Difference between access list and prefix list?

  • Can someone explain with an example what's the difference between an access list and a prefix list?

  • ioshints (Correct answer)

    9 years ago

    Here's the history of how they came into being (and why they are the way they are):

    • In the very early days of the Internet, people started asking for packet filters (aka access lists).
    • Cisco implemented simple access lists first (filtering on destination host addresses, augmented by wildcard masks), but of course they weren't good enough to block (for example) SMTP, so they created extended access lists, which can match on source and destination IP addresses (with wildcard bits on both - these bits allow you to match whole prefixes), protocols, port numbers ...

    So: access list = packet filter.

    Later (but still decades ago) people started running multiple routing protocols on the same box and wanted to redistribute information between them. Not a problem, but you wouldn't want ALL the information you have propagated into the other routing protocol - you need ROUTE FILTERS. As is usually the case, everything looks like a nail if you happen to have a hammer, and thus Cisco's engineers implemented route filters with the object they already had - access lists.

    At this point: access list = packet filter (and sometimes route filter)

    With the advent of classless routing (yeah, it's that long ago - does anyone still remember the days of Class A, Class B and Class C addresses?), people wanted to redistribute prefixes of a certain size between routing protocols. For example: advertise all /24s from OSPF into BGP, but not the /32s. Impossible to do with access lists. Time for a new kludge: let's use an extended access list and let's pretend the source IP address in the packet filter represents the network address (actually prefix address) and the destination IP address in the same line of the packet filter represents the subnet mask.

    This far: access lists = packet filters. Simple access lists also serve as route filters (matching only on network addresses) and extended access lists serve as route filters matching addresses and subnet masks.

    Fortunately someone retained a shred of reason at that time and started wondering what exactly the brilliant minds that decided reusing extended ACLs for route filters makes sense were smoking when they got that brilliant idea.

    End result: Cisco IOS got prefix lists, which are (almost) identical in functionality to extended access lists acting as route filters, but displayed in a format that a regular human being has a chance of understanding.

    Today: use access lists for packet filters and prefix lists for route filters. You can still use access lists as route filters but don't do it.

    Makes sense?

    "For example: advertise all /24s from OSPF into BGP, but not the /32s. Impossible to do with access lists" - not impossible but tedious

    Impossible to do with standard access lists if you really want to match on the subnet mask. Yeah, you could pretend that matching on zero host field is the same ;)
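Added example, not part of the original answer or comments: a small Python model of the three route-filter styles the thread discusses, applied to an "only /24s" filter over constructed routes. The IOS lines in the comments are shown for orientation only; the list numbers 1 and 100 and the name ONLY24 are hypothetical, and the `ge`/`le` length bounds are standard prefix-list keywords that the thread itself does not mention.

```python
import ipaddress

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(value, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(value) & care) == (ip(base) & care)

def standard_acl(route, base, wildcard):
    """Standard ACL as route filter: only the network address is compared."""
    net = ipaddress.ip_network(route)
    return wildcard_match(str(net.network_address), base, wildcard)

def extended_acl(route, src, src_wc, dst, dst_wc):
    """Extended ACL as route filter: 'source' is compared with the network
    address and 'destination' with the subnet mask."""
    net = ipaddress.ip_network(route)
    return (wildcard_match(str(net.network_address), src, src_wc)
            and wildcard_match(str(net.netmask), dst, dst_wc))

def prefix_list(route, prefix, ge=None, le=None):
    """Prefix-list entry: leading bits must match, length must be in range."""
    net, pfx = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    lo = pfx.prefixlen if ge is None else ge
    hi = le if le is not None else (pfx.prefixlen if ge is None else 32)
    same_bits = (int(net.network_address) & int(pfx.netmask)) == int(pfx.network_address)
    return lo <= net.prefixlen <= hi and same_bits

# Constructed sample routes (not taken from the thread)
ROUTES = ["10.1.1.0/24", "10.1.1.0/32", "10.1.1.7/32", "10.2.0.0/16"]

def compare(routes=ROUTES):
    """Return, per filter style, the routes an 'only /24s' filter permits."""
    return {
        # access-list 1 permit 0.0.0.0 255.255.255.0   (zero host octet only)
        "standard": [r for r in routes if standard_acl(r, "0.0.0.0", "255.255.255.0")],
        # access-list 100 permit ip 0.0.0.0 255.255.255.255 255.255.255.0 0.0.0.0
        "extended": [r for r in routes if extended_acl(
            r, "0.0.0.0", "255.255.255.255", "255.255.255.0", "0.0.0.0")],
        # ip prefix-list ONLY24 permit 0.0.0.0/0 ge 24 le 24
        "prefix": [r for r in routes if prefix_list(r, "0.0.0.0/0", ge=24, le=24)],
    }

if __name__ == "__main__":
    for style, permitted in compare().items():
        print(f"{style:9}{permitted}")
```

The standard ACL also lets through 10.1.1.0/32 and 10.2.0.0/16 because it never sees the mask, which is the "zero host field" approximation from the last comment; the extended ACL and the prefix list both permit only 10.1.1.0/24.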

Licensed under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM
