Only the NBMA and Ethernet segments will be used for quick demonstrations and clarity, unless R4 or R5 is needed for demonstration.
Now the idea of a Prefix-List compared to an Access-List may be hard to follow, but I will try to explain it.
An Access-List at its most specific (Extended) matches on source and destination networks and can also filter protocols between the two. Essentially, Access-Lists should be thought of as Protocol Filters.
A Prefix-List uses permit and deny like an access-list, but it only uses the actual network prefix and how far to match it (ex: 172.12.123.0/27) to filter routes. It should be thought of as a Route Filter and should only be used to filter routes.
There is no overhead of writing out masks and allowing protocols, just a simple statement of what I need and how far into the 32-bit prefix it should be matched (with a permit or deny).
Now that we understand exactly the difference between those, some fundamentals:
- Prefix lists generally use names, but can use numbers as well
- Prefix lists can use subnet masks (not wildcard masks), or CIDR notation
- Prefix lists have an implicit deny at the end (discards anything not explicitly permitted, for whatever the list is applied to)
- Prefix lists use sequence numbers that by default increment by 5, leaving room to add new lines later
- Prefix lists are configured at the global level like an access-list
- Prefix lists are processed from the top down looking for a match, until the implicit deny at the end discards what did not match
Now to understand a prefix-list, you must understand that in its base form of prefix/mask it matches on the EXACT mask and no variations of it, for example:
ip prefix-list TEST seq 10 permit 172.12.123.0/24
ip prefix-list TEST seq 15 permit 3.3.3.3/32
Say this simple prefix-list is referenced by the Distribute-List (configured later), and you get route updates from a neighbor such as:
172.12.123.64/26
172.12.123.32/27
172.12.123.16/30
None of these routes will be learned, because that is the way a Prefix-List operates. The top line:
ip prefix-list TEST seq 10 permit 172.12.123.0/24
This means it will match and ONLY allow prefixes matching this exact IP prefix, meaning both the IP address and the subnet mask. It will not permit variations (smaller subnets within the larger network); those move down the list without matching and, as can be seen, are eventually discarded by the implicit deny.
This is a very important detail to understand.
An ACL will match a network / prefix up to the subnet number and let any traffic beyond that point through, while Prefix-Lists are very exact in how they match IP prefixes.
So the only match for the example list is the network 172.12.123.0/24, and that’s it. This is also where the power of Prefix-Lists comes in: because they can be so exact, they are the best option for Route Filtering.
There is one more concept, but I am getting bored with typing, so let’s see it live:
Now, because these address spaces overlap with the NBMA network address, I had to bring in R5 with some loopbacks to save the day; however, I am not taking the time to alter the above Topology as it’s late and my brain is getting exhausted:
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#router eigrp 100
R5(config-router)#network 172.12.15.0 0.0.0.255
R5(config-router)#
*Apr 1 00:42:18.301: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.15.1 (FastEthernet0/1) is up: new adjacency
R5(config-router)#^Z
R5#
*Apr 1 00:42:38.915: %SYS-5-CONFIG_I: Configured from console by console
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#int lo10
R5(config-if)#
*Apr 1 00:42:58.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
R5(config-if)#ip add 172.12.123.65 255.255.255.192
R5(config-if)#int lo20
*Apr 1 00:43:36.345: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback20, changed state to up
R5(config-if)#ip add 172.12.123.33 255.255.255.224
R5(config-if)#int lo30
R5(config-if)#
*Apr 1 00:43:51.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback30, changed state to up
R5(config-if)#ip add 172.12.123.17 255.255.255.252
R5(config-if)#router eigrp 100
R5(config-router)#network 172.12.123.64 0.0.0.63
R5(config-router)#network 172.12.123.33 0.0.0.31
R5(config-router)#network 172.12.123.16 0.0.0.3
R5(config-router)#
If you are wondering whether that was hard to figure out and get right on the first try for all those discontiguous networks, I assure you, it was.
So now on R1 let’s verify what we are seeing in both the Topology and Route table:
The Topology Table
R1#sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 11.11.11.11/32, 1 successors, FD is 128256
via Connected, Loopback11
P 172.12.123.0/24, 1 successors, FD is 2169856
via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/1
P 172.12.23.0/24, 2 successors, FD is 2173416
via 172.12.123.2 (2173416/29160), Serial0/0/0
via 172.12.123.3 (2173416/29160), Serial0/0/0
P 2.2.2.2/32, 1 successors, FD is 2297856
via 172.12.123.2 (2297856/128256), Serial0/0/0
via 172.12.123.3 (2300416/156160), Serial0/0/0
P 172.12.123.16/30, 1 successors, FD is 156160
via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.64/26, 1 successors, FD is 156160
via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.32/27, 1 successors, FD is 156160
via 172.12.15.5 (156160/128256), FastEthernet0/1
P 3.3.3.3/32, 1 successors, FD is 2297856
via 172.12.123.3 (2297856/128256), Serial0/0/0
via 172.12.123.2 (2300416/156160), Serial0/0/0
R1#
The EIGRP IP Route Table
R1#sh ip route eigrp
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/2297856] via 172.12.123.2, 00:57:01, Serial0/0/0
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/2297856] via 172.12.123.3, 00:56:50, Serial0/0/0
172.12.0.0/16 is variably subnetted, 8 subnets, 5 masks
D 172.12.23.0/24 [90/2173416] via 172.12.123.3, 00:56:50, Serial0/0/0
[90/2173416] via 172.12.123.2, 00:56:50, Serial0/0/0
D 172.12.123.16/30
[90/156160] via 172.12.15.5, 00:05:33, FastEthernet0/1
D 172.12.123.32/27
[90/156160] via 172.12.15.5, 00:05:55, FastEthernet0/1
D 172.12.123.64/26
[90/156160] via 172.12.15.5, 00:06:22, FastEthernet0/1
The IP Route Table
R1#sh ip route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/2297856] via 172.12.123.2, 00:57:58, Serial0/0/0
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/2297856] via 172.12.123.3, 00:57:47, Serial0/0/0
11.0.0.0/32 is subnetted, 1 subnets
C 11.11.11.11 is directly connected, Loopback11
172.12.0.0/16 is variably subnetted, 8 subnets, 5 masks
C 172.12.15.0/24 is directly connected, FastEthernet0/1
L 172.12.15.1/32 is directly connected, FastEthernet0/1
D 172.12.23.0/24 [90/2173416] via 172.12.123.3, 00:57:47, Serial0/0/0
[90/2173416] via 172.12.123.2, 00:57:47, Serial0/0/0
C 172.12.123.0/24 is directly connected, Serial0/0/0
L 172.12.123.1/32 is directly connected, Serial0/0/0
D 172.12.123.16/30
[90/156160] via 172.12.15.5, 00:06:30, FastEthernet0/1
D 172.12.123.32/27
[90/156160] via 172.12.15.5, 00:06:52, FastEthernet0/1
D 172.12.123.64/26
[90/156160] via 172.12.15.5, 00:07:19, FastEthernet0/1
R1#
Now, if we want to keep our 172.12.123.0/x (non-/24) subnets learned by the router, but we don’t want to type in every single prefix (we’re not sure what may be learned, but we want to allow a range we know will be sending subnetted prefixes), we use LE and GE at the end of our prefix-list statements!
For an absolutely clear example, directly from the command line:
R1(config)#ip prefix-list TEST seq 10 permit 172.12.123.0/24 ?
ge Minimum prefix length to be matched
le Maximum prefix length to be matched
“ge” and “le” mean that the entry will match from a minimum up to a maximum prefix length relative to the prefix configured (172.12.123.0/24); however, neither value CAN be equal to or lower than the prefix length configured in the command. This means that neither value can be 24 or less, because that is an impossible range to configure.
That is a very important detail to watch for.
Now I will configure this command to match our needed prefix lengths, apply it to EIGRP, and we’ll see what happens, to try to wrap this explanation up:
R1(config)#ip prefix-list TEST seq 10 permit 172.12.123.0/24 ge 25 le 30
%Insertion failed - seq # exists with different policy: 10
R1(config)#
Oh snap. I couldn’t overwrite an existing prefix-list line, as we see here, so I will just override it by making it sequence 5 (and this is why you leave yourself space between sequence numbers in Route-Maps / Prefix-Lists / everything):
R1(config)#ip prefix-list TEST seq 5 permit 172.12.123.0/24 ge 25 le 30
R1(config)#router eigrp 100
R1(config-router)#exit
Verification of the current prefix-list, looking good:
R1(config)#do sh ip prefix-list
ip prefix-list TEST: 3 entries
seq 5 permit 172.12.123.0/24 ge 25 le 30
seq 10 permit 172.12.123.0/24
seq 15 deny 3.3.3.3/32
Now to configure it in EIGRP, using ?’s to guide the way:
R1(config)#router eigrp 100
R1(config-router)#distribute-list ?
<1-199> IP access list number
<1300-2699> IP expanded access list number
WORD Access-list name
gateway Filtering incoming address updates based on gateway
prefix Filter prefixes in address updates
route-map Filter prefixes based on the route-map
R1(config-router)#distribute-list prefix ?
WORD Name of an IP prefix-list
R1(config-router)#distribute-list prefix TEST ?
gateway Filtering incoming address updates based on gateway
in Filter incoming service updates
out Filter outgoing service updates
R1(config-router)#distribute-list prefix TEST in
R1(config-router)#
*May 11 05:35:36.327: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.5 (FastEthernet0/1) is resync: route configuration changed
*May 11 05:35:36.327: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.2 (Serial0/0/0) is resync: route configuration changed
*May 11 05:35:36.327: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.3 (Serial0/0/0) is resync: route configuration changed
R1(config-router)#
I highlighted some commands in Red in case they are getting hard to follow, as in my tired state they sure are (the pain hurts so good), however if there is a Cisco angel watching over me right now I should see all routes in my Topology table EXCEPT for 3.3.3.3/32:
R1(config-router)#do sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 11.11.11.11/32, 1 successors, FD is 128256
via Connected, Loopback11
P 172.12.123.0/24, 1 successors, FD is 2169856
via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/1
P 172.12.123.16/30, 1 successors, FD is 156160
via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.64/26, 1 successors, FD is 156160
via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.32/27, 1 successors, FD is 156160
via 172.12.15.5 (156160/128256), FastEthernet0/1
R1(config-router)#
Ha! I forgot that the “implicit deny” at the end caught 2.2.2.2/32 as well, another casualty of filtering routing updates in EIGRP; however, the command worked exactly as it should have and even laughably underscored that implicit deny at the end.
***One last subject to cover, which is default routes in Prefix-Lists, and how the “ge” and “le” at the ends of them can completely affect how they work***
- The Prefix-List entry “0.0.0.0/0” affects all Prefix/Length matches, or networks
- The Prefix-List entry “0.0.0.0/0 ge 32 le 32” affects all host routes, but NOT Prefix/Length matches, aka networks!
So, just looking at the two bullet points above: if you put a deny statement in front of 0.0.0.0/0 you would be blocking any and all networks from being learned by EIGRP; however, if you put a permit in front of the second line, that would allow any and all “host” routes to be learned via EIGRP but would not include network prefixes.
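To make the exact-match rule, the ge/le range, the implicit deny and the host-route case in the two bullets above concrete, here is an added Python simulation of IOS prefix-list matching. It is not the post’s own code; the names Entry, entry, evaluate and permitted are mine, while the list contents and the learned routes are taken from the post’s configuration and show output.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:  # one 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line
    seq: int
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def __post_init__(self):
        # Rule from the post: ge/le must be greater than the configured length
        # (and at most 32), or IOS refuses the line.
        plen = self.prefix.prefixlen
        for v in (self.ge, self.le):
            if v is not None and not plen < v <= 32:
                raise ValueError(f"seq {self.seq}: ge/le must be in {plen + 1}..32")

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # No ge/le: mask length must match EXACTLY; else length must be in [ge, le]
        if self.ge is None and self.le is None:
            lo = hi = self.prefix.prefixlen
        else:
            lo = self.ge if self.ge is not None else self.prefix.prefixlen
            hi = self.le if self.le is not None else 32
        return route.subnet_of(self.prefix) and lo <= route.prefixlen <= hi

def entry(seq, action, prefix, ge=None, le=None):
    return Entry(seq, action, ipaddress.ip_network(prefix), ge, le)

def evaluate(plist, route):
    """Top-down, first match wins; running off the end is the implicit deny."""
    net = ipaddress.ip_network(route)
    for e in sorted(plist, key=lambda e: e.seq):
        if e.matches(net):
            return e.action
    return "deny"

def permitted(plist, routes):
    return [r for r in routes if evaluate(plist, r) == "permit"]

# Sample data, constructed from the post's own configuration and show output.
LEARNED = ["172.12.23.0/24", "2.2.2.2/32", "3.3.3.3/32",                # via R2/R3
           "172.12.123.16/30", "172.12.123.32/27", "172.12.123.64/26"]  # via R5
EXACT = [entry(10, "permit", "172.12.123.0/24"), entry(15, "permit", "3.3.3.3/32")]
FINAL = [entry(5, "permit", "172.12.123.0/24", ge=25, le=30),
         entry(10, "permit", "172.12.123.0/24"), entry(15, "deny", "3.3.3.3/32")]
HOST_ONLY = [entry(5, "permit", "0.0.0.0/0", ge=32, le=32)]  # the post's host-route case
```

Running permitted(FINAL, LEARNED) yields only the three R5 subnets, exactly what the topology table showed after the distribute-list was applied, with 2.2.2.2/32 and 172.12.23.0/24 falling to the implicit deny.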
So that’s it, my brain is toast, I’m going to find a white wall to stare at and let the drool run out of my mouth onto my t-shirt. Until next time!
One thought on “EIGRP: DEEP Dive into Prefix-List configurations, Access-list vs Prefix-list, using Prefix-Lists to Filter EIGRP routes with Distribute-Lists!”