How to configure Prefix-List on Cisco Router

I have been going crazy trying to figure this out the past 24 hours. Finally figured out that I was leaving out the keyword ‘prefix’ in my “distribute-list” command syntax. Basically the distribute-list was looking for an ACL (that never existed) because I didn’t specify ‘prefix’ in the command. A little more tricky since leaving out ‘prefix’ is an acceptable command. It’s working as it should now :grinning:

4 Likes

I do things like this all the time XD

1 Like

Hello Alex!

Great to hear that you solved the issue on your own. Thanks very much for sharing your solution with us, it means so much for the community to have active and responsive participants. It helps us all when we share our experiences in this way.

Laz

Thanks for sharing! I couldn’t figure out at first as well. but why did you use “192.168.0.0/16”? I thought this is a class c /24 or higher?

Hello Rene,

I am new to this Forum, Your lessons are helping me a lot, the way of explanation is very simple.
But I have a doubt:
I didn’t get the point for below 2 statments why we use Le 27 for class A and ge 17 for class B

R1(config)#ip prefix-list CLASSA permit 0.0.0.0/1 le 27
R1(config)#ip prefix-list CLASSB permit 128.0.0.0/2 ge 17

Thanks

Hello Minali

In the first case, the 0.0.0.0/1 subnet is all addresses from 0.0.0.0 to 127.255.255.255. This is the class A range of addresses. The le 27 keywords indicate that each subnet matched by the prefix will have a subnet mask less than or equal to 27. So this prefix list matches things like 10.10.10.32/27, 86.52.14.64/26 and 100.100.128.128/25 and any other class A subnet with a prefix less than or equal to /27.

On the other hand, the second prefix list is 128.0.0.0/2 which contains all addresses from 128.0.0.0 to 191.255.255.255, which are class B addresses. The ge 17 keywords indicate that each subnet matched by the prefix will have a subnet mask greater than or equal to 17. So this prefix list matches things like 132.0.0.0/17, 144.144.128.0/18, and 152.55.55.0/24 and any other class B subnet with a prefix greater than or equal to /17.

I hope this has been helpful!

Laz

2 Likes

Rene,

Why in this example did you add the permit statement, but in the others you didn’t? You said the permit statement was like a permit any any statement in an ACL, so I guess I’m not clear why you didn’t use this permit statement in every example.

R1(config)#ip prefix-list FILTERTHIS seq 5 deny 172.16.1.0/24
R1(config)#ip prefix-list FILTERTHIS seq 10 permit 0.0.0.0/0 le 32

Hello Andy

It really depends on what you want to achieve. In the specific example you are referring to, Rene is filtering out anything that matches the first statement, that is, anything within the 172.16.1.0/24 network. This means he is denying traffic matching this statement. You must remember that like access lists, prefix lists have an implicit deny statement at the end. This means that if the prefix list had only the first statement then, anything matching the 172.16.1.0/24 network would be denied, and then, everything else would be denied as well.

For this reason, the second statement was included, permitting everything. Now this statement is only necessary when you want to deny traffic that matches a very specific criteria, as is the case in this example. If your purpose is to permit traffic for a very specific range of addresses, as Rene did in a later example, then you don’t need the permit statement at the end. Indeed you mustn’t include it, otherwise your prefix list wouldn’t work correctly. For example, take a look at this prefix list:

R1(config)#ip prefix-list RENETEST permit 10.0.0.0/8 le 19

It is used to permit only networks that fall within the 10.0.0.0/8 range and have a subnet mask of /19 or less. Everything else must be denied, and everything else is denied because of the implicit deny everything at the end of a prefix list.

I hope this has been helpful!

Laz

2 Likes

Hi,
Can you explain how the below works

ip prefix-list 0.0.0.0/0  -for default route

ip prefix-list 0.0.0.0/0 le 32 - for all routes

Thanks

Hello Sims

Remember that unlike an access list, a prefix-list will give you a list of prefixes to match A prefix is composed of a network address with a subnet mask.

Let’s look at the second one first:

ip prefix-list 0.0.0.0/0 le 32

This will give you a list of prefixes that are composed of 0.0.0.0 and can have subnet masks ranging from 0 to 32. So:

0.0.0.0/0
0.0.0.0/1
0.0.0.0/2
0.0.0.0/3

0.0.0.0/32

So this essentially states that this prefix list matches all networks (signified by 0.0.0.0) with any subnet mask (signified by le 32).

