IP prefix lists. Why? At first glance, it may seem that this is just another way to add more math and numbers to the life of a net admin. Don’t be fooled by the first glance. Once you get used to IP prefix lists, you may like them even better than their counterpart – IP access lists. They provide more granularity of control, and allow more flexibility as well. Let’s take a look and see how they work.
We can use one well-known fact about routers and their routing decisions to make this easier to understand. When a router examines its routing table to select an exit interface, it has several criteria upon which to base its final decision. If multiple protocols are in use, then Administrative Distance (how believable is that protocol?) is commonly thought of as the deciding factor. However, more definitive than even AD is longest prefix length. For instance, let’s say a packet enters the router with a destination of 10.2.3.67. Let us also presume that a greatly compressed version of the relevant portion of the routing table looks like this:
The router would select E0/1 as the egress interface, because a 27 bit prefix is longer than the 26 bit prefix. That quick review of routing decisions is sufficient to proceed in our discussion of IP prefix lists, because when we mention prefixes, we are talking about network addresses.
The syntax of the IP prefix-list command looks like this:
a.b.c.d represents the IP prefix (network address) being examined and PL is the prefix length (that is, how many bits of the prefix are significant) under consideration. ‘Name’ is whatever you want to call your list.
Using actual numbers will solidify the syntax, so let’s see a few examples and what they mean:
Matches the network 10.1.2.0 with a subnet mask of 255.255.255.0
Does not match network 10.1.3.0
Matches the network 172.16.0.0 with a mask of 255.255.0.0
Does not match 220.127.116.11
Matches the network 0.0.0.0 with prefix-length of zero, which means
match exactly a default route
There is more to this command, so let’s investigate some options you have when you use it.
If you examine the full features of the command on Cisco’ Command Reference Page, you will note that there are optional aspects of this command that I have not as yet addressed.
The full syntax is as follows:
So you can use a number for your list rather than a name, but a descriptive name is oh so helpful later when you are trying to remember what you did three weeks ago. The optional aspects of the command are in square brackets  to set them apart from the required pieces. You can select a sequence number if you wish, but if you choose not to do so, the IOS will start with the number five and increment by fives. You must select either permit or deny – you have to tell the IOS what you want, after all. The last brackets add the coolness to this command! The ge means greater than or equal to. The le keyword means less than or equal to. These keywords, used alone or in conjunction with each other, can be used to fine-tune your filtering. If you imagine that you want to match a prefix and a range of subnet mask lengths, then the ge piece indicates the “from” part and the le indicates the “to” part. The ‘x’ represents the number of bits in the subnet mask that are significant.
Once again, it will help to see them in examples with numbers. Let’s take a look:
|10.0.0.0/8 ge 17 le 19||Check the first 8 bits of network 10.0.0.0 – it must equal 10 to match. The subnet mask value must be greater than or equal to 17 and less than or equal to 19. So 18.104.22.168 would fail to match immediately. 10.2.0.0 with mask of 255.255.255.0 would also fail to match as the mask is too long.|
|0.0.0.0/1 ge 8 le 8||Check to first bit of the prefix. It must be a 0. In binary, the first octet would look like this: 0 x x x x x x x. If the first bit is locked at 0, it matches the definition of a Class A address, as the remaining bits can range from values of 0 to 127. The rest of the list means that a matching network must have a subnet mask that is greater than or equal to AND less than or equal to 8, or exactly 8 bits in the mask. This means that all classful Class A networks will match this list (subnet mask 255.0.0.0).|
|0.0.0.0/0 le 32||Check the first 0 bits of 0.0.0.0. This seems quite wide open and it is. If there is a limiting factor, or filter, it will be in the remainder of the command. Let’s check that. Any mask value less than or equal to 32 will match. That includes everything. So this is the cool way to match ANY network.|
One other thing to include for this command to be valid syntactically is to discuss what values can be used in conjunction with one another. To write it mathematically:
That is, the prefix length can’t be less than the ‘greater than or equal to,’ or ‘from’ value.
What this means is that you can’t do this:
10.1.0.0/16 ge 8 because the ge value of 8 (the ‘from’ value) is less than the number of bits the router is supposed to check in the prefix, or network. To see why, imagine that you are the router trying to interpret this command. Here is what the reasoning would look like: I am trying to look at, or match, the first 8 bits of a network address where the first sixteen bits ‘belong’ to the network. So you are telling me that it must begin with 10.1, but I am only supposed to look at the 10. You see why it doesn’t work?
Once you get used to the results you can achieve with well-written ip prefix-lists, you will enjoy the raw power they provide. In a future blog, I will discuss how you can use prefix lists to filter which routes are redistributed from one routing protocol to another.
I hope this clears up some of the misunderstandings associated with this very useful Cisco command!
Until next time….