Red House Theater, at the West Gate of Taipei Wall (西門紅樓、紅樓劇場).
192.168.1.0/24
192.168.1.0/25
192.168.1.128/25
192.168.1.0/26
192.168.1.64/26
192.168.1.128/26
192.168.1.192/26
(and even more ...)
If we only have plain, old, simple access control lists, the commands would look something like this:
access-list 100 deny ip host 192.168.1.0 host 255.255.255.0
access-list 100 deny ip host 192.168.1.0 host 255.255.255.128
access-list 100 deny ip host 192.168.1.128 host 255.255.255.128
access-list 100 deny ip host 192.168.1.0 host 255.255.255.192
access-list 100 deny ip host 192.168.1.64 host 255.255.255.192
access-list 100 deny ip host 192.168.1.128 host 255.255.255.192
access-list 100 deny ip host 192.168.1.192 host 255.255.255.192
(and even more ...)
access-list 100 permit ip any any
router eigrp X
 distribute-list 100 in
Very tedious, isn't it!
So Cisco defined a new object, the prefix list, to simplify configurations for requirements like this.
Let's Focus on Two Parts of Prefix Lists
A prefix list entry can be viewed as having two parts.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfbgp1.html#wp1215231
ip prefix-list {list-name | list-number} [seq number] {deny network/length | permit network/length} [ge ge-length] [le le-length]
Part 1: What base range of addresses we are talking about.
In this example, we are talking about all the IP addresses inside 192.168.1.0/24, so Part 1 should be exactly "192.168.1.0/24".
Part 2: What range of prefix lengths we are interested in.
In this example, we are interested in "all possible subnets, all possible prefix lengths". They are "anything up to and including 32", so Part 2 should be "le 32".
Combining Part 1 and Part 2, we can say this prefix list line matches "any prefix within the address base range of Part 1 whose length falls within Part 2".
To achieve the same result with Prefix Lists, the commands now look like these simpler lines.
ip prefix-list ALL-SUBNETS deny 192.168.1.0/24 le 32
ip prefix-list ALL-SUBNETS permit 0.0.0.0/0 le 32
router eigrp X
 distribute-list prefix ALL-SUBNETS in
This way is much simpler, isn't it!
One more thing…
There is a common phrase in prefix list commands: "0.0.0.0/0 le 32". This line says, "within the whole internet address base range, any prefix of length up to and including 32".
In other words, this phrase means exactly "any possible subnet".
If we somehow forget to add "le 32", the entry matches only "0.0.0.0/0" and nothing else. That picks the "default route" only, which is not correct for the example in this post.
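The two-part matching rule and the forgotten "le 32" case, modelled in Python as an added example (not code from the original post or from Cisco). The function names and sample routes are constructed for illustration, and the model assumes IOS's first-match evaluation with an implicit deny at the end of every prefix list.

```python
import ipaddress

def entry_matches(route, base, ge=None, le=None):
    """True if `route` matches one entry `base [ge ge-length] [le le-length]`."""
    route = ipaddress.ip_network(route)
    base = ipaddress.ip_network(base)
    # Part 1: the route must fall inside the base address range.
    if not route.subnet_of(base):
        return False
    # Part 2: the route's prefix length must fall inside the allowed range.
    if ge is None and le is None:
        low = high = base.prefixlen          # no ge/le: exact length only
    else:
        low = base.prefixlen if ge is None else ge
        high = 32 if le is None else le
    return low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """First matching entry decides; no match means implicit deny."""
    for action, base, ge, le in prefix_list:
        if entry_matches(route, base, ge, le):
            return action
    return "deny"

# The list from the post: (action, network/length, ge, le)
ALL_SUBNETS = [
    ("deny", "192.168.1.0/24", None, 32),
    ("permit", "0.0.0.0/0", None, 32),
]
# Same list with "le 32" forgotten on the last line.
FORGOT_LE = [
    ("deny", "192.168.1.0/24", None, 32),
    ("permit", "0.0.0.0/0", None, None),
]

# Constructed sample routes, not taken from a real routing table.
SAMPLE_ROUTES = ["192.168.1.0/24", "192.168.1.64/26", "192.168.1.200/32",
                 "10.0.0.0/8", "0.0.0.0/0"]

def compare():
    """Return {route: (result with le 32, result without it)}."""
    return {r: (evaluate(ALL_SUBNETS, r), evaluate(FORGOT_LE, r))
            for r in SAMPLE_ROUTES}

if __name__ == "__main__":
    for route, results in compare().items():
        print(f"{route:18} correct={results[0]:6} forgot-le={results[1]}")
```

With "le 32" missing from the last line, 10.0.0.0/8 falls through to the implicit deny, so only the default route would be accepted.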