How to configure Prefix-List on Cisco Router

Ok, Hi everyone just joined the site.

I want to make sure that my brain understands this. It’s like you slice and dice and hopefully everything comes out right. So say I have this already as my prefix list:

10.0.12.0/24 le 32

Now say I want to include another network. So I want the following two networks in one prefix-list.

10.0.12.0/24 and 10.0.13.0/24, I want these covered by one prefix list.

So I figure that this will fit within the scope of these two networks.

2 will be size of subnets:

0, 2, 4, 6, 8, 10
12 and 13 — this fits just right.
14, 16, 18 etc…

So I delete the old prefix and add this:
10.0.12.0/23 le 32

I’m not worried about the “le 32” as that basically means I’m accepting all addresses in the 10.0.12.x and 10.0.13.0 scope.
So do I understand this correctly?

Thank you!

1 Like

Hi Michael,

Seems you got it right yes:

10.0.12.0/24 le 32

This will match all 1.0.12.X networks that have a subnet mask of /32 or larger (like /31, /30, /29, etc.).

With this one:

10.0.12.0/23 le 32

You have everything that falls within 10.0.12.0/23 range and with a subnet mask larger than /32 (/31, /30, /29, etc.).

Rene

Thanks Rene!

I appreciate that you take the time out of your busy schedule to answer! So many sites do not.

Mike

Hi Rene,

Thanks for this great tutorial. So if I put seq 10 permit 0.0.0.0/0 before any other prefix lines, like

seq 10 permit 0.0.0.0/0
seq 20 permit 10.10.10.0/24
seq 30 permit 20.20.20.0/24

seq 20 and 30 won’t matter because the seq 10 already covered everything? Thanks!
BC

Hello Barry.

Yes you are correct.

Laz

I was so confused by this at first. I know its simple but its also a brain teaser for some reason.
first I pulled up my boson subnet tool its free tool by the way on the Boson.com (just need to create an account) website. At first I was thinking that first two bits mean the first two spots _ _ thinking it could be anything from 0 to 192 that it did not matter if it was a zero or a one. However after putting into the subnet calculator it helped me to see.

The next really helpful thing for me was when I went ahead and enabled the command with distribute-list prefix CLASSB in all of a sudden all my 10.x.x.x networks disappeared which shot my first theory to crap along with supporting the boson subnet calculator.

So seeing it in play in a lab really made sense. I think the confusion goes back to the rule on how the classes are setup. When we was learning sub-netting classes that you read and say oh ok but as time goes on you just get use to seeing the numbers themselves and that they are a certain class.

I am betting everyone that had a problem with this does not use the Class A, B, C rule anymore but instead over time have subconsciously just memorized the 1-127 is A, 128-191 is B, 192-223 is C and does not really think of the rule about class A the first bit always being 0, and class b the first two bits being set to 10, and class C having its first three bits set to 110… (hoping me explaining this in writing will actually help me remember it! lol)

So its like trying to do a math problem and finally that silly rule in math never used much is key to how the expression functions.

anyway below is some more information reinforcing Rene info.

posted the rule below in greater detail that Rene implicitly mentioned briefly in his post I am one of those type that can sometimes be slow seeing something the way it should be seen until I experience it for myself.
https://www.tutorialspoint.com/ipv4/ipv4_address_classes.htm

5 Likes

Hello rene

there is a problem with the second video ! Can u update it

thankx

Hi Yasser,

Did it not play for you? I just re-added it. Does it work now?

Rene

Rene,

I currently have set up R2 connected to R4.
R4 is advertising in EIGRP:
192.168.0.1/24
192.168.1.1/30 (255.255.255.252)
192.168.2.1/29 (255.255.255.248
192.168.3.1/28 (255.255.255.240)

I’m simply just practicing with prefix-list and wanted to filter out the /30 /29 /28 routes, and only advertise the /24

On R4 I have done:

R4(config#) ip prefix-list test deny 192.168.0.0/16 ge 28 le 30
R4(config#) ip prefix-list test permit 0.0.0.0/0 le 32

R4(config-router#) distribute-list test out serial0/0/0

However, R2 is still showing all of the above mentioned routes in its routing table. I also tried filtering the same routes IN on R2 but to no effect. Where am I going wrong?

Thank you so much!

I have been going crazy trying to figure this out the past 24 hours. Finally figured out that I was leaving out the keyword ‘prefix’ in my “distribute-list” command syntax. Basically the distribute-list was looking for an ACL (that never existed) because I didn’t specify ‘prefix’ in the command. A little more tricky since leaving out ‘prefix’ is an acceptable command. It’s working as it should now :grinning:

5 Likes

I do things like this all the time XD

1 Like

Hello Alex!

