Your browser failed to load CSS style sheets. Your browser or web proxy might not support elliptic-curve TLS

Building network automation solutions

6 week online course

reserve a seat
back to overview

The Difference between Access Lists and Prefix Lists

A while ago someone asked what the difference between access and prefix lists is on the Network Engineering Stack Exchange web site (a fantastic resource brought to life primarily by sheer persistence of Jeremy Stretch, who had to fight troves of naysayers with somewhat limited insight claiming everything one would want to discuss about networking falls under server administration web site).

The question triggered a lengthy wandering down the memory lane … and here's the history of how the two came into being (and why they are the way they are).

In the very early days of the Internet, engineers realized it might be a good idea to limit access to valuable resources and started asking for packet filters. Cisco responded by implementing simple ("standard") access lists first (filtering on source host addresses, augmented by wildcard masks), but of course they weren't good enough to block (for example) SMTP, so they added extended access lists in IOS release 8.3. These access lists can match on source and destination IP addresses (with wildcards bits on both - these bits allow you to match whole prefixes), protocols, port numbers ...

So far: access list = packet filter.

Later (but still decades ago) people started running multiple routing protocols on the same box and wanted to redistribute information between them. Not a problem, but you wouldn't want all the information you got from your neighbors propagated into the other routing protocol - you need route filters. As is usually the case, everything looks like a nail if you happen to have a hammer, and thus Cisco's engineers implemented route filters with the object they already had - access lists that you could use as distribute lists.

At this point: access list = packet filter (and sometimes route filter)

With the advent of classless routing (yeah, it's that long ago – does anyone still remember the days of Class A, Class B and Class C addresses?), people wanted to redistribute prefixes of certain size between routing protocols. For example: advertise all /24s from OSPF into BGP, but not the /32s. Impossible to do with access lists.

Time for a new kludge: let's use extended access list and let's pretend the source IP address in the extended access list represents network address (actually prefix address) and the destination IP address in the same line of the extended access list represents subnet mask (other parameters like protocol and port numbers are ignored).

At that point: access lists = packet filters and route filters. Simple access lists also serve as route filters matching on network addresses, and extended access lists serve as route filters matching addresses and subnet masks.

Fortunately someone regained a shred of reason at that time and started wondering what exactly the brilliant minds deciding it makes sense reusing extended ACLs for route filters were smoking when they got that idea.

End result: Cisco IOS got prefix lists, which are (almost) identical in functionality to extended access lists acting as route filters, but displayed in a format that a regular human being has a chance of understanding.

Today: use access lists for packet filters and prefix lists for route filters. You can probably still use access lists as route filters (because there still might be a router or two out there using them, even though prefix lists were introduced more than a decade ago) but don't do it.

6 comments:

  1. I like your history leasons :)

    I´am way to young for that stuff...

    ReplyDelete
  2. Thanks for the great article. I had started using prefix-list whenever I could, but I love reading about the history

    ReplyDelete
  3. Actually I'm old enough to know that with extended ACLs you can do some funky stuff which you can't easily do with prefix-lists, I.e. you can pick all odd combinations of prefixes which are not bound by prefix-lenght (you can also do this with prefix-list by cherry picking but you don't have an automated - bit wise - way to pick every forth prefix within a /24. But I don't miss any of these ;)

    ReplyDelete
    Replies
    1. Forgot to sign:
      Rodrigo

      Delete
  4. superb blog to learn different things apart from regular knowledge....thnx Ivan

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Sidebar