7/11/24, 4:05 PM Understanding IP prefix lists - PacketLife.net

(/)

(https://github.com/netbox-community/netbox/)

The premiere source of truth powering network automation. Open and extensible, trusted by thousands.

(https://netboxlabs.com)

NetBox is now available as a managed cloud solution! Stop worrying about your tooling and get back to
building networks.

Understanding IP prefix lists

By stretch | Monday, February 1, 2010 at 4:38 a.m. UTC

IOS prefix lists (http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_i2gt.html#wp1112138) work like
access lists for route advertisements (prefixes). While extended (and to a limited extent, standard) access lists
can be employed to match prefix announcements, prefix lists are generally more graceful. Prefix lists work very
similarly to access lists: a prefix list contains one or more ordered entries which are processed sequentially. As
with access lists, the evaluation of a prefix against a prefix list ends as soon as a match is found.

Assume you wanted to prevent a route for 10.0.0.0/24 from being redistributed from OSPF to BGP. One way to
accomplish this would be to define an extended ACL matching this prefix and reference it from the BGP
redistribution route map:

https://packetlife.net/blog/2010/feb/1/understanding-ip-prefix-lists/

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
!
router bgp 65100
 no synchronization
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 redistribute ospf 1 route-map OSPF->BGP
 neighbor 172.16.23.3 remote-as 65100
 no auto-summary
!
ip access-list extended OSPF_Redist
 deny ip host 10.0.0.0 host 255.255.255.0
 permit ip any any
!
route-map OSPF->BGP permit 10
 match ip address OSPF_Redist

The above configuration prevents the exact prefix 10.0.0.0/24 from being advertised by denying the 10.0.0.0
network ("source" address) with a mask of 255.255.255.0 ("destination" address). All other prefixes are allowed
by the permit ip any any statement.

This can be accomplished more intuitively by employing a prefix list:

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
!
router bgp 65100
 no synchronization
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 redistribute ospf 1 route-map OSPF->BGP
 neighbor 172.16.23.3 remote-as 65100
 no auto-summary
!
ip prefix-list OSPF_Redist seq 5 deny 10.0.0.0/24
ip prefix-list OSPF_Redist seq 10 permit 0.0.0.0/0 le 32
!
route-map OSPF->BGP permit 10
 match ip address prefix-list OSPF_Redist

As you can see, there are two entries in the prefix list defined above. These accomplish the same tasks as the
two access list entries in the earlier example: deny 10.0.0.0/24 denies the exact prefix 10.0.0.0/24, and
permit 0.0.0.0/0 le 32 allows all other prefixes.


The second prefix list entry warrants some explanation. Two keywords can be optionally appended to a prefix
list entry: le (less than or equal to) and ge (greater than or equal to). Without either, an entry will match an
exact prefix. The le parameter can be included to match all more-specific prefixes within a parent prefix up to
a certain length. For example, 10.0.0.0/24 le 30 will match 10.0.0.0/24 and all prefixes contained therein
with a length of 30 or less.

We can use le to create an entry to match "any" prefix: 0.0.0.0/0 le 32 matches any prefix with a length
between 0 and 32 bits (inclusive). This matches all possible IPv4 prefixes.

The ge parameter works similarly to le but in the opposite direction; it specifies a minimum prefix length
whereas le specifies a maximum length. For example, 10.0.0.0/8 ge 16 will match all prefixes within the
10.0.0.0/8 network that are at least 16 bits in length. The length specified by ge should naturally be longer
than the length of the initial prefix as it is impossible to match anything larger than the initial prefix.

le and ge can also be combined. Continuing the ge example, 10.0.0.0/8 ge 16 le 24 will match all
prefixes within the 10.0.0.0/8 network having a mask both a) greater than or equal to 16 bits, and b) less than
or equal to 24 bits in length. For instance, 10.42.0.0/18 would be matched, because its length is between 16
and 24 (inclusive), but neither 10.16.0.0/12 nor 10.123.77.128/25 would be matched.
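To make the exact, le and ge matching rules concrete, here is an added example (not code from the original post) in Python: it parses IOS-style prefix-list entries, rejects entries that break the rule IOS enforces (len < ge-value <= le-value), and evaluates a prefix against a list sequentially with first-match-wins and the implicit deny at the end. The OSPF_Redist list is the one from the post; the RANGE list and the prefixes used to exercise it are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    net: ipaddress.IPv4Network   # the configured prefix
    lo: int                      # smallest prefix length that matches
    hi: int                      # largest prefix length that matches

def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]'.
    No ge/le: exact match; le only: L..le; ge only: ge..32; both: ge..le."""
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"] or len(tok) < 7 or tok[3] != "seq":
        raise ValueError(f"not a prefix-list entry: {line!r}")
    seq, action = int(tok[4]), tok[5]
    net = ipaddress.IPv4Network(tok[6])  # strict: host bits must be zero
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))  # e.g. {"ge": 16, "le": 24}
    if action not in ("permit", "deny") or set(opts) - {"ge", "le"}:
        raise ValueError(f"bad keyword in {line!r}")
    plen, ge, le = net.prefixlen, opts.get("ge"), opts.get("le")
    lo = plen if ge is None else ge
    hi = le if le is not None else (32 if ge is not None else plen)
    # IOS rejects the entry unless len < ge-value <= le-value (each only if given)
    if ((ge is not None and ge <= plen) or (le is not None and le <= plen)
            or lo > hi or hi > 32):
        raise ValueError(f"seq {seq}: need len < ge-value <= le-value")
    return Entry(seq, action, net, lo, hi)

def matches(entry, prefix):
    """True when prefix lies inside entry.net and its length is within [lo, hi]."""
    p = ipaddress.IPv4Network(prefix)
    return p.subnet_of(entry.net) and entry.lo <= p.prefixlen <= entry.hi

def evaluate(config, prefix):
    """Walk entries in seq order; the first match decides; no match means deny."""
    entries = sorted((parse_entry(l) for l in config.splitlines() if l.strip()),
                     key=lambda e: e.seq)
    for e in entries:
        if matches(e, prefix):
            return e.action
    return "deny"  # implicit deny at the end of every prefix list

# The list from the post, and a constructed one for the ge/le range example.
OSPF_REDIST = """
ip prefix-list OSPF_Redist seq 5 deny 10.0.0.0/24
ip prefix-list OSPF_Redist seq 10 permit 0.0.0.0/0 le 32
"""
RANGE_LIST = "ip prefix-list RANGE seq 5 permit 10.0.0.0/8 ge 16 le 24"
```

Note that a bare 0.0.0.0/0 entry (no le) matches only the default route itself, while 0.0.0.0/0 le 32 matches every IPv4 prefix; evaluate() returns the matching entry's action, or "deny" when nothing matched.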

Prefix lists take some getting used to, but can be very helpful in expressing routing policy within IOS
configuration once you've gotten the hang of them.
Posted in Routing (/blog/category/routing/)

Comments

dnewstat
February 1, 2010 at 5:15 a.m. UTC
Very informative Stretch. For disaster recovery, I need the same IP brought up in another subnet so I use
mobile ARP to move it (Local Area Mobility). I use route-maps and prefix lists to redistribute IP addresses of
hosts that I need to move into the other subnet in BGP. I create a route map for a neighbor in BGP outbound,
and use the prefix list to permit what IP addresses to move. It works out pretty nice.

Colby
February 1, 2010 at 1:00 p.m. UTC
Good stuff.

hunter_thom
February 1, 2010 at 3:07 p.m. UTC
Nice! I must say, my favorite Cisco exam so far was BGP; and maybe my favorite topic was prefix lists,
community lists, route maps, and AS path lists.

Alex
February 2, 2010 at 7:43 p.m. UTC
Thanks! This cleared things up a lot for me


Marcelo
February 4, 2010 at 10:56 a.m. UTC
In terms of CPU processing, which has the higher cost, ACL or prefix list? Sorry for my English.

PS: Great site stretch.

Addy
April 22, 2010 at 5:53 a.m. UTC
Thanks a lot

keithdew
May 13, 2010 at 3:34 p.m. UTC
Good info... Interesting, though, is how the "default" route 0.0.0.0/0 is handled if you wanted to do an exact match
on that specific prefix for filtering? The match-all-possible example looks close to how I thought it would be
written?

Ashish
July 28, 2010 at 2:35 a.m. UTC
Good Stuff..!! Easy to understand.

Thanks,
Ashish

randy
August 26, 2010 at 7:00 p.m. UTC
great stuff, really made prefix-list clearer to me. thanx man!

balister kumar
December 17, 2010 at 12:39 p.m. UTC
many many thanks

very informative for the Beginner. specially permit 0.0.0.0/0 le 32

Robert
December 29, 2010 at 9:09 a.m. UTC
1. an extended ACL for route filtering is nonsense
2. the ACL entry is also nonsense:

ip access-list extended OSPF_Redist
 deny ip host 10.0.0.0 host 255.255.255.0
 permit ip any any

should be:

ip access-list extended OSPF_Redist
 deny ip 10.0.0.0 0.0.0.255
 permit ip any any

but even better:

ip access-list standard OSPF_Redist
 deny 10.0.0.0 0.0.0.255
 permit any

:)

Rahil
January 14, 2011 at 8:36 p.m. UTC
Gud One

Piter
February 14, 2011 at 4:37 p.m. UTC
Thanks!

mokhtar
February 22, 2011 at 8:37 a.m. UTC
thank you all

erodrie
May 18, 2011 at 2:33 p.m. UTC
thaaanks!

moz006
January 13, 2012 at 1:04 p.m. UTC
many, many thanks

mark
March 21, 2012 at 4:54 p.m. UTC
Hi Jeremy,

At your statement "but neither 10.8.0.0/12":

There is no network 10.8.0.0/12.

There is 10.0.0.0/12, 10.16.0.0/12, 10.32.0.0/12, 10.48.0.0/12, 10.64.0.0/12 etc.

Maybe you meant 10.8.0.0/13?

Just want some clarity on that, please CMIIW.

gunny_4you
April 23, 2012 at 4:10 a.m. UTC
Got the confusion cleared.

Thanks Jeremy

Dan
July 16, 2012 at 2:08 a.m. UTC
thanks

f0rgiv3n
August 20, 2012 at 10:29 p.m. UTC
Nicely explained. Thank you. The question I have is this:

Could you also do 255.255.255.255/32 ge 0 ?

Why might I ask this? No reason, just curious.

kakou31
September 12, 2012 at 7:59 a.m. UTC
Thanks Jeremy, it's very clearly explained!

f0rgiv3n
September 19, 2012 at 4:36 p.m. UTC
Hey just to follow up on my question with regards to the twisted logic above... I tried to use 255.255.255.255/32
ge 0. There are two problems:
1. The second prefix value cannot be 0, it has to be 1-32
2. Even if you set it to 1, you get an error stating that the first prefix value needs to be less than the second
prefix value at all times.

winder
April 23, 2013 at 9:53 a.m. UTC
Hi stretch,
I don't understand the first example you provided using a route-map to block 10.0.0.0/24 redistribution.
If you use "route-map OSPF->BGP permit 10" with access-list OSPF_Redist's entries "deny ip host 10.0.0.0
host 255.255.255.0", would the route-map block 10.0.0.0/24? I think it will only take the "permit" networks
and ignore all "deny" ones, right?

winder
April 24, 2013 at 2:50 a.m. UTC
pls ignore the last comment, I think I have figured it out myself.


Roger Perkin (http://www.rogerperkin.co.uk/ccie)
May 13, 2013 at 9:51 p.m. UTC
Great post Stretch,

Just to let you know the prefix-list link to cisco is broken at the start of the article.

Roger

aanyoti77
August 21, 2013 at 9:58 a.m. UTC
Thanks so much! Made it easy for me to understand.

Goncalo
October 25, 2013 at 12:03 p.m. UTC
To Robert (guest), who commented on Wednesday, December 29, 2010 at 9:09 a.m. UTC:

Before prefix lists were invented, the way of filtering routes was using ACLs (extended/standard).

The use of an extended ACL is fine, although superseded by prefix lists. It works; the config may look a little strange,
but it is valid. On extended ACLs, source host = network and destination host = subnet mask.

Tks

Goncalo

Mo
April 18, 2014 at 5:16 a.m. UTC
How do you interpret this? access-list 100 permit ip any host 0.0.0.0

Does that mean "any source ip with destination of any" or does that mean "any source ip with mask of 0.0.0.0?"

Secondly, how do you interpret this? access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0

Does that mean "any source ip with mask of /0" with destination of "any"

I am kind of lost here. I can interpret ACLs just fine for traditional processing but I get confused when I have to
interpret them in terms of route advertisement/prefix matching.

Any help will be HIGHLY appreciated.

SM
July 4, 2014 at 10:05 a.m. UTC
"a) greater than or equal to 16 bits, and b) less than or equal to 24 bits in length." I always assumed this was true, but
I was creating a prefix list and by mistake I typed X.X.X.X/23 ge 22. The error I got included "len < ge-val <<= le".


Abigail (http://abigailabanilla.com/)
September 22, 2014 at 9:25 a.m. UTC
This is very helpful. I'm reading about OSPF Route Filtering and found one option to use prefix list and I totally
forgot about prefix-lists.. This quick read helped me regain my memory lol. Great and helpful blog!

Milan
October 17, 2014 at 8:02 a.m. UTC
Thanks a lot!

Ibby
December 3, 2014 at 3:43 p.m. UTC
As Robert mentioned above, the ACL statement seems to be wrong:

ip access-list extended OSPF_Redist
 deny ip host 10.0.0.0 host 255.255.255.0
 permit ip any any

That statement would block packets only with a source IP of 10.0.0.0 sending to a host with a destination IP of
255.255.255.0. It would not deal with subnets.

But Robert is also wrong. Robert is writing a standard ACL, not an extended one.

It should be as follows:

ip access-list extended OSPF_Redist
 deny ip 10.0.0.0 0.0.0.255 any
 permit ip any any

mark
April 10, 2015 at 2:51 a.m. UTC
nice explanation sir!

M Farooq Vayani
May 9, 2015 at 5:29 p.m. UTC
Great explanation...thanks..

Jastin
June 15, 2015 at 7:17 p.m. UTC
Good explanation,

korman
September 18, 2015 at 4:38 a.m. UTC
We use 2 MPLS providers with BGP peering in regional sites. Local preference is used to make the default route
preferred for Carrier 2 (back-hauling internet over the secondary carrier).

ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0

route-map MPLS-02-INBOUND, permit, sequence 10
  Match clauses:
    ip address prefix-lists: DEFAULT-ROUTE

On occasion we also use the secondary provider for other workloads like replicating SAN data. The SAN
replication subnet is on 172.16.30.0/24. Can we use a 2nd prefix list with an OR match instead of adding the
subnet to the DEFAULT-ROUTE prefix list?

ip prefix-list PREFER-MPLS2 seq 5 permit 172.16.30.0/24

route-map MPLS-02-INBOUND, permit, sequence 10
  Match clauses:
    ip address prefix-lists: DEFAULT-ROUTE PREFER-MPLS2

Jh0nh
October 14, 2015 at 6:43 p.m. UTC
Thanks for the post

ishantha
September 29, 2016 at 12:50 a.m. UTC
good work, much appreciated

Comments have closed for this article due to its age.
