
Prefix-lists are used to match on prefix and prefix-length pairs.

Normal prefix-list syntax is as follows:


ip prefix-list LIST permit w.x.y.z/len

Where w.x.y.z is your exact prefix, and len is your exact prefix-length. So "ip prefix-list LIST permit 1.2.3.0/24" would be an exact match for the prefix 1.2.3.0 with a subnet mask of 255.255.255.0. This does not match 1.2.0.0/24, nor does it match 1.2.3.4/32, nor anything in between. When you add the keywords "ge" and "le" to the prefix-list, the "len" value changes its meaning. When using ge and le, the len value specifies how many bits of the prefix you are checking, starting with the most significant bit.
ip prefix-list LIST permit 1.2.3.0/24 le 32

This means: check the first 24 bits of the prefix 1.2.3.0; the subnet mask must be less than or equal to 32. This equates to the access-list syntax:
access-list 1 permit 1.2.3.0 0.0.0.255

0.0.0.0/0 le 32 <--- This matches ANY route. Basically the logic here is "0 bits must match AND the subnet mask can be anything <= 32 bits" (anything). This equates to "any".

0.0.0.0/0 <--- This matches ONLY the default route. The logic here is that we are matching EXACTLY 0.0.0.0 with a mask of 0.0.0.0. Nothing more, nothing less.

0.0.0.0/32 <--- Logically, this would match EXACTLY 0.0.0.0 with a mask of 255.255.255.255. From my testing this does "NOT" match every route.


ip prefix-list LIST permit 0.0.0.0/0

This means: the exact prefix 0.0.0.0, with the exact prefix-length 0. This is matching a default route.
ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29

This means: check the first 8 bits of the prefix 10.0.0.0; the subnet mask must be greater than or equal to 21, and less than or equal to 29.
ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8

This matches all class A addresses with classful masks. It means: check the first bit of the prefix; it must be a 0. The subnet mask must be greater than or equal to 8, and less than or equal to 8 (it is exactly 8).

When using the ge and le values, you must satisfy the condition: len < ge <= le. Therefore "ip prefix-list LIST permit 1.2.3.0/24 ge 8" is not a valid list.

What you cannot do with a prefix-list is match on arbitrary bits like you can in an access-list. Prefix-lists cannot be used to check if a number is even or odd, nor check if a number is divisible by 15, etc. Bit checking in a prefix-list is sequential, starting with the most significant (leftmost) bit.
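Added example, not code from the page's author: a small Python matcher that implements the rules just described (exact match when ge/le are absent, bit check plus mask range when they are present, first match wins, implicit deny at the end) and the len < ge <= le validity check, run over the entries from this section. The tuple layout, function names and sample routes are my own.

```python
import ipaddress

# Added example, not from the page's author: a matcher for Cisco-style
# "ip prefix-list" entries that implements the rules explained above.
# An entry is (seq, action, "prefix/len", ge, le); ge/le are None when absent.

def entry_valid(length, ge, le):
    """The constraint quoted above: len < ge <= le, and nothing above 32."""
    if ge is not None and not length < ge <= 32:
        return False
    if le is not None and not length < le <= 32:
        return False
    return ge is None or le is None or ge <= le

def mask_range(length, ge, le):
    """Mask lengths a route may carry: without ge/le the mask must equal
    len; 'ge N' opens the range up to /32, 'le N' caps it at N."""
    lo = ge if ge is not None else length
    hi = le if le is not None else (32 if ge is not None else length)
    return lo, hi

def entry_matches(route, entry):
    _seq, _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    lo, hi = mask_range(net.prefixlen, ge, le)
    if not lo <= route.prefixlen <= hi:
        return False
    # Bit check: only the first `len` bits are compared, left to right.
    return route.supernet(new_prefix=net.prefixlen) == net

def evaluate(prefix_list, route_str):
    """Walk the entries in seq order; the first match decides; a route that
    matches nothing hits the implicit deny at the end."""
    route = ipaddress.ip_network(route_str)
    for entry in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, entry):
            return entry[1]
    return "deny"

# The entries discussed in the text above
EXACT   = [(5, "permit", "1.2.3.0/24", None, None)]
LE32    = [(5, "permit", "1.2.3.0/24", None, 32)]
ANY     = [(5, "permit", "0.0.0.0/0", None, 32)]
DEFAULT = [(5, "permit", "0.0.0.0/0", None, None)]
RANGE   = [(5, "permit", "10.0.0.0/8", 21, 29)]
CLASS_A = [(5, "permit", "0.0.0.0/1", 8, 8)]

if __name__ == "__main__":
    # Sample routes are constructed for the demonstration.
    cases = [
        ("EXACT", EXACT, ["1.2.3.0/24", "1.2.3.4/32", "1.2.0.0/24"]),
        ("LE32", LE32, ["1.2.3.0/24", "1.2.3.4/32", "1.2.0.0/24"]),
        ("ANY", ANY, ["0.0.0.0/0", "203.0.113.0/24"]),
        ("DEFAULT", DEFAULT, ["0.0.0.0/0", "203.0.113.0/24"]),
        ("RANGE", RANGE, ["10.1.2.0/24", "10.0.0.0/8", "10.1.2.0/30"]),
        ("CLASS_A", CLASS_A, ["10.0.0.0/8", "10.1.0.0/16", "128.0.0.0/8"]),
    ]
    for name, plist, routes in cases:
        print(name, [(r, evaluate(plist, r)) for r in routes])
    print("1.2.3.0/24 ge 8 valid?", entry_valid(24, 8, None))
```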

ip prefix-list provides the most powerful prefix based filtering mechanism

A normal access-list CANNOT check the subnet mask of a network. It can only check bits to make sure they match, nothing more. A prefix-list has an advantage over an access-list in that it CAN check BOTH bits and subnet mask; both would have to match for the network to be either permitted or denied. For checking bits a prefix list ALWAYS goes from left to right and CANNOT skip any bits. A basic example would be this:
192.16.8.0/24
If there is only a / after the network (no le or ge) then the number after the / is BOTH bits checked and subnet mask. So in this case it will check the 24 bits from left to right (won't care about the last 8 bits) AND it will make sure that it has a 24 bit mask. BOTH the 24 bits checked and the 24 bit subnet mask must match for the network to be permitted or denied.
Now we can do a range of subnet masks also that could be permitted or denied:
192.16.8.0/24 ge 25
If we use either le or ge (or both le and ge) after the /, then the number directly after the / becomes ONLY bits checked and the number after the ge or le (or both) is the subnet mask. So in this case we are still going to check the first 24 bits of the network from left to right. If those match we are then going to check the subnet mask, which in this case can be GREATER THAN OR EQUAL TO 25 bits, meaning that as long as the first 24 bits of the network match, the subnet mask could be 25, 26, 27, 28, 29, 30, 31, or 32 bits. They would all match.
We can also do:
192.16.8.0/24 le 28
Again this will check the first 24 bits of the network to make sure that they match. Then it will check to make sure that the subnet mask is LESS THAN OR EQUAL TO 28 bits. Now this isn't going to be 28 bits down to 0 bits; the subnet mask can't be any lower than the bits we are checking. So the valid range of subnet masks for this one would be 28 bits down to 24 bits (24, 25, 26, 27, and 28). All of those would match.
We can also do both ge and le:
192.16.8.0/24 ge 25 le 27
Here again we are checking the first 24 bits to make sure they match. Then our subnet mask must be GREATER THAN OR EQUAL TO 25 bits and LESS THAN OR EQUAL TO 27 bits, meaning that 25, 26, and 27 bit subnet masks would match.

Now for a couple of examples. If we have the following networks:
192.16.8.0/28
192.16.8.16/28
192.16.8.32/28
192.16.8.48/28
192.16.8.64/28
We could permit all of these networks with one prefix-list statement:
192.16.8.0/24 ge 28 le 28
This will check the first 24 bits to make sure they match. All of these networks have 192.16.8 as the first 24 bits, and it won't care what is in the last 8 bits. Then it will check to make sure that the subnet mask is GREATER THAN OR EQUAL TO 28 bits and LESS THAN OR EQUAL TO 28 bits; the only number that works for this is 28 bits. So the first 24 bits in the network must match and it has to have a 28 bit subnet mask. All 5 of our networks would match for this.
We could be even more precise with this and use:
192.16.8.0/25 ge 28 le 28
If we take a look at our 4th octets we will see that for all of them the 128 bit is off, so we can check that bit also (25 bits total we are checking):
0 = 0 0 0 0 0 0 0 0
16 = 0 0 0 1 0 0 0 0
32 = 0 0 1 0 0 0 0 0
48 = 0 0 1 1 0 0 0 0
64 = 0 1 0 0 0 0 0 0
This would be closer to permitting the 5 networks that we have.

We could also permit only the classful networks. The first thing that we need to do is figure out exactly what a classful network is. For a class A network we know that it has to have an 8 bit mask and must be between 0 and 127 in the first octet. If we break down 0 and 127 we get:
0 = 0 0 0 0 0 0 0 0
127 = 0 1 1 1 1 1 1 1
For the first octet of a class A network the first bit has to be a 0; it must be off. So we can do a prefix-list like this:
0.0.0.0/1 ge 8 le 8
In our first octet the first bit is a 0 (which is what it would need to be to be class A); with the /1 we are ONLY checking the first bit to make sure it's a 0 (meaning it would be a class A network, 0 - 127). We are then making sure that this class A network actually has a class A subnet mask of 8 bits, and only 8 bits would match.
For the class B's we need to make sure that they have a 16 bit subnet mask and that they are in the range of 128 - 191 in the first octet. If we break down 128 and 191 we get:
128 = 1 0 0 0 0 0 0 0
191 = 1 0 1 1 1 1 1 1
The first two bits are what we are going to care about. We need to make sure that the first two bits in the first octet are 1 0. The first number that we can use as our standard we are checking against is 128; 128 has a 1 0 as the first two bits in its first octet.
128.0.0.0/2 ge 16 le 16
So we are checking the first two bits to make sure the network has a 1 0, meaning that it must be in the range of 128 - 191. We are then going to check to make sure that it has the classful 16 bit mask, and ONLY a 16 bit mask.
Finally we have the class C networks. Class C networks are in the range of 192 - 223 and they must have a 24 bit mask. If we break down 192 and 223 we get:
192 = 1 1 0 0 0 0 0 0
223 = 1 1 0 1 1 1 1 1
The first 3 bits in the first octet are what we care about. 192 would be the first number we can put in that first octet that will have 1 1 0 as its first 3 bits.
192.0.0.0/3 ge 24 le 24
We are going to check the first 3 bits of the octet and make sure that they are 1 1 0, meaning that it has to be in the range of 192 - 223, being class C; then we are going to check to make sure it has a class C classful subnet of 24 bits.
Finally, how to permit or deny "any" could be very helpful, since a prefix-list, just like an access-list, has an implicit deny at the end:
0.0.0.0/0 le 32
This is "any" for a prefix-list. It says check 0 bits; I don't care what any of the bits are. It also says that the subnet mask can be 32 bits or less (down to the number of bits we are checking), down to 0. So we aren't going to check any bits and the network can have a subnet mask of anything between 0 and 32 bits. This would be "any".

Now for our prefix-list: in the 3rd octet we have 1, 4, and 5. We'll break these down to binary to see if we can summarize these into one line:
1 = 00000001
4 = 00000100
5 = 00000101
For a prefix-list we need to go from the left to the right and we can't skip bits. So for these three networks we would need to stop at the 8 bit, since it is the last bit from left to right that is the same. This would give us 3 bits that are different, or 8 possible networks. We only have 3 of the 8 possible networks, and we should not permit or deny more than we actually have. We should be as specific as possible. If we leave the 91.86.1.0/24 alone by itself it will give us a prefix-list of:
91.86.1.0/24
This will check the first 24 bits from left to right to make sure that they match, and it will also check to make sure that it has a 24-bit subnet mask. For the 4 and 5 networks we can permit or deny both of those with one line. If we take a look at 4 and 5 again we can see that all of the bits match down to the 2 bit. This would leave 1 bit that doesn't match, which would give us 2 possible networks, both of which we have. The prefix-list to permit or deny both 4 and 5 would be:
91.86.4.0/23 ge 24 le 24
This will check the first 23 bits from left to right. The 24th bit could either be off, which would give us 4, or on, which would give us 5. Since we have the ge and le involved, the /23 is only bits checked. The ge and le specify that our subnet mask must be greater than or equal to 24 bits and less than or equal to 24 bits, which means that the subnet mask must be 24 bits for both possible networks.
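Added example, not from the original text: Python that does the two constructions worked by hand above mechanically, for networks that all carry the same mask. summary_entry builds the single-entry summary from the shortest common prefix and reports how many networks it would admit against how many were given (the "3 of 8" count); exact_entries goes beyond the page by merging the networks into aligned blocks first, so the resulting entries cover exactly the networks given and nothing else. Function names are mine.

```python
import ipaddress

# Added example, not from the original text: the two constructions worked
# by hand above, done mechanically for networks that all carry the same mask.

def summary_entry(networks):
    """One entry from the shortest common prefix, with ge/le pinned to the
    shared mask. Returns (entry, networks it admits, networks given)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    length = nets[0].prefixlen
    if any(n.prefixlen != length for n in nets):
        raise ValueError("all networks must carry the same mask")
    first = int(nets[0].network_address)
    bits = length
    # Go from the left and stop at the last bit position all networks share.
    while bits and any(int(n.network_address) >> (32 - bits)
                       != first >> (32 - bits) for n in nets):
        bits -= 1
    block = nets[0].supernet(new_prefix=bits)
    return f"permit {block} ge {length} le {length}", 2 ** (length - bits), len(nets)

def exact_entries(networks):
    """Entries that match exactly the given networks: merge neighbours into
    aligned blocks first, then pin ge/le to the original mask."""
    nets = [ipaddress.ip_network(n) for n in networks]
    length = nets[0].prefixlen
    entries = []
    for block in ipaddress.collapse_addresses(nets):
        if block.prefixlen == length:
            entries.append(f"permit {block}")
        else:
            entries.append(f"permit {block} ge {length} le {length}")
    return entries

# Networks from the text above
SUBNETS = ["192.16.8.0/28", "192.16.8.16/28", "192.16.8.32/28",
           "192.16.8.48/28", "192.16.8.64/28"]
THIRD_OCTET = ["91.86.1.0/24", "91.86.4.0/24", "91.86.5.0/24"]

if __name__ == "__main__":
    for group in (SUBNETS, THIRD_OCTET):
        entry, admits, given = summary_entry(group)
        print(f"{entry}  (admits {admits} networks, {given} given)")
        for line in exact_entries(group):
            print("  exact:", line)
```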


ip prefix-list

I had to look at prefix-lists again a bit more in detail, and at how matching is done. There are several key words that need to be understood for matching the right addresses. At first the most simple match is:
ip prefix-list PREF20 permit 20.0.0.0/24
which just matches the first 24 bits of the address and nothing else.

If you have to match more addresses, maybe a range of subnets with a specific prefix, you can match them with "ge" or "le". "ge" means greater or equal; "le" means less or equal. So if you want to match the following subnets:
20.0.0.0/16
20.1.0.0/16
you could create a prefix list with the following match:
ip prefix-list PREF20 permit 20.0.0.0/15 ge 16 le 16
This means that first the matching is done on the part that is the same for all subnets: 20.0.0.0/15, which includes 20.0.0.0 and 20.1.0.0. Here we have already summarized the best match for both addresses, so this part is the same for all addresses. Then, since we don't want to match 20.0.0.0/15 or 20.1.0.0/15, we have to tell the prefix list how to extend the variable match for the addresses that should be included. We want matches greater than or equal to /16 and at most /16. That means:
ip prefix-list PREF20 permit 20.0.0.0/15 ge 16 le 16
If we want to include, for example, only:
20.0.0.0/24
20.0.1.0/24
20.0.2.0/24
20.0.3.0/24
ip prefix-list PREF22 permit 20.0.0.0/22 ge 24 le 24
Another example would be to match a range of subnets with "le":
ip prefix-list PREF20 permit 20.0.0.0/16 le 18
This would match:
20.0.0.0/16
20.0.0.0/17
20.0.0.0/18
where the 20.0. prefix must be in all network ranges at a minimum, and every address with a maximum of /18 would match if 20.0. is in the prefix.


1. Construct a prefix list that permits only the 192.168.1.0/24 network.
2. Construct a prefix list that denies network 119.0.0.0, and permits all other prefixes (including all subnets of 119.0.0.0).
3. Construct a prefix list that permits only the default route.
4. Construct a prefix list that permits everything except the default route.
5. Construct a prefix list that permits network 172.16.0.0 and any of its subnets, and denies all other prefixes.
6. Construct a prefix list that permits only the following prefixes:
10.2.8.32/27
10.2.8.32/28
10.2.8.32/29
10.2.8.32/30
7. Construct a prefix list that:
Permits 197.25.94.128/25
Denies 197.25.94.192/26
Permits 197.25.94.224/27
Denies 197.25.94.240/28
Permits 197.25.94.248/29
Denies 197.25.94.252/30
Permits all other prefixes, except for 198.82.0.0/16
8. Construct a prefix list that permits any prefix matching the first 20 bits of 175.29.64.0 which has a mask of at least /26 but not exceeding /29, and denies all other prefixes.
9. Construct a prefix list that denies any prefix matching the first 19 bits of 15.26.96.0 with any mask up to and including /32, and permits any other prefix.
10. Construct a prefix list that denies the RFC 1918 private networks and any of their subnets, and permits everything else.
11. Construct a prefix list that permits any subnet of network 15.0.0.0 (but not the network), and denies everything else. Your router lies within AS 65011. Place the prefix list in service in the inbound direction with BGP neighbor 1.2.3.4.
12. Construct a prefix list that denies 162.56.0.0/16 and all of its subnets (with the exception of 162.56.209.208/29, which is permitted), and permits all other prefixes. Your router lies within AS 65012. Place the prefix list in service in the outbound direction with its BGP neighbor having address 5.6.7.8.
13. Construct a prefix list that permits the CIDR block containing the thirty-two class C networks beginning with 200.202.160.0/24, and denies everything else. Your router is within AS 65013. Place the prefix list in service in the inbound direction with BGP peer-group "Lucky13".
14. Construct a prefix list that denies any prefix for which the most-significant four bits are "0110", and permits everything else.
15. Construct a prefix list that permits the host address of "CatSpace", and denies everything else.

Extra Credit Exercises


16. Construct a prefix list that permits only classful networks, and denies everything else.
17. Construct a prefix list that denies only supernets, and permits everything else.
18. Construct a prefix list that permits only subnets, and denies everything else.
19. Construct a prefix list that permits only CIDR blocks encompassing at least 32 class-C equivalents.
20. Construct a prefix list that permits only the RFC 1918 private networks and their subnets, and configure RIP to use this prefix list for outbound routing advertisements.

Answers

1. The prefix list is:
ip prefix-list test1 seq 5 permit 192.168.1.0/24

2. The prefix list is:
ip prefix-list test2 seq 5 deny 119.0.0.0/8
ip prefix-list test2 seq 10 permit 0.0.0.0/0 le 32

3. The prefix list is:
ip prefix-list test3 seq 5 permit 0.0.0.0/0

4. The prefix list is:
ip prefix-list test4 seq 5 deny 0.0.0.0/0
ip prefix-list test4 seq 10 permit 0.0.0.0/0 le 32

5. The prefix list is:
ip prefix-list test5 seq 5 permit 172.16.0.0/16 le 32

6. The prefix list is:
ip prefix-list test6 seq 5 permit 10.2.8.32/27 le 30

7. The prefix list is:
ip prefix-list test7 seq 5 deny 197.25.94.192/26
ip prefix-list test7 seq 10 deny 197.25.94.240/28
ip prefix-list test7 seq 15 deny 197.25.94.252/30
ip prefix-list test7 seq 20 deny 198.82.0.0/16
ip prefix-list test7 seq 25 permit 0.0.0.0/0 le 32

8. The prefix list is:
ip prefix-list test8 seq 5 permit 175.29.64.0/20 ge 26 le 29

9. The prefix list is:
ip prefix-list test9 seq 5 deny 15.26.96.0/19 le 32
ip prefix-list test9 seq 10 permit 0.0.0.0/0 le 32

10. The prefix list is:
ip prefix-list test10 seq 5 deny 10.0.0.0/8 le 32
ip prefix-list test10 seq 10 deny 172.16.0.0/12 le 32
ip prefix-list test10 seq 15 deny 192.168.0.0/16 le 32
ip prefix-list test10 seq 20 permit 0.0.0.0/0 le 32

11. The prefix list is:
ip prefix-list test11 seq 5 permit 15.0.0.0/8 ge 9

To place it in service:
router bgp 65011
neighbor 1.2.3.4 prefix-list test11 in

12. The prefix list is:
ip prefix-list test12 seq 5 permit 162.56.209.208/29
ip prefix-list test12 seq 10 deny 162.56.0.0/16 le 32
ip prefix-list test12 seq 15 permit 0.0.0.0/0 le 32

To place it in service:
router bgp 65012
neighbor 5.6.7.8 prefix-list test12 out

13. The prefix list is:
ip prefix-list test13 seq 5 permit 200.202.160.0/19

To place it in service:
router bgp 65013
neighbor Lucky13 prefix-list test13 in

14. The prefix list is:
ip prefix-list test14 seq 5 deny 96.0.0.0/4 le 32
ip prefix-list test14 seq 10 permit 0.0.0.0/0 le 32

15. The "hardest" part of this problem (and it isn't very hard!) is determining the IP address of "CatSpace". The easiest way to do that is to either "ping" or "trace" to "www.catspace.com" from any Internet-connected host, and let DNS resolve the address (which turns out to be 64.82.100.67). The prefix list is therefore:
ip prefix-list test15 seq 5 permit 64.82.100.67/32

Extra Credit Answers


16. The prefix list is:
ip prefix-list test16 seq 5 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list test16 seq 10 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list test16 seq 15 permit 192.0.0.0/3 ge 24 le 24

17. A "supernet" is any block that contains more than one classful network. The prefix list is:
ip prefix-list test17 seq 5 deny 0.0.0.0/1 le 7
ip prefix-list test17 seq 10 deny 128.0.0.0/2 le 15
ip prefix-list test17 seq 15 deny 192.0.0.0/3 le 23
ip prefix-list test17 seq 20 permit 0.0.0.0/0 le 32

18. The prefix list is:
ip prefix-list test18 seq 5 permit 0.0.0.0/1 ge 9
ip prefix-list test18 seq 10 permit 128.0.0.0/2 ge 17
ip prefix-list test18 seq 15 permit 192.0.0.0/3 ge 25

19. Since a "class-C equivalent" prefix has a "/24" mask, a block of thirty-two of them would have a "/19" mask (moved five bits to the left). The default route is not considered a "CIDR block". The prefix list is:
ip prefix-list test19 seq 5 deny 0.0.0.0/0
ip prefix-list test19 seq 10 permit 0.0.0.0/0 le 19

20. The prefix list is:
ip prefix-list test20 seq 5 permit 10.0.0.0/8 le 32
ip prefix-list test20 seq 10 permit 172.16.0.0/12 le 32
ip prefix-list test20 seq 15 permit 192.168.0.0/16 le 32

To place it in effect for outbound RIP updates:
router rip
distribute-list prefix test20 out

Note: My testing showed that prefix lists worked as expected with BGP, EIGRP, IGRP and RIP. The results with IS-IS and OSPF varied by IOS version.


12.2.3 Showing ip prefix-list

Command: show ip prefix-list
Display all IP prefix lists.

Command: show ip prefix-list name
Show IP prefix list can be used with a prefix list name.

Command: show ip prefix-list name seq num
Show IP prefix list can be used with a prefix list name and sequential number.

Command: show ip prefix-list name a.b.c.d/m
If the command longer is used, all prefix lists with prefix lengths equal to or longer than the specified length will be displayed. If the command first match is used, the first prefix length match will be displayed.

Command: show ip prefix-list name a.b.c.d/m longer
Command: show ip prefix-list name a.b.c.d/m first-match
Command: show ip prefix-list summary
Command: show ip prefix-list summary name
Command: show ip prefix-list detail
Command: show ip prefix-list detail name

Configure a prefix-list that denies all private IP addresses (as defined in RFC 1918). The prefix list should also, in selected address ranges, deny small subnets according to these guidelines:
In address range 193.0.0.0 - 193.255.255.255, do not accept prefixes with subnet masks longer than /20.
In address range 128.0.0.0 - 191.255.255.255, do not accept prefixes with subnet masks longer than /18.
In address range 0.0.0.0 - 63.255.255.255, do not accept prefixes with subnet masks longer than /12.
Never accept prefixes longer than /24.

Answer:
ip prefix-list Incoming seq 5 deny 10.0.0.0/8 le 32
ip prefix-list Incoming seq 10 deny 172.16.0.0/12 le 32
ip prefix-list Incoming seq 15 deny 192.168.0.0/16 le 32
ip prefix-list Incoming seq 20 deny 193.0.0.0/8 ge 21
ip prefix-list Incoming seq 25 deny 128.0.0.0/2 ge 19
ip prefix-list Incoming seq 30 deny 0.0.0.0/2 ge 13
ip prefix-list Incoming seq 35 permit 0.0.0.0/0 le 24
