Dec 26

Prefix-lists are used to match on prefix and prefix-length pairs. Normal prefix-list syntax is as follows:

ip prefix-list LIST permit w.x.y.z/len

where w.x.y.z is your exact prefix and len is your exact prefix-length.

“ip prefix-list LIST permit 1.2.3.0/24” would be an exact match for the prefix 1.2.3.0 with a subnet mask of 255.255.255.0. This does not match 1.2.0.0/24, nor does it match 1.2.3.4/32, nor anything in between.

When you add the keywords “GE” and “LE” to the prefix-list, the “len” value changes its meaning. When using GE and LE, the len value specifies how many bits of the prefix you are checking, starting with the most significant bit.

ip prefix-list LIST permit 1.2.3.0/24 le 32

This means:
Check the first 24 bits of the prefix 1.2.3.0
The subnet mask must be less than or equal to 32

This equates to the access-list syntax:

access-list 1 permit 1.2.3.0 0.0.0.255

ip prefix-list LIST permit 0.0.0.0/0 le 32

This means:
Check the first 0 bits of the prefix 0.0.0.0
The subnet mask must be less than or equal to 32
This equates to anything

ip prefix-list LIST permit 0.0.0.0/0

This means:
The exact prefix 0.0.0.0, with the exact prefix-length 0.
This is matching a default route.

ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29

This means:
Check the first 8 bits of the prefix 10.0.0.0
The subnet mask must be greater than or equal to 21, and less than or equal to 29.

ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8

This matches all class A addresses with classful masks. It means:
Check the first bit of the prefix; it must be a 0.
The subnet mask must be greater than or equal to 8, and less than or equal to 8 (it is exactly 8).

When using the GE and LE values, you must satisfy the condition:

Len < GE <= LE

Therefore “ip prefix-list LIST permit 1.2.3.0/24 ge 8” is not a valid list.

What you cannot do with a prefix-list is match on arbitrary bits like you can in an access-list. Prefix-lists cannot be used to check whether a number is even or odd, nor whether a number is divisible by 15, etc. Bit checking in a prefix-list is sequential, starting with the most significant (leftmost) bit.
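The matching rule above, written out as a small evaluator so the examples in this post can be checked against real routes. This is an added example, not code from the post or from Cisco; the function names are mine, it handles IPv4 only, it enforces the len &lt; ge &lt;= le rule the way IOS does, and it applies the implicit deny that ends every IOS prefix-list.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/len [ge G] [le L]'."""
    tokens = line.split()
    if tokens[3] == "seq":                  # optional sequence number
        del tokens[3:5]
    name, action = tokens[2], tokens[3]
    net = ipaddress.ip_network(tokens[4], strict=False)
    plen = net.prefixlen
    ge = le = None
    for key, val in zip(tokens[5::2], tokens[6::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    if ge is None and le is None:
        lo = hi = plen                       # no ge/le: exact prefix and exact length
    else:
        lo = ge if ge is not None else plen  # 'le 32' alone means len..32
        hi = le if le is not None else 32    # 'ge 21' alone means 21..32
        # IOS rejects the entry unless len < ge <= le (len < le when only le is given)
        valid = (plen < lo <= hi) if ge is not None else (plen < hi)
        if not valid:
            raise ValueError(f"invalid range, need len < ge <= le: {line}")
    return {"name": name, "action": action, "net": net, "lo": lo, "hi": hi}

def entry_matches(entry, route):
    """The route's first `len` bits must equal the entry's prefix, and the
    route's mask length must fall within [lo, hi]."""
    r = ipaddress.ip_network(route, strict=False)
    if not entry["lo"] <= r.prefixlen <= entry["hi"]:
        return False
    return r.network_address in entry["net"]  # first `len` bits identical

def evaluate(lines, route):
    """Sequential, first-match evaluation; an unmatched route hits the implicit deny."""
    for entry in map(parse_entry, lines):
        if entry_matches(entry, route):
            return entry["action"]
    return "deny"

if __name__ == "__main__":
    # Constructed sample: the lists from the post, checked against a few routes.
    exact = ["ip prefix-list LIST permit 1.2.3.0/24"]
    for route in ("1.2.3.0/24", "1.2.0.0/24", "1.2.3.4/32"):
        print(route, "->", evaluate(exact, route))
    print("10.1.0.0/24 ->", evaluate(["ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29"], "10.1.0.0/24"))
```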

About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.


46 Responses to “How do prefix-lists work?”

  1. Tim says:

    I don’t understand why you say

    “This does not match 1.2.0.0/24″

    Yes it will, won’t it?

  2. No, it has to match all 32 bits of the address and the subnet mask must be 24. It is exactly the route 1.2.3.0/24. The route 1.2.0.0/24 is a different network.


  4. Nadeem Rafi says:

    Quite good and helpful information.

  5. Peter says:

    Very good article…
    I have been going through some sample configuration (given below) where a prefix-list has been used to prevent the default route going out of the interface. My question is, do we really need both these prefix-list statements? Can’t we omit the second line in the prefix-list to achieve this purpose?

    ip prefix-list NODEF_OUT seq 5 deny 0.0.0.0/0
    ip prefix-list NODEF_OUT seq 10 permit 0.0.0.0/0 le 32

    router eigrp 10
    network 1.2.3.0 0.0.0.255
    distribute-list prefix NODEF_OUT out Tunnel0

  6. Ciprian says:

    Thank you Brian ! Great explanations !

  7. rshah.ec says:

    What does following prefix list mean?

    ip prefix-list LIST permit 0.0.0.0/32

  8. Happy says:

    What should be the prefix list to permit prefix 172.16.1.32 255.255.255.240 ?

  9. Sumit says:

    Most concise and informative article ever on prefix-list.
    Thanks a lot.

  10. Mark says:

    So if I used to do a reverse mask like:
    permit ip 192.168.87.0 0.0.0.3 any

    It would now be:
    permit 192.168.87.0/30 le 32 ?

    thanks,

    Mark

  11. zak dandashi says:

    Would any Host within the 1.2.3.0/24 subnet with a prefix-list 1.2.3.0/24 match the prefix-list?

  12. Bikas Pandey says:

    Thanks for your great explanation. It solved my problem.

  13. Juan Arce says:

    hey guy, when you say 0.0.0.0/1 means 0.0.0.0 with netmask 128.0.0.0 — Why did you say that it represents the Class A range?

    Thanks for your future explanation.

    • Kleine says:

      Juan,

      I think you’re right, the correct will be:

      ip prefix-list CLASS_A permit 0.0.0.0/1 ge 2 le 8

      instead of:

      ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8

      to match the entire class A.

      Please, let me know if it’s wrong.

      Thanks.

  14. Juan Arce says:

    ok ok, I’ve got it. Don’t worry, just take it easy!

  15. Frank says:

    Actually:

    ip prefix-list LIST permit 1.2.3.0/24 le 32

    equates to:

    access-list 100 permit 1.2.3.0 0.0.0.255 255.255.255.0 0.0.0.255

    A std-access-list cannot match on netmasks

  16. Leo says:

    CCNP guide v 3.2, 3-54

    Requirement: The ISP will not accept routes with subnet masks longer than /24; subnet masks from class B address space will be no longer than /20.

    Allegedly the solution is…

    ip prefix-list Peer seq 5 permit 128.0.0.0/2 le 20
    ip prefix-list Peer seq 10 permit 0.0.0.0/0 le 24

    I tried it with 128.0.0.0/21 and it works, the route is permitted and in the BGP table. I believe the second statement should permit it, and I think their solution is wrong.
    Can you guys please confirm this?

    Thanks for help guys

    Leo

  17. Mark says:

    I found this in a prefix list… my question is, due to seq 20, would seq 25-70 be redundant?

    seq 20 permit 30.0.0.0/8 le 32
    seq 25 permit 30.9.20.0/24
    seq 30 permit 30.196.52.0/24
    seq 35 permit 30.202.50.0/24
    seq 40 permit 30.194.22.0/24
    seq 45 permit 30.205.176.0/24
    seq 50 permit 30.205.171.0/24
    seq 55 permit 30.205.242.0/24
    seq 60 permit 30.205.136.0/24
    seq 65 permit 30.2.252.0/23
    seq 70 permit 30.217.24.0/23

    Per seq 20, match the first 8 bits… yes, they all do. Subnet mask has to be less than or equal to 32, so… anything in the 30-dot network is covered, right?

  18. Dragos says:

    What’s happening when I have the following:

    ip prefix-list LIST permit 167.16.4.1/32?

    Will all traffic be denied, or will only the traffic from host 167.16.4.1 be permitted?

    • It depends on how you are applying it. Remember prefix-lists are used for route filtering or matching, not for filtering traffic like an access-list. In your case the prefix-list will match only the host route 167.16.4.1/32.


  20. Basile says:

    Hello,

    What’s happening when I have:

    seq 10 deny 192.168.0.0/15 ge 16
    seq 15 deny 172.0.0.0/11 ge 12
    seq 20 deny 10.0.0.0/7 ge 8
    seq 25 deny 126.0.0.0/7 ge 8
    seq 35 permit 0.0.0.0/0 ge 1

    It’ll accept just: 192.168.0.0/15, 172.0.0.0/11, 10.0.0.0/7, 126.0.0.0/7?

    Thank you for your help.

  21. Basile says:

    Hello,

    In fact, I have this configuration in a Cisco Router but I can’t understand it as well. For my example, what is accepted?

    seq 10 deny 192.168.0.0/15 ge 16
    seq 15 deny 172.0.0.0/11 ge 12
    seq 20 deny 10.0.0.0/7 ge 8
    seq 25 deny 126.0.0.0/7 ge 8
    seq 35 permit 0.0.0.0/0 ge 1

    Thank you again,

  22. Priya says:

    Hi All,

    While filtering out the prefixes

    router ospf 1
    area 1 filter-list prefix 10 in

    ip prefix-list 10 seq 20 permit 0.0.0.0/0 le 32

    what difference does it make if I apply

    ip prefix-list 10 seq 20 permit 0.0.0.0/0 le 8 instead of 32 ?

    Could you please explain…Thanks in advance.

  23. Manuel says:

    If I want to allow any subnet inside 150.0.0.0/8
    Is it enough to use 150.0.0.0/8 or should it be 150.0.0.0/8 le 8?
    Thanks

  24. mohammed says:

    Hi Brian,
    if you want to prevent telnetting between two different routing domains with traffic coming from 10.0.0.0/8 ge 16 le 24

    how can we do that ?

  25. Pradeep says:

    Awesome. Now I can imagine prefixes bitwise and can apply it easily on my project defense project

  26. Kumar Rishikesh says:

    Can we deny Class A and Class B in a single “ip prefix-list” statement?

    This is my assignment question. Kindly help.

  27. Chris says:

    This is excellent thank you!!!!!!

  28. Jon Isunza says:

    Thank you! Your explanation made sense to me.

  29. Ditmar says:

    I am wondering how can we match the default-route.
    I want to receive all the routes from the neighbor except the default-route

    I tried
    IP prefix-list NAME 0.0.0.0/0

    but this didn’t work.
