How to test an IP against a prefix list on JUNOS CLI

Tags: cli, juniper-junos, prefix

One can find routes matching an IP using show route 192.0.2.123. What is the equivalent way to find matching prefixes, if any, in a long prefix list? … to determine quickly and conclusively whether or not an IP matches a prefix list? … to generate a list of all prefix lists that an IP matches?

Best Answer

In Junos you have the command:

test policy <<POLICY-NAME>> <<Prefix>>

however, it doesn't do quite what you are asking.

Firstly, create your prefix-list and match it in a policy:

policy-options {
    prefix-list SOME-PREFIXES {
        172.16.10.1/32;
        172.16.10.32/27;
        172.16.10.50/32;
        172.16.10.96/29;
        172.16.10.104/29;
        172.16.10.128/27;
    }
    policy-statement ACCEPT-PREFIXES {
        term MATCH-PREFIXES {
            from {
                prefix-list SOME-PREFIXES;
            }
            then accept;
        }
        then reject;
    }
}

Now, given the following routes in inet.0:

bdale@0ffnet-lab-gw> show route 172.16.10.0/24 

inet.0: 98 destinations, 100 routes (98 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.10.0/24     *[Direct/0] 6d 05:39:58
                    > via vlan.10
172.16.10.21/32    *[Access-internal/12] 6d 05:31:47
                    > to 172.16.10.254 via vlan.10
172.16.10.22/32    *[Access-internal/12] 6d 05:39:43
                    > to 172.16.10.254 via vlan.10
172.16.10.23/32    *[Access-internal/12] 6d 05:39:42
                    > to 172.16.10.254 via vlan.10
172.16.10.24/32    *[Access-internal/12] 5d 21:25:31
                    > to 172.16.10.254 via vlan.10
172.16.10.25/32    *[Access-internal/12] 6d 05:38:15
                    > to 172.16.10.254 via vlan.10
172.16.10.28/32    *[Access-internal/12] 6d 05:39:26
                    > to 172.16.10.254 via vlan.10
172.16.10.32/32    *[Access-internal/12] 15:13:51
                    > to 172.16.10.254 via vlan.10
172.16.10.34/32    *[Access-internal/12] 14:51:36
                    > to 172.16.10.254 via vlan.10
172.16.10.37/32    *[Access-internal/12] 14:50:48
                    > to 172.16.10.254 via vlan.10
172.16.10.50/32    *[Access-internal/12] 6d 05:39:32
                    > to 172.16.10.254 via vlan.10
172.16.10.51/32    *[Access-internal/12] 6d 05:39:28
                    > to 172.16.10.254 via vlan.10
...

run the test:

bdale@0ffnet-lab-gw> test policy ACCEPT-PREFIXES 172.16.10.0/24 

inet.0: 98 destinations, 100 routes (98 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.10.50/32    *[Access-internal/12] 6d 05:43:06
                    > to 172.16.10.254 via vlan.10

Policy ACCEPT-PREFIXES: 1 prefix accepted, 21 prefix rejected

And you'll see you only get one match.

The prefix you enter into the test command basically says "show me all the routes that match this prefix or longer" - in a similar way to how a show route command works.

However, when matching a prefix list, prefixes are matched exactly, so even though our prefix list has a covering prefix (e.g. 172.16.10.32/27), that doesn't cause a match because that exact prefix isn't in the routing table.
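Because test policy only reports routes that actually exist in inet.0, answering the question as asked (which prefixes, in which lists, cover a given IP) means evaluating the prefix-lists offline. The following Python helper is an added example, not code from the answer above or from Juniper: it parses prefix-list stanzas out of a policy-options configuration and reports the covering prefixes per list, with an exact flag that mimics the Junos policy behaviour described above. The second list, MGMT-HOSTS, and its entries are constructed sample data.

```python
import ipaddress
import re

# Constructed sample: the prefix-list from the answer above plus a second,
# hypothetical list, written in the same policy-options syntax.
SAMPLE_CONFIG = """
policy-options {
    prefix-list SOME-PREFIXES {
        172.16.10.1/32;
        172.16.10.32/27;
        172.16.10.50/32;
        172.16.10.96/29;
        172.16.10.104/29;
        172.16.10.128/27;
    }
    prefix-list MGMT-HOSTS {
        172.16.10.50/32;
        10.0.0.0/8;
    }
}
"""

def parse_prefix_lists(config):
    """Return {list_name: [ip_network, ...]} from curly-brace Junos config text."""
    lists = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"prefix-list\s+(\S+)\s*\{", line)
        if m:                      # opening of a prefix-list stanza
            current = m.group(1)
            lists[current] = []
        elif line == "}":          # end of the current stanza (or outer block)
            current = None
        elif current is not None and line.endswith(";"):
            lists[current].append(ipaddress.ip_network(line.rstrip(";"), strict=False))
    return lists

def covering_prefixes(lists, ip, exact=False):
    """Map each prefix-list name to its entries that match ip (a host or a prefix).
    exact=False: any entry that contains ip (what the question is after).
    exact=True: only an entry equal to ip, as Junos policy matches a prefix-list."""
    target = ipaddress.ip_network(ip, strict=False)
    result = {}
    for name, prefixes in lists.items():
        hits = [p for p in prefixes if p.version == target.version
                and (p == target if exact else target.subnet_of(p))]
        if hits:   # most specific first, like longest-prefix match
            result[name] = sorted(hits, key=lambda p: p.prefixlen, reverse=True)
    return result
```

Feed it the output of show configuration policy-options and call covering_prefixes(lists, "172.16.10.37") to see every list and entry that covers that host.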