
BGP IP prefix list

Cisco IOS BGP IP prefix lists give us the most powerful prefix-based filtering mechanism. Like route maps, prefix lists are identified by a name (a number can also be used, but that is unusual).

ip prefix-list NAME seq nr [ permit | deny ] A.B.C.D/nn [ ge | le ] value


A.B.C.D - your prefix
nn - prefix length: the number of leading bits that must match
ge - greater than or equal to (minimum mask length)
le - less than or equal to (maximum mask length)

The lines of the list are distinguished by a sequence number (seq) that identifies each line's place in a multi-line list. By default Cisco IOS numbers the lines 5, 10, 15 and so on.

We can use prefix lists in a few different ways: with the ge and/or le parameters, or without them.
The possible forms of the syntax are:

1)
ip prefix-list TEST permit  87.0.0.0/8

means:
check the first 8 bits and require an exact mask length of 8. IOS compares the 8 leftmost bits and does not care about the remaining 24 bits, and the mask length must also be exactly 8 bits.

In this case:
87.1.1.1/8 is permitted by the prefix list
87.1.1.1/16 is denied

BOTH the first 8 bits and the 8-bit mask length must match.

2)

ip prefix-list TEST permit 195.10.8.0/24 le 28

We can select a range of mask lengths. The system ALWAYS checks the first nn bits first, here 24 bits. If they match, it then checks whether the mask length falls in the range <24,28>: the mask must be less than or equal to 28 bits, so in this example the valid mask lengths are 24, 25, 26, 27 or 28.

195.10.8.25/24 - OK
195.10.8.25.200/30 - NOT OK


3)

ip prefix-list TEST permit 172.32.16.0/24 ge 25

The system checks the first 24 bits of the network. If they are exactly 172.32.16, it then checks the mask length, which in this case must be greater than or equal to 25 bits (25, 26, 27, 28, 29, 30, 31 or 32).

172.32.10.123/27 - NOT OK
172.32.16.123/16 - NOT OK
172.32.16.123/32 - OK

4)

ip prefix-list TEST permit 172.32.16.0/24 ge 25 le 28

As always, IOS checks the first 24 bits; if they match, it checks the mask length. In this case the mask length must be greater than or equal to 25 and less than or equal to 28 (25, 26, 27 or 28).

Remember: nn is not the subnet mask, it is the number of leading bits that need to match!

5)

Let's say we have a class C network: 195.10.10.0/24.
We would like to divide it into subnets with a 28-bit mask and match all of those subnets with one prefix list.
How can we do that?

All subnets will start with 195.10.10.x, so we need to check the first 24 bits.
The first part of our prefix list will be: permit 195.10.10.0/24

We need to go back to CCNA-level subnetting. Let's divide our network into subnets:

195.10.10.0/28

28 - 0 0 0 1 1 1 0 0
The highlighted bit (bold in the original post) is worth 16, so the subnets step by 16. Our subnets will be:


195.10.10.0/28        195.10.10.[0-15]/28
195.10.10.16/28       195.10.10.[16-31]/28
195.10.10.32/28       195.10.10.[32-47]/28
195.10.10.48/28       195.10.10.[48-63]/28
195.10.10.64/28       195.10.10.[64-79]/28
...
195.10.10.240/28      195.10.10.[240-255]/28

Our prefix list checks the first 24 bits; if they match 195.10.10.0, it then checks whether the mask length is acceptable, which in this case means exactly 28.

The final prefix list that matches all of the 195.10.10.0/28 subnets is:

ip prefix-list TEST permit 195.10.10.0/24 ge 28 le 28

Greater than or equal to 28 bits and less than or equal to 28 bits: the only length that works here is 28.


6) CLASSFUL NETWORKS

We can also match only the classful networks using a prefix list.

We know the address ranges of the classful networks:

Class A
0.0.0.0 - 127.255.255.255

Class B
128.0.0.0 - 191.255.255.255

Class C
192.0.0.0 - 223.255.255.255

Class D
224.0.0.0 - 239.255.255.255

Class E
240.0.0.0 - 255.255.255.255


CLASS A)
For Class A the first octet is in the range 0 - 127 and the mask is 8 bits

0 -      0 0 0 0 0 0 0 0
127 -    0 1 1 1 1 1 1 1

Only the first bit is the same, and it has to be 0.
We need to tell our prefix list to check only the first bit, which always needs to be 0. The mask of a Class A network is always 8 bits (255.0.0.0), so the prefix list needs to check that as well:

ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8

This kind of prefix list is commonly used by Service Providers.


CLASS B)
For Class B the first octet is in the range 128 - 191 and the mask is 16 bits

128 -    1 0 0 0 0 0 0 0
191 -    1 0 1 1 1 1 1 1

Only the first 2 bits are the same, and their value is 1 0 = 128.
The prefix list needs to check the first 2 bits, which need to be 1 0 = 128.
The mask cannot be anything other than 16 bits.

ip prefix-list CLASS_B permit 128.0.0.0/2 ge 16 le 16


CLASS C)
For Class C the first octet is in the range 192 - 223 and the mask is 24 bits

192 -    1 1 0 0 0 0 0 0
223 -    1 1 0 1 1 1 1 1

Only the first 3 bits are the same, and their value is 1 1 0 = 192.
The prefix list needs to check the first 3 bits, which need to be 1 1 0 = 192.
The mask cannot be anything other than 24 bits.

ip prefix-list CLASS_C permit 192.0.0.0/3 ge 24 le 24


7) PRIVATE RANGE ADDRESSES


10.0.0.0 - 10.255.255.255

ip prefix-list TEST permit 10.0.0.0/8 le 32

172.16.0.0 - 172.31.255.255

ip prefix-list TEST permit 172.16.0.0/12 le 32

192.168.0.0 - 192.168.255.255

ip prefix-list TEST permit 192.168.0.0/16 le 32

169.254.0.0 - 169.254.255.255

ip prefix-list TEST permit 169.254.0.0/16 le 32

127.0.0.0 - 127.255.255.255

ip prefix-list TEST permit 127.0.0.0/8 le 32



 
Permit ANY)


We need to remember that prefix-list works like access-list, they do have an implicit deny at the end.

Let's create simple filter that will deny all private range address and permit anything else.
This config based on CISCO IOS : 




ip prefix-list BGP_IN seq 5 deny 10.0.0.0/8 le 32
ip prefix-list BGP_IN seq 10 deny 172.16.0.0/12 le 32
ip prefix-list BGP_IN seq 15 deny 192.168.0.0/16 le 32
ip prefix-list BGP_IN seq 20 deny 169.254.0.0/16 le 32
ip prefix-list BGP_IN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list BGP_IN seq 30 permit 0.0.0.0/0  le 32
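A small Python model of the matching rules from sections 1 to 6 and of the first-match plus implicit-deny behaviour of the BGP_IN filter above, added here as an example (it is not code from the original post and not a Cisco tool). The regex parser, the Entry class and the function names are my own; the sample config embedded in it is the BGP_IN list from the post with the spacing of the seq 25 line fixed.

```python
import ipaddress
import re
from dataclasses import dataclass
# Hypothetical parser for the entry syntax described in the post.
ENTRY_RE = re.compile(r"ip prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)/(\d+)"
                      r"(?: ge (\d+))?(?: le (\d+))?$")

@dataclass
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network  # only its first nn bits are compared
    ge: int                          # accepted mask lengths are [ge, le]
    le: int

def parse_prefix_list(config: str, name: str) -> list[Entry]:
    """Entries of prefix-list `name` in seq order (IOS auto-numbers 5, 10, 15, ...)."""
    entries, auto_seq = [], 0
    for line in config.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        nn = int(m.group(5))
        auto_seq = int(m.group(2)) if m.group(2) else auto_seq + 5
        net = ipaddress.IPv4Network(f"{m.group(4)}/{nn}", strict=False)
        ge = int(m.group(6)) if m.group(6) else nn  # no ge: exact length only
        le = int(m.group(7)) if m.group(7) else (32 if m.group(6) else nn)  # ge alone: up to /32
        entries.append(Entry(auto_seq, m.group(3), net, ge, le))
    return sorted(entries, key=lambda e: e.seq)

def evaluate(entries: list[Entry], candidate: str) -> str:
    """First match in seq order decides; no match means the implicit deny.
    The first nn bits match iff the candidate (with >= nn bits) lies inside e.network."""
    cand = ipaddress.IPv4Network(candidate, strict=False)
    for e in entries:
        if (cand.prefixlen >= e.network.prefixlen and cand.network_address in e.network
                and e.ge <= cand.prefixlen <= e.le):
            return e.action
    return "deny"

# Constructed sample: the BGP_IN filter from the post, with "seq 25deny" corrected.
BGP_IN = """
ip prefix-list BGP_IN seq 5 deny 10.0.0.0/8 le 32
ip prefix-list BGP_IN seq 10 deny 172.16.0.0/12 le 32
ip prefix-list BGP_IN seq 15 deny 192.168.0.0/16 le 32
ip prefix-list BGP_IN seq 20 deny 169.254.0.0/16 le 32
ip prefix-list BGP_IN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list BGP_IN seq 30 permit 0.0.0.0/0 le 32
"""
```

Feed any single entry from sections 1 to 6 to parse_prefix_list and then evaluate its OK / NOT OK candidates to confirm the rules the post states.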




A very useful command to test your prefix list:
show ip bgp prefix-list NAME
This command shows which prefixes are matched by your prefix list. It is very useful because before applying a filter in production you can check which prefixes will be denied or permitted.



Comments

1 Response to "BGP IP prefix list"

Anonymous said... March 11, 2012 at 12:26 AM

Great job! Thanks very much, very well explained.