Great to hear that you solved the issue on your own. Thanks very much for sharing your solution with us, it means so much for the community to have active and responsive participants. It helps us all when we share our experiences in this way.

Laz

1 Like

Thanks for sharing! I couldn’t figure out at first as well. but why did you use “192.168.0.0/16”? I thought this is a class c /24 or higher?

Hello Rene,

I am new to this Forum, Your lessons are helping me a lot, the way of explanation is very simple.
But I have a doubt:
I didn’t get the point for below 2 statments why we use Le 27 for class A and ge 17 for class B

R1(config)#ip prefix-list CLASSA permit 0.0.0.0/1 le 27
R1(config)#ip prefix-list CLASSB permit 128.0.0.0/2 ge 17

Thanks

Hello Minali

In the first case, the 0.0.0.0/1 subnet is all addresses from 0.0.0.0 to 127.255.255.255. This is the class A range of addresses. The le 27 keywords indicate that each subnet matched by the prefix will have a subnet mask less than or equal to 27. So this prefix list matches things like 10.10.10.32/27, 86.52.14.64/26 and 100.100.128.128/25 and any other class A subnet with a prefix less than or equal to /27.

On the other hand, the second prefix list is 128.0.0.0/2 which contains all addresses from 128.0.0.0 to 191.255.255.255, which are class B addresses. The ge 17 keywords indicate that each subnet matched by the prefix will have a subnet mask greater than or equal to 17. So this prefix list matches things like 132.0.0.0/17, 144.144.128.0/18, and 152.55.55.0/24 and any other class B subnet with a prefix greater than or equal to /17.

I hope this has been helpful!

Laz

2 Likes

Rene,

Why in this example did you add the permit statement, but in the others you didn’t? You said the permit statement was like a permit any any statement in an ACL, so I guess I’m not clear why you didn’t use this permit statement in every example.

R1(config)#ip prefix-list FILTERTHIS seq 5 deny 172.16.1.0/24
R1(config)#ip prefix-list FILTERTHIS seq 10 permit 0.0.0.0/0 le 32

Hello Andy

It really depends on what you want to achieve. In the specific example you are referring to, Rene is filtering out anything that matches the first statement, that is, anything within the 172.16.1.0/24 network. This means he is denying traffic matching this statement. You must remember that like access lists, prefix lists have an implicit deny statement at the end. This means that if the prefix list had only the first statement then, anything matching the 172.16.1.0/24 network would be denied, and then, everything else would be denied as well.

For this reason, the second statement was included, permitting everything. Now this statement is only necessary when you want to deny traffic that matches a very specific criteria, as is the case in this example. If your purpose is to permit traffic for a very specific range of addresses, as Rene did in a later example, then you don’t need the permit statement at the end. Indeed you mustn’t include it, otherwise your prefix list wouldn’t work correctly. For example, take a look at this prefix list:

R1(config)#ip prefix-list RENETEST permit 10.0.0.0/8 le 19

It is used to permit only networks that fall within the 10.0.0.0/8 range and have a subnet mask of /19 or less. Everything else must be denied, and everything else is denied because of the implicit deny everything at the end of a prefix list.

I hope this has been helpful!

Laz

2 Likes

Hi,
Can you explain how the below works

ip prefix-list 0.0.0.0/0  -for default route

ip prefix-list 0.0.0.0/0 le 32 - for all routes

Thanks

Hello Sims

Remember that unlike an access list, a prefix-list will give you a list of prefixes to match A prefix is composed of a network address with a subnet mask.

Let’s look at the second one first:

ip prefix-list 0.0.0.0/0 le 32

This will give you a list of prefixes that are composed of 0.0.0.0 and can have subnet masks ranging from 0 to 32. So:

0.0.0.0/0
0.0.0.0/1
0.0.0.0/2
0.0.0.0/3

0.0.0.0/32

So this essentially states that this prefix list matches all networks (signified by 0.0.0.0) with any subnet mask (signified by le 32).

For the first one, this prefix list will match anything that has a subnet mask of /0. So only the default route will be matched. Any other network/subnet mask combination, such as 192.168.1.0/24 for example, will not be matched.

I hope this has been helpful!

Laz

Hi Rene,

There is an option in IOS where multiple prefix-list can be matched with one statement.

As an example,

match ip address prefix-list satellite_default dmvpn_default

As indicated above satellite_default and dmvpn_default are separate prefix-list

Please explain how this works

Thanks

1 Like