Cisco is the world leader in the networking business. The networking equipment that they manufacture is used the world over, by businesses as well as individuals. Their router software can be reprogrammed to increase network efficiency and provide network security. The IP Prefix-list command is part of their router configuration suite, and lets you control network traffic based on its subnet address. We walk you through the details of what IP Prefix is and how to use it. We assume you have a basic understanding of TCP/IP networks. If not, you can take this easy video training to understand the basics of TCP/IP.
In this tutorial, we’ll explain what exactly prefix lists are, and the subnet mask they are linked to. You need to get a good understanding of these networking concepts to understand the ip prefix-list command. You may want to first take this course to make sure your fundamentals about IPv4 are clear.
Prefix lists let you deny traffic based on the subnet mask of the incoming connection. A prefix list is generally used with a route map to filter out traffic that you don’t want, or which poses a security risk, from the network.
Prefix lists are different from access lists. Access lists can be used to control traffic on the basis of several additional parameters, like ports, destination and source. Access lists can only check for bits, but not the subnet mask of the incoming request. Prefix lists can check for both bits as well as subnet masks, giving them an edge over access lists in most cases.
A subnet mask is the number that separates (or masks) the IP address. An IP address has two parts: the host address (client) and the network address (server). The subnet mask divides the IP address into these two components.
The subnet mask is a 32-bit number. Different network classes (Network Class A, B and C to classless networks) are assigned different subnet masks. Separating an IP address is done for reorganization (efficiency) and security purposes.
The IP Prefix-List Command
The ip prefix-list command only permits traffic that matches specified criteria into the network. The command is used to create a prefix list:
You can specify certain parameters to the command, if necessary:
ip prefix-list ID sequence value permit/deny network/subnetlength gelength lelength
This command can be used to both deny and allow traffic with the specified IPV4 address. The ID can be a random string or character, or integer, sequence. The sequence value parameter will be generated automatically, and will not need to be specified unless you turn off automatic generation. You can either deny the traffic (specify deny) or permit the traffic (specify permit) that matches the IP address in the following parameter. The network parameter is where you will specify the IP address.The subnet length parameter will contain the length of the subnet mask (which is a number, as we explained earlier). This integer number can be anything from 0 to 32.
The gelength and lelength parameters are optional. If they aren’t specified, both the specified number of bits (subnetlength) and the subnet mask itself will be checked. If the gelength parameter is specified, it will check if the IPV4 address matches the specified prefix address and the subnetlength (greater than or equal to). This value cannot be greater than the value of le if specified. If the lelength parameter is specified, it will check if the IPV4 address is less than or equal to the network parameter. This course shows you more about setting up your own IP network.
Let’s take a small example to help you understand it better:
ip prefix-list EXAM seq 5 permit 22.214.171.124/24
This will check if the incoming traffic matches 24 bits (from left to right) to the given network address. If it does, it will be permitted. If it doesn’t, it will be denied.
ip prefix-list EXAM seq 5 permit 126.96.36.199/24 ge 26
Now, let’s use the gelength parameter. In this case, it will check 24 bits of the network. It will then check if the value of the subnet mask is greater or equal to 26 bits. If it is less than that, the traffic will be denied. You can use both le and ge at the same time, of course.
The ip prefix-list command will let you control and structure a network. If you’re looking to become a certified networking professional, you will need know about IP routing, router configuration, prefix lists and access lists in general. This course can help you get acquainted with these aspects of networking.