The power of prefix lists

Prefix lists are used in route maps and route filtering operations and can be used as an alternative to access lists in many route filtering commands.

The most notable and important difference is that a prefix list allows you to filter networks based on their subnet mask. ACLs used in a distribute list filter networks only by network address and do not match on the subnet mask; in other words, for an ACL used in a distribute list, the networks 192.168.100.0/24 and 192.168.100.0/28 are indistinguishable. Moreover, the prefix list also allows you to specify networks in a much more natural format than ACLs.

Prefix list syntax is:

ip prefix-list list-name deny | permit network/len [ge ge-value] [le le-value]

For instance, to block the 200.200.200.0/24 network, the command would be:

ip prefix-list Ciscozine-PL deny 200.200.200.0/24

The power of the prefix list comes from the “ge” and/or “le” keywords.

Example #1: Permit all prefixes

ip prefix-list Ciscozine-PL permit 0.0.0.0/0 le 32

This checks the first 0 bits of the prefix 0.0.0.0, and the subnet mask must be less than or equal to 32: it permits every network.

Example #2: Block the prefix 10.0.0.0/24

ip prefix-list Ciscozine-PL deny 10.0.0.0/24

Due to the implicit deny at the end of every prefix list, a second line is required to permit the other networks:

ip prefix-list Ciscozine-PL permit 0.0.0.0/0 le 32

Note: the first line can also be written as:

ip prefix-list Ciscozine-PL deny 10.0.0.0/24 ge 24 le 24

Example #3: Permit only the default route

ip prefix-list Ciscozine-PL permit 0.0.0.0/0

This matches only the network 0.0.0.0 with prefix length 0.

Example #4: Permit all prefixes in 10.0.0.0/16 with a subnet mask less than or equal to /30

ip prefix-list Ciscozine-PL permit 10.0.0.0/16 le 30

This checks the first 16 bits of the prefix 10.0.0.0; the subnet mask must be less than or equal to 30.

So, if you have these networks:

10.0.0.0/24
10.10.10.0/24
10.0.10.128/30
10.0.0.10/32

Only the first and the third are matched. The second is not, because it has a different prefix, and the fourth is not, because its subnet mask is longer than /30.

Example #5: Permit all prefixes in 192.168.0.0/24 with a subnet mask between 26 and 30 bits

ip prefix-list Ciscozine-PL permit 192.168.0.0/24 ge 26 le 30

So, if you have these networks:

192.168.123.0/24
192.168.0.0/30
192.168.0.0/16
192.168.0.0/8

Only the second network matches; the third and fourth do not because their subnet masks are shorter than /26, and the first does not because it is a different network.

Example #6: Deny all loopback networks (/32)

ip prefix-list Ciscozine-PL deny 0.0.0.0/0 ge 32 le 32

ip prefix-list Ciscozine-PL permit 0.0.0.0/0 le 32

The first line blocks every network with a /32 subnet mask, while the last line permits everything else.

Remember:

  • le – less than or equal to
  • ge – greater than or equal to


When using the “ge” (greater than or equal to) and “le”(less than or equal to) values, you must satisfy the condition: Len < ge <= le.
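To make the matching rules above concrete, here is an added example (not from the article) that evaluates IOS-style prefix-list entries in Python: the first LEN bits of the candidate must agree with the entry's network, the candidate's prefix length must fall in the ge..le range (defaults: exact length only; ge alone means up to /32), entries are tried top-down, and an unmatched prefix hits the implicit deny. The list name Ciscozine-PL and the sample prefixes are taken from the examples above.

```python
import ipaddress

# Added example (not from the article): a minimal evaluator for the IOS-style
# prefix-list semantics described above. Entries are checked top-down, the
# first matching entry decides, and a prefix matching no entry is denied.

def parse_entry(line):
    """Parse 'ip prefix-list NAME permit|deny NET/LEN [ge X] [le Y]'."""
    tok = line.split()
    if len(tok) < 5 or tok[:2] != ["ip", "prefix-list"] or tok[3] not in ("permit", "deny"):
        raise ValueError("not a prefix-list entry: " + line)
    net = ipaddress.ip_network(tok[4], strict=False)
    opts = dict(zip(tok[5::2], map(int, tok[6::2])))   # e.g. {'ge': 26, 'le': 30}
    length = net.prefixlen
    ge = opts.get("ge", length)                         # no ge: start at LEN
    le = opts.get("le", net.max_prefixlen if "ge" in opts else length)
    # The article states the IOS rule as Len < ge <= le; here we only insist
    # that the range is ordered and fits the address family.
    if not length <= ge <= le <= net.max_prefixlen:
        raise ValueError("invalid ge/le range: " + line)
    return tok[2], tok[3], net, ge, le                  # (name, action, net, ge, le)

def entry_matches(entry, prefix):
    """True when the first LEN bits agree and ge <= prefix length <= le."""
    _, _, net, ge, le = entry
    return prefix.subnet_of(net) and ge <= prefix.prefixlen <= le

def evaluate(config_lines, prefix):
    """Return 'permit' or 'deny' for one prefix, with implicit deny at the end."""
    prefix = ipaddress.ip_network(prefix, strict=False)
    for entry in map(parse_entry, config_lines):
        if entry_matches(entry, prefix):
            return entry[1]
    return "deny"

if __name__ == "__main__":
    # Example #5 from the article, checked against its four sample networks.
    pl = ["ip prefix-list Ciscozine-PL permit 192.168.0.0/24 ge 26 le 30"]
    for p in ["192.168.123.0/24", "192.168.0.0/30", "192.168.0.0/16", "192.168.0.0/8"]:
        print(p, evaluate(pl, p))
```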

6 COMMENTS

  1. If I have subnets

    192.168.10.0/24
    192.168.11.0/25
    192.168.15.0/27
    192.168.20.0/24

    So if I write the prefix list 192.168.0.0/16 le 28 then which subnets will be matched by the router here?
