How to configure Prefix-List on Cisco Router

Hi Hussein,

It’s just like an access-list: it allows you to have multiple statements in one prefix-list. Also, when you edit it later you can delete a certain sequence number or insert something in a specific position.

Rene

Thanks Rene,

Now it’s clear.

I have two more questions:
1 - What is the effect of the “ip prefix-list sequence-number” command?
2 - Can we use a prefix-list to check for source and destination IP addresses and also layer 4 information like TCP or UDP port numbers, just like an extended access-list?

Hi Hussein,

You can use it to insert a statement in a specific position of your existing prefix-list.

Prefix-lists can only be used for prefixes, that’s it.

Rene

Thanks Rene,

Can you give me a complete example of inserting a statement in a specific position of an existing prefix-list by using the “ip prefix-list sequence-number” command, because I did not completely understand how to do it?

Hi Hussein,

Here’s an example, first we create some statements in a prefix-list:

R1(config)#ip prefix-list TEST permit 192.168.1.0/24
R1(config)#ip prefix-list TEST permit 192.168.2.0/24
R1(config)#ip prefix-list TEST permit 192.168.3.0/24

Here’s what it looks like now:

R1#show ip prefix-list TEST
ip prefix-list TEST: 3 entries
seq 5 permit 192.168.1.0/24
seq 10 permit 192.168.2.0/24
seq 15 permit 192.168.3.0/24

Let’s get rid of the statement in the middle:

R1(config)#no ip prefix-list TEST seq 10 permit 192.168.2.0/24

Now we only have two statements left:

R1#show ip prefix-list TEST
ip prefix-list TEST: 2 entries
seq 5 permit 192.168.1.0/24
seq 15 permit 192.168.3.0/24

If you want, you can add something in between the two statements, just specify the sequence number where you want it to be:

R1(config)#ip prefix-list TEST seq 10 permit 192.168.4.0/24

R1#show ip prefix-list TEST
ip prefix-list TEST: 3 entries
seq 5 permit 192.168.1.0/24
seq 10 permit 192.168.4.0/24
seq 15 permit 192.168.3.0/24

And there it is…

1 Like

Thanks Rene,

When I configure prefix-list and use it in the distribute-list inside EIGRP configuration I notice that we have three options:

  • gateway Filtering incoming address updates based on gateway
  • in Filter incoming service updates
  • out Filter outgoing service updates
 

The last two are clear, but I did not understand the first one. Can you explain it to me, please?

Hi Hussein,

With the “gateway” option you can filter prefixes from one particular EIGRP neighbor. This could be useful on a multi-access segment. Let’s say you have three EIGRP routers in the 192.168.1.0/24 subnet:

  • R1 uses 192.168.1.1
  • R2 uses 192.168.1.2
  • R3 uses 192.168.1.3
 

Let’s say you want to filter prefixes on R1 but only from a particular EIGRP neighbor. With the gateway option you could filter prefixes from R2 only while still accepting everything from R3.

Rene

Thanks Rene,

At first I thought just like you said, but when I try to apply that in a lab I cannot, because it requires writing another prefix-list name, not the gateway of a neighbor router:

R3(config-router)#distribute-list prefix TEST gateway ?
  WORD  Name of an IP prefix-list

And I noticed that when I write any prefix-list name I am asked to choose between IN or OUT:

R3(config-router)#distribute-list prefix TEST gateway TEST  ?
  in   Filter incoming service updates
  out  Filter outgoing service updates

Can you please explain to me, with an example, how I can filter incoming address updates based on gateway?

Hi Hussein,

Here’s an example:

router eigrp 12
distribute-list prefix MY_PREFIX gateway R2 in

ip prefix-list MY_PREFIX seq 5 permit 2.2.2.0/24
ip prefix-list R2 seq 5 permit 192.168.12.2/32

This will only permit prefix 2.2.2.0/24 from EIGRP neighbor 192.168.12.2; everything else is denied.

Rene

Regarding the prefixes that are covered in 128.0.0.0/3 & 128.0.0.0/5:
Why does it stop at subnet #6 for /3 and #19 for /5?

256 – 224 = 32 subnets
256 – 248 = 8 subnets

So for /3 it looks like this:

Subnet #1: 0.0.0.0/3
Subnet #2: 32.0.0.0/3
Subnet #3: 64.0.0.0/3
Subnet #4: 96.0.0.0/3
Subnet #5: 128.0.0.0/3
Subnet #6: 160.0.0.0/3
And for /5:

Subnet #1: 0.0.0.0/5
Subnet #2: 8.0.0.0/5
Subnet #3: 16.0.0.0/5
Subnet #4: 24.0.0.0/5
Subnet #5: 32.0.0.0/5
Subnet #6: 40.0.0.0/5
Subnet #7: 48.0.0.0/5
Subnet #8: 56.0.0.0/5
Subnet #9: 64.0.0.0/5
Subnet #10: 72.0.0.0/5
Subnet #11: 80.0.0.0/5
Subnet #12: 88.0.0.0/5
Subnet #13: 96.0.0.0/5
Subnet #14: 104.0.0.0/5
Subnet #15: 112.0.0.0/5
Subnet #16: 120.0.0.0/5
Subnet #17: 128.0.0.0/5
Subnet #18: 136.0.0.0/5
Subnet #19: 144.0.0.0/5

Hi Lawrence,

If you use 128.0.0.0/3 in a prefix-list (without GE and LE operators) then it will only match 128.0.0.0/3, that’s it. If we use it as a summary or in combination with GE/LE then it’s different.

128.0.0.0/3 is the same as 128.0.0.0 224.0.0.0

When you use a subnet mask of 224.0.0.0, it means that each “block” has 32 addresses in it. A quick way to find this is to take the number 256 - subnet mask:

256 - 224 = 32

So we got blocks of 32:

Subnet #1: 0.0.0.0/3
Subnet #2: 32.0.0.0/3
Subnet #3: 64.0.0.0/3
Subnet #4: 96.0.0.0/3
Subnet #5: 128.0.0.0/3
Subnet #6: 160.0.0.0/3

We are looking for 128.0.0.0/3; the 6th subnet, 160.0.0.0/3, falls outside our scope. Everything between 128.0.0.0 and 159.255.255.255 falls in the 128.0.0.0/3 range.

128.0.0.0/5 is the same as 128.0.0.0 248.0.0.0:

256 - 248 = 8

So here are the different subnets that we have:

Subnet #1: 0.0.0.0/5
Subnet #2: 8.0.0.0/5
Subnet #3: 16.0.0.0/5
Subnet #4: 24.0.0.0/5
Subnet #5: 32.0.0.0/5
Subnet #6: 40.0.0.0/5
Subnet #7: 48.0.0.0/5
Subnet #8: 56.0.0.0/5
Subnet #9: 64.0.0.0/5
Subnet #10: 72.0.0.0/5
Subnet #11: 80.0.0.0/5
Subnet #12: 88.0.0.0/5
Subnet #13: 96.0.0.0/5
Subnet #14: 104.0.0.0/5
Subnet #15: 112.0.0.0/5
Subnet #16: 120.0.0.0/5
Subnet #17: 128.0.0.0/5
Subnet #18: 136.0.0.0/5
Subnet #19: 144.0.0.0/5

We were interested in 128.0.0.0/5; you can see this is subnet #17. Subnet #18 (136.0.0.0/5) is the next one and outside of our scope.

Everything between 128.0.0.0 and 135.255.255.255 matches our 128.0.0.0/5.

Another way to look at it is in binary:

128.0.0.0/3 in binary looks like this:

128.0.0.0 = 10000000 00000000 00000000 00000000

With the /3 we are saying that the first 3 bits have to be 100:

128.0.0.0 = 10000000 00000000 00000000 00000000

What is the highest number we can create if the first three bits have to be 100?

159.255.255.255 = 10011111 11111111 11111111 11111111

So everything between 128.0.0.0 and 159.255.255.255 matches 128.0.0.0/3.

Does this make sense? :slight_smile:

128.0.0.0/3 is anything within 128.0.0.0 - 159.255.255.255

and

128.0.0.0/5 is anything within 128.0.0.0 - 135.255.255.255

I was confused initially because I thought all the subnets listed were covered by the prefix-list.
I got it now, thanks Rene.

You are simply great, no words :slight_smile:

Hi Rene,
I would like to filter some routes, 10.50.3.0/24, 10.50.4.0/24 and 10.50.5.0/24, out of the range 10.50.0.0/24 - 10.50.10.0/24. However, I end up doing the following with a prefix-list:

R1(config)#do sh ip prefix-list 
ip prefix-list deny3to5: 4 entries
   seq 10 deny 10.50.3.0/24
   seq 20 deny 10.50.4.0/24
   seq 25 deny 10.50.5.0/24
   seq 30 permit 10.50.0.0/16 le 24
R1(config)#
R2#clear ip route *
R2#sh ip route rip | beg Gateway
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 8 subnets
R        10.50.0.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R        10.50.1.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R        10.50.2.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R        10.50.6.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R        10.50.7.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R        10.50.8.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R        10.50.9.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R        10.50.10.0 [120/1] via 192.168.1.1, 00:00:03, Serial1/0
R2#

Question: is there any better way with the prefix-list instead of having those many sequences in the prefix-list of R1?
Thank you,
Muktar

Muktar,
You could save one line by doing the following:

ip prefix-list deny3to5: 3 entries
seq 10 deny 10.50.3.0/24
seq 20 deny 10.50.4.0/23
seq 30 permit 10.50.0.0/16 le 24

Thanks Andrew and the team.

Hi Rene,

First of all thanks for making all topics easy with nice explanation.

I have some doubt on this prefix-list even after going through all Topic and QnA.

First,
How does a prefix-list differentiate between network and host? Does it differentiate like an ACL, or does it deal with these two in a different, more suitable manner?
Like in an ACL, if I write permit 10.0.0.0/8 it includes 10.0.0.0 to 10.255.255.255. Is it the same in a prefix-list?

Second,
As the prefix-list says, it is an exact match.
ip prefix-list test1 permit 10.0.0.0/8
Will it allow only the single IP 10.0.0.0, like the ACL host 10.0.0.0 command does, or will it allow 10.0.0.0 to 10.255.255.255 like ACL 10.0.0.0/8 does?

Third,
ip prefix-list test2 permit 10.0.0.0/16 ge 24
In the first condition it matches the 1st and 2nd octets; in the second condition it matches /24, /25, /26, /27, /28, /29, /30, /31, /32, ignoring any value (0-255) in the fourth octet. How does it treat the value of the 3rd octet? Does it deny any value between 1-255?

Fourth,
ip prefix-list test3 permit 0.0.0.0/0 le 32 - It says permit any route
ip prefix-list test4 permit 0.0.0.0/0 - It says permit default route
The default route itself says permit any route, so why is it different here in the command?

Fifth,
If I want to permit the 192.0.0.0 IP only, then will I write 192.0.0.0/2 or 192.0.0.0/8? What is the difference between the two?
ip prefix-list test5 permit 192.0.0.0/2 ge 23 le 24
ip prefix-list test5 permit 192.0.0.0/8 ge 23 le 24
Will these two prefix-lists give the same output? If not, then what are the IPs covered separately in these two?

Thanks in advance…

Syed,

  1. Prefix lists are a bit more specialized than ACLs. With the exception of /32, prefix lists aren’t really concerned about network versus host. Instead it is concerned about routes (subnets). In the example of prefix-list PREFIX permit 10.0.0.0/8, this would match the route 10.0.0.0 255.0.0.0 exactly. 10.0.1.0 255.255.255.0 would NOT be matched for example.

The power of prefix lists comes in when you start adding the GE or LE options. At that point you can match a range of different subnet masks. So, for example, 10.0.0.0/8 le 10 would match 10.0.0.0 255.0.0.0, 10.0.0.0 255.128.0.0, and 10.0.0.0 255.192.0.0

  2. As mentioned in #1, a prefix-list of 10.0.0.0/8 matches the route 10.0.0.0 255.0.0.0 exactly. It is not a single IP, but a single route. If you wanted to match the 10.0.0.0 IP exactly, it would be 10.0.0.0/32 (which would probably be rejected because of the last zero).

  3. 10.0.0.0/16 ge 24, has two conditions for a match: A) the route must be within the 10.0.0.0 255.255.0.0 boundary and B) the route must have a mask length of between 24 and 32. Let’s do some examples (I chose 88 for the third octet at random):

10.0.88.0/28 = Matched - both conditions satisfied
10.1.88.0/28 = Not Match - Condition A NOT satisfied
10.0.88.0/22 = Not Match - Condition B NOT satisfied

So to answer your question, the prefix list doesn’t care about the 3rd octet value so long as conditions A and B are met.

  4. A default route is not the same thing as any route. A default route is a route of last resort if there isn’t any more specific route. In the case of prefix-lists, permit 0.0.0.0/0 means something very specific, namely 0.0.0.0 0.0.0.0 exactly.

  5. You will need to clarify what you mean by “192.0.0.0 IP only.” Are you talking about 192.0.0.0 255.255.255.255? If so, this would be 192.0.0.0/32
    If you wrote 192.0.0.0/2, then only the specific route of 192.0.0.0 mask 192.0.0.0 would be permitted. Likewise, 192.0.0.0/8 would allow only the exact route of 192.0.0.0 255.0.0.0

For your last two questions, read my answer for #3 above, and I think you will have enough information to figure those out. Give it a try and reply with your answers.
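The matching rules laid out in this thread (Rene's block-size and binary view of 128.0.0.0/3 and /5, and Andrew's two conditions for 10.0.0.0/16 ge 24) can be checked with a small simulator. The following is an added example written for this page, not code from NetworkLessons or from Cisco IOS; it models a prefix-list as IOS documents it (exact length match when neither ge nor le is given, otherwise a length window bounded by ge/le, first match in sequence order wins, implicit deny at the end) and applies it to the prefix-lists and routes quoted above. The lists named TEST1 to TEST4, DENY3TO5, SHORT_EXACT and SHORT_LE are constructed here from the thread's statements; SHORT_LE is the three-line deny3to5 variant with le 24 added to the /23 entry, which under the exact-match rule is what it takes for that entry to catch both 10.50.4.0/24 and 10.50.5.0/24. Function names (parse_list, evaluate, prefix_range and so on) are my own.

```python
import ipaddress


def to_binary(addr):
    """Dotted-decimal address -> four 8-bit groups, the binary view used above."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)


def prefix_range(cidr):
    """First and last address a prefix covers, e.g. 128.0.0.0/3 -> 128.0.0.0 .. 159.255.255.255."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def block_and_subnet_number(cidr):
    """The '256 - mask octet' shortcut: block size in the octet where the mask ends,
    and which block (1-based) the prefix is, e.g. 128.0.0.0/5 -> (8, 17)."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 is a single block covering everything")
    idx = (net.prefixlen - 1) // 8                 # octet the mask ends in
    block = 256 - net.netmask.packed[idx]
    number = net.network_address.packed[idx] // block + 1
    return block, number


def parse_list(lines):
    """Parse 'seq N permit|deny PREFIX [ge X] [le Y]' statements.
    A statement without seq gets the next free value 5 above the highest used,
    mirroring the 5/10/15 numbering IOS assigned in the TEST example above."""
    entries, next_seq = [], 5
    for line in lines:
        tok = line.split()
        entry = {"seq": None, "ge": None, "le": None}
        i = 0
        while i < len(tok):
            if tok[i] == "seq":
                entry["seq"] = int(tok[i + 1])
            elif tok[i] in ("permit", "deny"):
                entry["action"] = tok[i]
                entry["net"] = ipaddress.ip_network(tok[i + 1])
            elif tok[i] in ("ge", "le"):
                entry[tok[i]] = int(tok[i + 1])
            else:
                raise ValueError(f"unexpected token {tok[i]!r} in {line!r}")
            i += 2
        if entry["seq"] is None:
            entry["seq"] = next_seq
        next_seq = max(next_seq, entry["seq"] + 5)
        entries.append(entry)
    return sorted(entries, key=lambda e: e["seq"])


def entry_matches(entry, route):
    """Condition A: the route lies inside the entry's prefix.
    Condition B: the route's length is within [ge, le]; with neither keyword the
    length must equal the entry's own length (exact match)."""
    net = entry["net"]
    if not route.subnet_of(net):
        return False
    if entry["ge"] is None and entry["le"] is None:
        return route.prefixlen == net.prefixlen
    low = entry["ge"] if entry["ge"] is not None else net.prefixlen
    high = entry["le"] if entry["le"] is not None else route.max_prefixlen
    return low <= route.prefixlen <= high


def evaluate(entries, route_cidr):
    """First matching statement wins in sequence order; anything unmatched hits
    the implicit deny. Returns (action, seq) with seq None for the implicit deny."""
    route = ipaddress.ip_network(route_cidr)
    for entry in entries:
        if entry_matches(entry, route):
            return entry["action"], entry["seq"]
    return "deny", None


# Constructed from the prefix-list statements quoted in this thread.
TEST1 = parse_list(["permit 10.0.0.0/8"])
TEST2 = parse_list(["permit 10.0.0.0/16 ge 24"])
TEST3 = parse_list(["permit 0.0.0.0/0 le 32"])
TEST4 = parse_list(["permit 0.0.0.0/0"])
DENY3TO5 = parse_list(["seq 10 deny 10.50.3.0/24", "seq 20 deny 10.50.4.0/24",
                       "seq 25 deny 10.50.5.0/24", "seq 30 permit 10.50.0.0/16 le 24"])
SHORT_EXACT = parse_list(["seq 10 deny 10.50.3.0/24", "seq 20 deny 10.50.4.0/23",
                          "seq 30 permit 10.50.0.0/16 le 24"])
SHORT_LE = parse_list(["seq 10 deny 10.50.3.0/24", "seq 20 deny 10.50.4.0/23 le 24",
                       "seq 30 permit 10.50.0.0/16 le 24"])

if __name__ == "__main__":
    print(prefix_range("128.0.0.0/3"), block_and_subnet_number("128.0.0.0/3"))
    print(to_binary("159.255.255.255"))
    for route in ("10.0.88.0/28", "10.1.88.0/28", "10.0.88.0/22"):
        print("test2", route, evaluate(TEST2, route))
    for route in ("10.50.4.0/24", "10.50.5.0/24"):
        print("short", route, evaluate(SHORT_EXACT, route), evaluate(SHORT_LE, route))
```

Running it reproduces the thread's results: 128.0.0.0/3 spans 128.0.0.0 to 159.255.255.255 as block #5 of 32, 128.0.0.0/5 is block #17 of 8, test2 permits 10.0.88.0/28 and denies the other two routes, and 10.50.4.0/24 slips past the bare /23 deny onto seq 30 until le 24 is added.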


Hi Rene,

I notice something odd on the router output:

     172.16.0.0/24 is subnetted, 4 subnets
D       172.16.0.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
D       172.16.1.0 [90/156160] via 192.168.12.2, 00:00:35, FastEthernet0/0
D       172.16.2.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
D       172.16.3.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0

Why does it say 172.16.0.0/24 is subnetted, as opposed to 172.16.0.0/16 is subnetted?

Stuart