Understanding Prefix Lists

When filtering and manipulating routing protocols and routing updates there are a number of options on the Cisco platforms we as engineers can take advantage of.  In a previous post I briefly discussed the use of standard ACL’s to filter updates.  ACLs filter every packet, or in this case advertised network, that falls within the range is specifies.  This is useful for all or nothing or specific inclusions but does not allow us to us easily filter or permit based on the actual prefix length, ie subnet mask length.  Enter prefix lists.

To begin the discussion lets establish a topology to throw our configuration and ideas against.  The addresses below can be summarized as 10.0.0.0 – 10.0.3.255 aka a prefix of 10.0.0.0/22 or 10.0.0.0 255.255.252.0.  It’s all one in the same.  You will notice, however, the address space has been chopped into smaller subnets.  While the subnets may not all be particularly practical they do give us a wonderful set of prefixes to experiment on!

prefix_list_topo Chances are if you’re reading this I don’t need to dump the entire config here for you to understand what I’m doing.  The general idea is that all loopbacks on R1 are being advertised into EIGRP and sent over to R2.

R1
router eigrp 100
 network 10.0.0.0 0.0.3.255
 network 192.168.1.0 0.0.0.3
 no auto-summary
R2#sh ip route
     10.0.0.0/8 is variably subnetted, 11 subnets, 9 masks
D       10.0.2.0/24 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
D       10.0.3.0/25 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
D       10.0.0.0/24 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
D       10.0.1.0/24 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
D       10.0.3.128/26 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
D       10.0.3.192/27 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
D       10.0.3.224/28 [90/156160] via 192.168.1.1, 00:00:04, FastEthernet0/0
D       10.0.3.248/30 [90/156160] via 192.168.1.1, 00:00:04, FastEthernet0/0
D       10.0.3.252/31 [90/156160] via 192.168.1.1, 00:00:04, FastEthernet0/0
D       10.0.3.254/32 [90/156160] via 192.168.1.1, 00:00:04, FastEthernet0/0
D       10.0.3.240/29 [90/156160] via 192.168.1.1, 00:00:04, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

As you can see all routes are advertised.  Now, let’s start filtering!

Prefix lists are always named.  They consist of permit and deny statements and always end with an implicate deny like an ACL.  They can also be sequenced and descriptions can be added.  Finally prefix lists can be applied as distribution lists, used in redistribution, and in route maps.  In the examples I will use distribution-list configuration as it is probably the simplest way to illustrate.

To get started lets first create a prefix list to allow only the 10.0.0.0/24 subnet through and apply the list to the EIGRP configuration.

R2(config)# ip prefix-list LIST1 permit 10.0.0.0/24
R2(config)# router eigrp 100
R2(config-router)# distribute-list prefix LIST1 in
R2#show ip route
     10.0.0.0/24 is subnetted, 1 subnets
D       10.0.0.0 [90/156160] via 192.168.1.1, 00:02:13, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

 

As you can see the list did exactly what it was told to do; allow updates containing 10.0.0.0/24 and nothing else.  Next, let’s try to add any addresses that falls in the range 10.0.3.0/24.  You can simply update the list without changing the EIGRP configuration.  You will, however, need to bounce the neighbor relationship with the exception of more recent code (15.1 or later I believe) where it will resync on it own.

R2(config)#ip prefix-list LIST1 permit 10.0.3.0/24
R2# clear ip eigrp 100 neighbors
R2#show ip route
     10.0.0.0/24 is subnetted, 1 subnets
D       10.0.0.0 [90/156160] via 192.168.1.1, 00:05:38, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

So no update?  What gives!?  This is actually working exactly as it should.  R1 might be advertising all addresses from the 10.0.3.0/24 space but not 10.0.3.0/24 specifically.  So, how do we actually include this mess of subnets?  One of two ways.  First, we could create specific prefix list entries for each.  For example if we started adding entries like this:

ip prefix-list LIST1 seq 15 permit 10.0.3.0/25
ip prefix-list LIST1 seq 20 permit 10.0.3.128/26
etc…

Or, much more preferably, you can use the extended flexibility of prefix lists to match the networks.  I am going to remove all prefix list entries and start over this list at this point.  Let’s check out some of our options:

R2(config)#ip prefix-list LIST1 permit 10.0.3.0/24 ?
  ge  Minimum prefix length to be matched
  le  Maximum prefix length to be matched
  <cr>

As you noticed there are two options we can add, “ge” or “le”.  The first, “ge” or “great than or equal to” is for matching prefixes equal or longer in length than X where X is the next argument you add.  Huh?  Let’s do try an example.  We would like to include any routes in the range of 10.0.3.0/24 with a prefix length of 26 or greater.  Essentially any advertised route that’s a /26,/27,/28,/29,/30,/31,or /32.

R2(config)#ip prefix-list LIST1 permit 10.0.3.0/24 ge 26
R2#clear ip eigrp 100 neighbors
R2#sh ip route
     10.0.0.0/8 is variably subnetted, 7 subnets, 7 masks
D       10.0.3.128/26 [90/156160] via 192.168.1.1, 00:00:17, FastEthernet0/0
D       10.0.3.192/27 [90/156160] via 192.168.1.1, 00:00:17, FastEthernet0/0
D       10.0.3.224/28 [90/156160] via 192.168.1.1, 00:00:17, FastEthernet0/0
D       10.0.3.248/30 [90/156160] via 192.168.1.1, 00:00:17, FastEthernet0/0
D       10.0.3.252/31 [90/156160] via 192.168.1.1, 00:00:17, FastEthernet0/0
D       10.0.3.254/32 [90/156160] via 192.168.1.1, 00:00:17, FastEthernet0/0
D       10.0.3.240/29 [90/156160] via 192.168.1.1, 00:00:19, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

As you can see we are now collecting the desired routing information.  Like the  “gr” option the “le” or “less than or equal to” option has a similar effect but in reverse.   After clearing the list and creating the rule below the results are as follows:

R2(config)#ip prefix-list LIST1 permit 10.0.3.0/24 le 26
R2(config)#do clear ip eigrp neighbor
R2(config)#do sh ip route
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       10.0.3.0/25 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
D       10.0.3.128/26 [90/156160] via 192.168.1.1, 00:00:02, FastEthernet0/0
192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

The example configuration above will include /24, /25 and /26 prefixes falling inside the 10.0.3.0/24 range of networks.

The final consideration is using each of the options.

R2(config)#ip prefix-list LIST1 permit 10.0.3.128/25 ge 25 le 28
% Invalid prefix range for 10.0.3.128/25, make sure: len < ge-value <= le-value
R2(config)#ip prefix-list LIST1 permit 10.0.3.128/25 ge 26 le 28
R2(config)#do sh ip route
10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
D       10.0.3.128/26 [90/156160] via 192.168.1.1, 00:00:11, FastEthernet0/0
D       10.0.3.192/27 [90/156160] via 192.168.1.1, 00:00:11, FastEthernet0/0
D       10.0.3.224/28 [90/156160] via 192.168.1.1, 00:00:11, FastEthernet0/0
192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

In this example we permitted anything in the range of 10.0.3.128/25 with a prefix length of /26, /27 or /28.  You will notice that I initially tried a 25 bit prefix that generated an error.  This is because a 25 bit mask is specified along with a prefix length so why allow a match of its self?

I hope you found this breif discussion of prefix lists helpful!  As always please comment with questions, comments, etc!

 

This entry was posted in Networking and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *