the interface address based on its MAC address.
An example to (hopefully) make things clearer:
Let's take the 6rd settings from the example:
- 6rd IPv4 prefix: 10.0.0.0/8
- 6rd IPv6 prefix: 2001:db80::/28
Then if your router has IPv4 address 10.0.0.10 you will get IPv6 prefix 2001:db80:0:a000::/52. The /8 in the IPv4 prefix means that the first 8 bits are fixed. So when constructing the IPv6 prefix it will only use the last 24 (32 - 8) bits from the IPv4 address. These have binary value 0000 0000 0000 0000 0000 1010. When written in hexadecimal that is 00 00 0a. This is appended to the /28 IPv6 prefix, giving a /52 (28 + 24).
So DELEGATED_PREFIX will get value 2001:db80:0:a000::/52. Therefore the Tunnel0 interface will get address 2001:db80:0:a000::/128 and the Ethernet0 interface will get something like 2001:db80:0:a000:1234:56ff:fe78:90ab/64 (assuming MAC address 12.34.56.78.90.ab).
It would be better to give the ethernet interface an address from a different subnet, like:
ipv6 address DELEGATED_PREFIX 0:0:0:1::/64 eui-64
That would result in 2001:db80:0:a001:1234:56ff:fe78:90ab/64. And if you don't want to make the address dependent on the MAC address you can also just give it a fixed address:
ipv6 address DELEGATED_PREFIX 0:0:0:1::1/64
That would result in 2001:db80:0:a001::1/64.
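The prefix arithmetic in this answer, carried out in Python as an added example (this is not the original answer's code and not Cisco's implementation). It generalises the 6rd computation to any IPv4 prefix length and IPv6 prefix length (RFC 5969: the IPv4 bits not covered by the 6rd IPv4 prefix are appended to the 6rd IPv6 prefix) and models the general-prefix address forms used above: a fixed sub-prefix/host part, and eui-64. The eui-64 function implements the modified EUI-64 of RFC 4291 Appendix A, which inserts ff:fe in the middle of the MAC and inverts the universal/local bit of the first octet; with that bit flip the MAC 12:34:56:78:90:ab gives interface identifier 1034:56ff:fe78:90ab. The function names, and the hypothetical general-prefix helper, are this example's own.

```python
import ipaddress
from typing import Dict, Optional


def sixrd_delegated_prefix(ipv6_prefix: str, ipv4_prefix: str, ipv4_addr: str) -> ipaddress.IPv6Network:
    """6rd delegated prefix: append the non-fixed bits of the CE IPv4 address to the 6rd IPv6 prefix."""
    v6 = ipaddress.IPv6Network(ipv6_prefix)
    v4net = ipaddress.IPv4Network(ipv4_prefix)
    v4 = ipaddress.IPv4Address(ipv4_addr)
    if v4 not in v4net:
        raise ValueError(f"{v4} is outside the 6rd IPv4 prefix {v4net}")
    v4_bits = 32 - v4net.prefixlen                   # 24 for a /8: the first 8 bits are fixed
    suffix = int(v4) & ((1 << v4_bits) - 1)           # low 24 bits of 10.0.0.10 -> 0x00000a
    plen = v6.prefixlen + v4_bits                     # 28 + 24 = 52
    if plen > 64:
        raise ValueError(f"/{plen} delegated prefix leaves no room for a /64 subnet")
    value = int(v6.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((value, plen))


def modified_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]  # flip U/L bit, insert ff:fe
    return int.from_bytes(iid, "big")


def general_prefix_address(general: ipaddress.IPv6Network, sub: str, plen: int,
                           eui64_mac: Optional[str] = None) -> ipaddress.IPv6Interface:
    """Hypothetical model of 'ipv6 address GENERAL_PREFIX <sub>/<plen> [eui-64]'.

    The general prefix supplies its own leading bits; the bits of <sub> below that
    length supply the subnet id and host part. With eui-64 the low 64 bits come from the MAC.
    """
    sub_int = int(ipaddress.IPv6Address(sub))
    host_bits = 128 - general.prefixlen
    if sub_int >> host_bits:
        raise ValueError("sub-prefix has bits inside the general prefix")
    addr = int(general.network_address) | sub_int
    if eui64_mac is not None:
        if plen != 64:
            raise ValueError("eui-64 requires a /64")
        addr = (addr >> 64 << 64) | modified_eui64(eui64_mac)
    return ipaddress.IPv6Interface((addr, plen))


def worked_example() -> Dict[str, str]:
    """The answer's numbers: 2001:db80::/28, IPv4 prefix 10.0.0.0/8, router address 10.0.0.10."""
    delegated = sixrd_delegated_prefix("2001:db80::/28", "10.0.0.0/8", "10.0.0.10")
    mac = "12:34:56:78:90:ab"
    return {
        "delegated": str(delegated),
        "tunnel0": str(general_prefix_address(delegated, "::", 128)),
        "ethernet0_same_subnet": str(general_prefix_address(delegated, "::", 64, mac)),
        "ethernet0_subnet1_eui64": str(general_prefix_address(delegated, "0:0:0:1::", 64, mac)),
        "ethernet0_subnet1_fixed": str(general_prefix_address(delegated, "0:0:0:1::1", 64)),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:26s} {value}")
```

The /64 bound in sixrd_delegated_prefix is the check worth keeping: a 6rd IPv6 prefix shorter than the IPv4 suffix allows (here 28 + 24 = 52) leaves 12 bits of subnet id, which is exactly why the answer suggests putting the Ethernet side in 0:0:0:1::/64 rather than reusing the tunnel's subnet.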
Best Answer
Here's the history of how they came into being (and why they are the way they are):
So: access list = packet filter.
Later (but still decades ago) people started running multiple routing protocols on the same box and wanted to redistribute information between them. Not a problem, but you wouldn't want ALL the information you have propagated into the other routing protocol - you need ROUTE FILTERS. As is usually the case, everything looks like a nail if you happen to have a hammer, and thus Cisco's engineers implemented route filters with the object they already had - access lists.
At this point: access list = packet filter (and sometimes route filter)
With the advent of classless routing (yeah, it's that long ago - does anyone still remember the days of Class A, Class B and Class C addresses?), people wanted to redistribute prefixes of a certain size between routing protocols. For example: advertise all /24s from OSPF into BGP, but not the /32s. Impossible to do with access lists. Time for a new kludge: let's use extended access lists and let's pretend the source IP address in the packet filter represents the network address (actually prefix address) and the destination IP address in the same line of the packet filter represents the subnet mask.
This far: access lists = packet filters. Simple access lists also serve as route filters (matching only on network addresses) and extended access lists serve as route filters matching addresses and subnet masks.
Fortunately someone retained a shred of reason at that time and started wondering what exactly the brilliant minds that decided reusing extended ACLs for route filters makes sense were smoking when they got that brilliant idea.
End result: Cisco IOS got prefix lists, which are (almost) identical in functionality to extended access lists acting as route filters, but displayed in a format that a regular human being has a chance of understanding.
Today: use access lists for packet filters and prefix lists for route filters. You can still use access lists as route filters but don't do it.
Makes sense?
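The two route-filter mechanisms the answer compares, side by side in Python as an added example (not the answer's code and not IOS itself). The first matcher implements prefix-list semantics: a route matches an entry when it lies inside the entry's prefix and its length is within the ge/le range (with neither keyword the length must equal the entry's; ge alone means up to /32; le alone means from the entry's length up to le), entries are tried in sequence order, and an unmatched route is denied. The second implements the "pretend source is the network and destination is the mask" trick for an extended ACL used as a route filter. Both are run over the answer's "all /24s but not /32s" case plus a constructed 172.16.0.0/12 range, where the prefix list expresses "any /12 through /16" in one line and a single ACL line can only cover one mask length.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_prefix_list(config: List[str]) -> List[Tuple[int, str, IPv4Net, int, int]]:
    """'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]' -> (seq, action, prefix, min_len, max_len)."""
    entries = []
    for line in config:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            continue
        seq, action, prefix = int(tok[4]), tok[5], IPv4Net(tok[6])
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))       # {} , {'ge': 24}, {'ge': 24, 'le': 24}, ...
        plen = prefix.prefixlen
        lo = opts.get("ge", plen)
        hi = opts.get("le", 32 if "ge" in opts else plen)
        if not plen <= lo <= hi <= 32:
            raise ValueError(f"invalid ge/le range in: {line}")
        entries.append((seq, action, prefix, lo, hi))
    return sorted(entries, key=lambda e: e[0])                  # evaluated in sequence order


def prefix_list_permits(entries, route: IPv4Net) -> bool:
    for _, action, prefix, lo, hi in entries:
        if route.subnet_of(prefix) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False                                                # implicit deny at the end


def parse_extended_acl(config: List[str]) -> List[Tuple[str, int, int, int, int]]:
    """'access-list N permit|deny ip SRC SRC_WC DST DST_WC'. As a route filter, SRC/SRC_WC are
    compared with the route's network address and DST/DST_WC with its subnet mask."""
    entries = []
    for line in config:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[3] != "ip":
            continue
        src, src_wc, dst, dst_wc = (int(ipaddress.IPv4Address(t)) for t in tok[4:8])
        entries.append((tok[2], src, src_wc, dst, dst_wc))
    return entries


def acl_route_filter_permits(entries, route: IPv4Net) -> bool:
    net, mask = int(route.network_address), int(route.netmask)
    for action, src, src_wc, dst, dst_wc in entries:
        care_net, care_mask = 0xFFFFFFFF ^ src_wc, 0xFFFFFFFF ^ dst_wc   # wildcard 1-bits are "don't care"
        if (net & care_net) == (src & care_net) and (mask & care_mask) == (dst & care_mask):
            return action == "permit"
    return False                                                # implicit deny


def route_filter_verdicts(prefix_list_cfg, acl_cfg, routes) -> Dict[str, Tuple[bool, bool]]:
    """Map each route to (prefix-list verdict, extended-ACL verdict)."""
    pl, acl = parse_prefix_list(prefix_list_cfg), parse_extended_acl(acl_cfg)
    return {r: (prefix_list_permits(pl, IPv4Net(r)), acl_route_filter_permits(acl, IPv4Net(r))) for r in routes}


# Constructed sample configuration and routes (not from the original answer).
PREFIX_LIST = [
    "ip prefix-list FROM_OSPF seq 10 permit 10.0.0.0/8 ge 24 le 24",   # the /24s in 10/8, nothing else
    "ip prefix-list FROM_OSPF seq 20 permit 172.16.0.0/12 le 16",      # 172.16/12 itself down to /16
]
EXT_ACL = [
    "access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.0",   # net in 10/8, mask == /24
    "access-list 100 permit ip 172.16.0.0 0.15.255.255 255.255.0.0 0.0.0.0",    # one mask length only
]
ROUTES = ["10.1.1.0/24", "10.2.0.0/16", "10.3.3.3/32", "192.168.0.0/24",
          "172.16.0.0/16", "172.16.5.0/24", "172.16.0.0/12"]

if __name__ == "__main__":
    for route, (pl_ok, acl_ok) in route_filter_verdicts(PREFIX_LIST, EXT_ACL, ROUTES).items():
        print(f"{route:18s} prefix-list={'permit' if pl_ok else 'deny':6s} ext-acl={'permit' if acl_ok else 'deny'}")
```

The two verdicts agree on every route except 172.16.0.0/12, which the prefix list's le 16 permits and the single ACL line denies: reproducing a ge/le range with an extended ACL takes one line per mask length, which is the readability problem the answer is describing.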