For the first one, this prefix list will match anything that has a subnet mask of /0. So only the default route will be matched. Any other network/subnet mask combination, such as 192.168.1.0/24 for example, will not be matched.

I hope this has been helpful!

Laz

Hi Rene,

There is an option in IOS where multiple prefix-list can be matched with one statement.

As an example,

match ip address prefix-list satellite_default dmvpn_default

As indicated above satellite_default and dmvpn_default are separate prefix-list

Please explain how this works

Thanks

Hello Talha

When applying a match statement specifically for matching an IP address within a route map, you are able to specify more than one prefix list. Actually, you can specify even more than two. For example:

Router(config-route-map)#$dress prefix-list list1 list2 list3 list4 ?
  WORD  IP prefix-list name
  <cr>

You can see from the above output that after four lists have been entered, there is the option to add an additional one.

The IOS will attempt to match the IP address to the prefix lists in the order they are indicated.
In other words, it will interpret this as a single list that is composed of the concatenated prefix lists, and will go through the statements within those lists in order. Once a match is found, it will not look further.

You are able to do this with access lists as well. See the CLI output below:

Router(config-route-map)#match ip address ACL1 ACL2 ACL3 ACL4 ?
  <1-199>      IP access-list number
  <1300-2699>  IP access-list number (expanded range)
  WORD         IP access-list name
  <cr>

So this is not a characteristic of prefix lists, but of the match statements made within a route-map.

I hope this has been helpful!

Laz

Hello,

is it more appropriate to use the deny in a prefix list or in the route map?

Example:

ip prefix-list TEST seq 10 deny 1.2.3.4/32
ip prefix-list TEST seq 15 permit 0.0.0.0/0 le 32

route-map TEST permit 10 
 match ip address prefix-list TEST

Or:

ip prefix-list TEST seq 10 permit 1.2.3.4/32

route-map TEST deny 10 
 match ip address prefix-list TEST
route-map TEST permit 20 

Thanks a lot.

Regards,

Lukas

Hello Lukas

Both configurations should bring about the same results, and I believe both are acceptable. In my personal opinion, it is preferable to include the detail of what to permit and what to deny in the “lowest level entity” in the configuration. In this case, this would be the prefix list. In other words, since the route-map calls upon the prefix list to define traffic, the route-map is at a higher level of the configuration.

This makes it easier to modify in the future. All of the permit/deny combinations you want are found within the prefix-list, and you only have to edit this list in order to modify the behaviour. Otherwise, you may have to edit both the prefix-list and the route-map.

I hope this has been helpful!

Laz

1 Like

Great answer :slight_smile: Thanks

1 Like

How can i calculate the range in binary ??.

ip prefix-list permit 123.0.0.0/4 le 7
ip prefix-list permit 1.1.0.0/11 ge 15

Hello Narad

Let’s take a look at the first prefix list. The address 123.0.0.0 represented in binary is:

01111011.00000000.00000000.00000000

I included the dots for clarity. Now, the prefix list is essentially saying that this matches prefixes with the following characteristics:

  1. it matches all prefixes within the 123.0.0.0/4 range
  2. it matches all prefixes that have a subnet mask less than 7

Looking at this in binary, it says that:

  1. It will match all prefixes that begin with 0111, that is the first four bits of the prefix. In other words it will match any prefix from 01110000.00000000.00000000.00000000 to 01111111.11111111.11111111.11111111. In decimal that is from 112.0.0.0 to 127.255.255.255.
  2. The prefix must also match any subnet mask less than 7.

You can also approach the second prefix-list in the same manner.

I hope this has been helpful!

Laz

Hi Dear, One question. how and why prefix list is more powerful than access list?

Hello Zahid

An access list can be used to define a specific range of IP addresses. A prefix list can be used to define a specific range of prefixes. Prefix lists include the subnet mask in their matching mechanisms.

For example, let’s say you want to define a list of prefixes that fall within the range of 192.168.0.0/16 but have a subnet mask between /25 and /27. To do this with an access list, it would be quite complicated. With a prefix list, you only need a single line:

ip prefix-list MY_LIST permit 192.168.0.0/16 ge 25 le 27

Remember that access lists will filter specific addresses, prefix lists will filter prefixes (which define a range of addresses since they include subnet masks).

I hope this has been helpful!

Laz

Thanks for the help dear

1 Like