How to configure Prefix-List on Cisco Router


(syed h) #37

Hi Rene,

First of all thanks for making all topics easy with nice explanation.

I have some doubt on this prefix-list even after going through all Topic and QnA.

First,
How does a prefix-list differentiate between network and host? Does it differentiate like an ACL, or deal with these two in a different, more suitable manner?
Like in an ACL, if I am writing permit 10.0.0.0/8 it includes 10.0.0.0 to 10.255.255.255. Is it the same in a prefix-list?

Second,
As prefix-list says it is exact match.
ip prefix-list test1 permit 10.0.0.0/8
Will it allow only a single IP 10.0.0.0 like the ACL HOST 10.0.0.0 command does, or will it allow 10.0.0.0 to 10.255.255.255 like ACL 10.0.0.0/8 does?

Third,
ip prefix-list test2 permit 10.0.0.0/16 ge 24
In the first condition it matches the 1st and 2nd octet; in the second condition it matches /24, /25, /26, /27, /28, /29, /30, /31, /32, ignoring any value (0-255) in the fourth octet. How does it treat the value of the 3rd octet? Does it deny any value between 1-255?

Fourth,
ip prefix-list test3 permit 0.0.0.0/0 le 32 - It says permit any route
ip prefix-list test4 permit 0.0.0.0/0 - It says permit default route
Default route itself says permit any route, so why is it different here in the command?

Fifth,
If I want to permit the 192.0.0.0 IP only, will I write 192.0.0.0/2 or 192.0.0.0/8? What is the difference between the two?
ip prefix-list test5 permit 192.0.0.0/2 ge 23 le 24
ip prefix-list test5 permit 192.0.0.0/8 ge 23 le 24
Will these two prefix-lists give the same output? If not, then what are the IPs covered separately by these two?

Thanks in advance…


(Andrew P) #38

Syed,

  1. Prefix lists are a bit more specialized than ACLs. With the exception of /32, prefix lists aren’t really concerned about network versus host. Instead it is concerned about routes (subnets). In the example of prefix-list PREFIX permit 10.0.0.0/8, this would match the route 10.0.0.0 255.0.0.0 exactly. 10.0.1.0 255.255.255.0 would NOT be matched for example.

The power of prefix lists comes in when you start adding the GE or LE options. At that point you can match a range of different subnet masks. So, for example, 10.0.0.0/8 le 10 would match 10.0.0.0 255.0.0.0, 10.0.0.0 255.128.0.0, and 10.0.0.0 255.192.0.0

  2. As mentioned in #1, a prefix-list of 10.0.0.0/8 matches the route 10.0.0.0 255.0.0.0 exactly. It is not a single IP, but a single route. If you wanted to match the 10.0.0.0 IP exactly, it would be 10.0.0.0/32 (which would probably be rejected because of the last zero).

  3. 10.0.0.0/16 ge 24, has two conditions for a match: A) the route must be within the 10.0.0.0 255.255.0.0 boundary and B) the route must have a mask length of between 24 and 32. Let’s do some examples (I chose 88 for the third octet at random):

10.0.88.0/28 = Matched - both conditions satisfied
10.1.88.0/28 = Not Match - Condition A NOT satisfied
10.0.88.0/22 = Not Match - Condition B NOT satisfied

So to answer your question, the prefix list doesn’t care about the 3rd octet value so long as conditions A and B are met.

  4. A default route is not the same thing as any route. A default route is a route of last resort if there isn’t any more specific route. In the case of prefix-lists, permit 0.0.0.0/0 means something very specific, namely 0.0.0.0 0.0.0.0 exactly.

  5. You will need to clarify what you mean by “192.0.0.0 IP only.” Are you talking about 192.0.0.0 255.255.255.255? If so, this would be 192.0.0.0/32
    If you wrote 192.0.0.0/2, then only the specific route of 192.0.0.0 mask 192.0.0.0 would be permitted. Likewise, for 192.0.0.0/8 would allow only the exact route of 192.0.0.0 255.0.0.0

For your last two questions, read my answer for #3 above, and I think you will have enough information to figure those out. Give it a try and reply with your answers.


(Networklessons Admin) split this topic #39

19 posts were merged into an existing topic: How to configure Prefix-List on Cisco Router


(Stuart G) #40

Hi Rene,

I notice something odd on the router output:

     172.16.0.0/24 is subnetted, 4 subnets
D       172.16.0.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
D       172.16.1.0 [90/156160] via 192.168.12.2, 00:00:35, FastEthernet0/0
D       172.16.2.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
D       172.16.3.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0

Why does it say 172.16.0.0/24 is subnetted as opposed to 172.16.0.0/16 is subnetted?

Stuart


(khalid a) #41

Hello Rene,

for the command:

Nancy(config)#ip prefix-list DEFAULTROUTE permit 0.0.0.0/0

When you say it’s only permitting the default route, does this command mean all traffic to any destination will be permitted?

Thank you


(Rene Molenaar) #42

@Stuart it will show up like this if all subnets in the 172.16.0.0 range have a /24 subnet mask. If all of them have a /25, it will show up as 172.16.0.0/25. If you have three with a /24 mask and one with a /25 mask…it will show up as 172.16.0.0/16 (classful).

@Khalid This 0.0.0.0/0 entry in the prefix-list really only matches the default route.


(Michael D) #44

Ok, Hi everyone just joined the site.

I want to make sure that my brain understands this. It’s like you slice and dice and hopefully everything comes out right. So say I have this already as my prefix list:

10.0.12.0/24 le 32

Now say I want to include another network. So I want the following two networks in one prefix-list.

10.0.12.0/24 and 10.0.13.0/24, I want these covered by one prefix list.

So I figure that this will fit within the scope of these two networks.

2 will be size of subnets:

0, 2, 4, 6, 8, 10
12 and 13 — this fits just right.
14, 16, 18 etc…

So I delete the old prefix and add this:
10.0.12.0/23 le 32

I’m not worried about the “le 32” as that basically means I’m accepting all addresses in the 10.0.12.x and 10.0.13.0 scope.
So do I understand this correctly?

Thank you!


(Rene Molenaar) #45

Hi Michael,

Seems you got it right yes:

10.0.12.0/24 le 32

This will match all 10.0.12.X networks that have a subnet mask of /32 or larger (like /31, /30, /29, etc.).

With this one:

10.0.12.0/23 le 32

You have everything that falls within 10.0.12.0/23 range and with a subnet mask larger than /32 (/31, /30, /29, etc.).

Rene


(Michael D) #46

Thanks Rene!

I appreciate that you take the time out of your busy schedule to answer! So many sites do not.

Mike


(Barry C) #47

Hi Rene,

Thanks for this great tutorial. So if I put seq 10 permit 0.0.0.0/0 before any other prefix lines, like

seq 10 permit 0.0.0.0/0
seq 20 permit 10.10.10.0/24
seq 30 permit 20.20.20.0/24

seq 20 and 30 won’t matter because the seq 10 already covered everything? Thanks!
BC


(Lazaros Agapides) #48

Hello Barry.

Yes you are correct.

Laz


(Brian C) #49

I was so confused by this at first. I know it’s simple but it’s also a brain teaser for some reason.
First I pulled up my Boson subnet tool; it’s a free tool, by the way, on the Boson.com website (just need to create an account). At first I was thinking that first two bits mean the first two spots _ _ thinking it could be anything from 0 to 192 that it did not matter if it was a zero or a one. However, after putting it into the subnet calculator, it helped me to see.

The next really helpful thing for me was when I went ahead and enabled the command with distribute-list prefix CLASSB in; all of a sudden all my 10.x.x.x networks disappeared, which shot my first theory to crap along with supporting the Boson subnet calculator.

So seeing it in play in a lab really made sense. I think the confusion goes back to the rule on how the classes are set up. When we were learning subnetting classes, you read it and say oh ok, but as time goes on you just get used to seeing the numbers themselves and that they are a certain class.

I am betting everyone that had a problem with this does not use the Class A, B, C rule anymore but instead over time has subconsciously just memorized that 1-127 is A, 128-191 is B, 192-223 is C and does not really think of the rule about class A the first bit always being 0, and class B the first two bits being set to 10, and class C having its first three bits set to 110… (hoping me explaining this in writing will actually help me remember it! lol)

So it’s like trying to do a math problem and finally that silly rule in math never used much is key to how the expression functions.

Anyway, below is some more information reinforcing Rene’s info.

I posted the rule below in greater detail that Rene implicitly mentioned briefly in his post. I am one of those types that can sometimes be slow seeing something the way it should be seen until I experience it for myself.
https://www.tutorialspoint.com/ipv4/ipv4_address_classes.htm


(yasser t) #50

Hello rene

There is a problem with the second video! Can you update it?

thankx


(Rene Molenaar) #51

Hi Yasser,

Did it not play for you? I just re-added it. Does it work now?

Rene


(Alex D) #52

Rene,

I currently have set up R2 connected to R4.
R4 is advertising in EIGRP:
192.168.0.1/24
192.168.1.1/30 (255.255.255.252)
192.168.2.1/29 (255.255.255.248)
192.168.3.1/28 (255.255.255.240)

I’m simply just practicing with prefix-list and wanted to filter out the /30 /29 /28 routes, and only advertise the /24

On R4 I have done:

R4(config)# ip prefix-list test deny 192.168.0.0/16 ge 28 le 30
R4(config)# ip prefix-list test permit 0.0.0.0/0 le 32

R4(config-router)# distribute-list test out serial0/0/0

However, R2 is still showing all of the above mentioned routes in its routing table. I also tried filtering the same routes IN on R2 but to no effect. Where am I going wrong?

Thank you so much!


(Alex D) #53

I have been going crazy trying to figure this out the past 24 hours. Finally figured out that I was leaving out the keyword ‘prefix’ in my “distribute-list” command syntax. Basically the distribute-list was looking for an ACL (that never existed) because I didn’t specify ‘prefix’ in the command. A little more tricky since leaving out ‘prefix’ is an acceptable command. It’s working as it should now :grinning:
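
The matching rules from #38 (the route must fall inside the entry's network, and its mask length must sit inside the ge/le window, or equal the entry's length when neither keyword is given), applied to the entries quoted in #38 and to the list from #52. This is an added example, not code from any poster or from Cisco; it models the matching logic only, the function names are hypothetical, and it assumes the usual defaults that `ge` alone runs up to /32 and `le` alone starts at the entry's own length.

```python
import ipaddress

def parse_entry(line):
    """'permit|deny A.B.C.D/len [ge N] [le N]' -> (action, network, min_len, max_len)."""
    tok = line.split()
    net = ipaddress.ip_network(tok[1], strict=False)
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    if opts:
        # Assumed defaults: ge alone runs up to /32; le alone starts at the entry's length.
        lo, hi = opts.get("ge", net.prefixlen), opts.get("le", 32)
    else:
        # Neither keyword: the mask length must equal the entry's length exactly.
        lo = hi = net.prefixlen
    return tok[0], net, lo, hi

def evaluate(prefix_list, route):
    """Return the action of the first matching entry; no match is the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for line in prefix_list:
        action, net, lo, hi = parse_entry(line)
        # Condition A: the route lies inside the entry's network.
        # Condition B: the route's mask length is inside the ge/le window.
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"

def permitted(prefix_list, routes):
    """Routes that survive the filter, normalised to network/length form."""
    return [str(ipaddress.ip_network(x, strict=False))
            for x in routes if evaluate(prefix_list, x) == "permit"]

# Entries and addresses quoted in the thread (#52); the helpers above are hypothetical.
ALEX_LIST = ["deny 192.168.0.0/16 ge 28 le 30", "permit 0.0.0.0/0 le 32"]
R4_ROUTES = ["192.168.0.1/24", "192.168.1.1/30", "192.168.2.1/29", "192.168.3.1/28"]

if __name__ == "__main__":
    # The three routes worked through in #38 against 10.0.0.0/16 ge 24.
    for route in ("10.0.88.0/28", "10.1.88.0/28", "10.0.88.0/22"):
        print(route, evaluate(["permit 10.0.0.0/16 ge 24"], route))
    # 0.0.0.0/0 without le 32 matches the default route only.
    print("default only:", evaluate(["permit 0.0.0.0/0"], "10.10.10.0/24"))
    print("R4 advertises:", permitted(ALEX_LIST, R4_ROUTES))
```

Only the /24 survives the list from #52, which is the result expected once the distribute-list actually references the prefix-list.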


(Kevin W) #54

I do things like this all the time XD


(Lazaros Agapides) #55

Hello Alex!

Great to hear that you solved the issue on your own. Thanks very much for sharing your solution with us, it means so much for the community to have active and responsive participants. It helps us all when we share our experiences in this way.

Laz


(Trust_the P) #56

Thanks for sharing! I couldn’t figure it out at first as well, but why did you use “192.168.0.0/16”? I thought this is a class C /24 or higher?