Prefix-lists can be used to filter prefixes and are far more powerful than simple access-lists. Let’s say I want to filter all prefixes that fall within the 10.0.0.0 range and that have a subnet mask between /24 and /28. Do you think you could do this with an access-list? It won’t be easy, right…with a prefix-list this is very easy to do!
Most CCNP students find prefix-lists difficult to understand so in this lesson I’ll show you how prefix-lists work by using them as route filters.
I will show you different scenarios and different filters. Here is the topology that we will use:
Above you see two routers called “R1” and “R2”. On R2, we have a couple of loopback interfaces with prefixes that we will advertise in EIGRP. I’m doing this, so we have several prefixes to play with. Here is the configuration:
R1(config)#router eigrp 12
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.12.0
R2(config)#router eigrp 12
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.12.0
R2(config-router)#network 172.16.0.0 0.0.3.255
EIGRP is configured, so all networks are advertised.
R1#show ip route eigrp
172.16.0.0/24 is subnetted, 4 subnets
D 172.16.0.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
D 172.16.1.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
D 172.16.2.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
D 172.16.3.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
If we look at the routing table of R1 we can see all those networks on the loopback interfaces as they should be. Now we’ll see if we can do some filtering. Let’s start with a simple prefix-list that filters 172.16.1.0 /24 but permits everything else:
R1(config)#ip prefix-list FILTERTHIS seq 5 deny 172.16.1.0/24
R1(config)#ip prefix-list FILTERTHIS seq 10 permit 0.0.0.0/0 le 32
By using the ip prefix-list command, you can create prefix lists. As you can see it looks a bit similar to my access-list but instead of typing wildcards we just specify the number of bits. The first line denies 172.16.1.0/24 and the second line permits 0.0.0.0/0 (all networks) if they have a subnet mask of /32 or smaller…in other words “everything”. This line is the equivalent of permit ip any any.
Let’s enable it on R1 to see what the result is:
R1(config)#router eigrp 12
R1(config-router)#distribute-list prefix FILTERTHIS in
And we’ll enable the new prefix-list.
R1#show ip route eigrp
172.16.0.0/24 is subnetted, 3 subnets
D 172.16.0.0 [90/156160] via 192.168.12.2, 00:01:54, FastEthernet0/0
D 172.16.2.0 [90/156160] via 192.168.12.2, 00:01:54, FastEthernet0/0
D 172.16.3.0 [90/156160] via 192.168.12.2, 00:01:54, FastEthernet0/0
As you can see, 172.16.1.0/24 has been filtered, and all the other networks are permitted.
The true power of the prefix-list is in the ge (greater than or equal to) and le (less than or equal to) operators. Let’s look at some examples:
R1(config)#ip prefix-list RENETEST permit 10.0.0.0/8 le 19
In this example, I’m using the le operator. This prefix-list statement says that all networks that fall within the 10.0.0.0/8 range AND that have a subnet mask of /19 or less are permitted.
If I have a network with 10.0.0.0 /21, it will be denied by this prefix list. It falls within the 10.0.0.0 /8 range, but it has a subnet mask of /21. I’m using the le operator, which says that the subnet mask should be /19 or smaller.
Let’s say I have another network with 10.0.0.0 /17 then it will be permitted by this prefix-list. It falls within the 10.0.0.0/8 range and has a subnet mask that is smaller than /19.
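The matching rules described above, as an added Python example that is not part of the original lesson: it parses the lesson's two prefix-lists and evaluates routes against them first-match-wins, with the implicit deny that ends every prefix-list. The function names and the ROUTES sample are assumptions made for illustration.

```python
import ipaddress
import re

ENTRY = re.compile(r"ip prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?$")

def parse(lines):
    """Parse 'ip prefix-list' lines into {name: entries ordered by seq}."""
    lists = {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"not a prefix-list entry: {line!r}")
        name, seq, action, net, ge, le = m.groups()
        net = ipaddress.ip_network(net)  # rejects entries with host bits set
        entries = lists.setdefault(name, [])
        # Without an explicit seq, IOS numbers entries 5, 10, 15, ...
        seq = int(seq) if seq else (entries[-1][0] + 5 if entries else 5)
        # Neither ge nor le: exact length. Only ge: ge..32. Only le: len..le.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((seq, action, net, lo, hi))
        entries.sort(key=lambda e: e[0])
    return lists

def evaluate(entries, route):
    """Return (action, seq) of the first matching entry, else implicit deny."""
    route = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action, seq
    return "deny", None  # every prefix-list ends with an implicit deny

# The two prefix-lists configured in the lesson.
LISTS = parse([
    "ip prefix-list FILTERTHIS seq 5 deny 172.16.1.0/24",
    "ip prefix-list FILTERTHIS seq 10 permit 0.0.0.0/0 le 32",
    "ip prefix-list RENETEST permit 10.0.0.0/8 le 19",
])
# Sample routes (constructed from prefixes that appear in the lesson).
ROUTES = ["172.16.1.0/24", "172.16.2.0/24", "10.0.0.0/17", "10.0.0.0/21",
          "10.4.0.0/19", "10.5.0.0/20"]

def report(name):
    """Map each sample route to the action the named prefix-list takes."""
    return {r: evaluate(LISTS[name], r)[0] for r in ROUTES}

if __name__ == "__main__":
    for name in LISTS:
        print(name, report(name))
```

Under RENETEST the 172.16.x.0/24 routes are denied as well: they match no entry, so the implicit deny applies.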
Are you following me here? Let me give you an example on our routers:
R2(config)#interface loopback 10
R2(config-if)#ip address 10.1.1.1 255.255.0.0
R2(config-if)#interface loopback 11
R2(config-if)#ip address 10.2.2.2 255.255.128.0
R2(config-if)#interface loopback 12
R2(config-if)#ip address 10.3.3.3 255.255.192.0
R2(config-if)#interface loopback 13
R2(config-if)#ip address 10.4.4.4 255.255.224.0
R2(config-if)#interface loopback 14
R2(config-if)#ip address 10.5.5.5 255.255.240.0
R2(config-if)#interface loopback 15
R2(config-if)#ip address 10.6.6.6 255.255.248.0
First, we’ll add a couple of loopback interfaces on R2. If you look closely, you can see I’m using different subnet masks.
R2(config)#router eigrp 12
R2(config-router)#network 10.0.0.0
And I’ll advertise them in EIGRP.
R1(config)#router eigrp 12
R1(config-router)#no distribute-list prefix FILTERTHIS in
Let’s get rid of the prefix-list on R1…
R1#show ip route eigrp
172.16.0.0/24 is subnetted, 4 subnets
D 172.16.0.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
D 172.16.1.0 [90/156160] via 192.168.12.2, 00:00:35, FastEthernet0/0
D 172.16.2.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
D 172.16.3.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 6 masks
D 10.2.0.0/17 [90/156160] via 192.168.12.2, 00:02:22, FastEthernet0/0
D 10.3.0.0/18 [90/156160] via 192.168.12.2, 01:14:57, FastEthernet0/0
D 10.1.0.0/16 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0
D 10.6.0.0/21 [90/156160] via 192.168.12.2, 01:02:35, FastEthernet0/0
D 10.4.0.0/19 [90/156160] via 192.168.12.2, 01:14:46, FastEthernet0/0
D 10.5.0.0/20 [90/156160] via 192.168.12.2, 01:02:35, FastEthernet0/0
Now we see all the networks that fall within the 172.16.0.0/16 and 10.0.0.0/8 range. Time to enable that prefix-list I just created:
R1(config)#router eigrp 12
R1(config-router)#distribute-list prefix RENETEST in
This is how we activate it, and this is what we end up with:
Hello,
in the lesson is:
What about 10.60.0.0 /19? It falls within the 10.0.0.0 /8 range but it is not permitted because it has a subnet mask of /23…our ge operator says it should be /20 or larger.
But the network has a mask of /19 and not /23, so it should be “it has a subnet mask of /19…”
Hi Towdie,
You are totally right, just fixed this typo. Thanks for pointing it out!
Rene
Rene, I really like the way you explain. Thank you so much…
Yes if you use a prefix-list without GE or LE then it’s just the prefix that you matched. For example, 172.16.1.0/24 is the same as 172.16.1.0 0.0.0.255 in an access-list.
Rene - It's a crisp & clear explanation…however, can you help me to understand what prefixes are covered for 128.0.0.0/3 & 128.0.0.0/5…?