I’ve personally seen and experienced how playing with prefix-lists can be a mess, so let me try to break it down to simple pieces and then see how we collect these pieces together to have our required behavior.
A normal access-list CANNOT check the subnet mask of a network. It can only check bits to make sure they match, nothing more. A prefix-list has an advantage over an access-list in that it CAN check BOTH bits and subnet mask – both would have to match for the network to be either permitted or denied by the prefix-list statement.
Three key players control the prefix-list statement behavior, the length; written as the number after the “/”, greater than; written as a number after the “ge”, and less than; written as a number after the “le”.
If “/” AKA “len” is used alone then this number describes both the bit match and the subnet mask match.
Example: “192.168.1.0/24”, the number after the / is used for BOTH bit match and subnet mask match. So in this case it will check the 24 bits from left to right (won’t care about the last 8 bits) AND it will make sure that it has a 24 bit mask. BOTH the 24 bits checked and the 24 bit subnet mask must match for the network to be permitted or denied.
While if using “le” and “ge”, then the “/” will be used to do bit match manipulation while the “le” and the “ge” do the subnet mask manipulation, lets see how “le” and “ge” are used, then lets make things more complex.
In the case of using “le” with the “/”, the “/” will act as both the bit matcher and the lower limit of the subnet mask, as the subnet mask can’t be any lower than the bits we are checking, which is extremely logical, while the number after the “le” will act as the upper limit for the subnet mask.
Example: “192.168.1.0/24 le 28”, this matches the first 24 bits, and a subnet mask starting from /24 up to /28.
In the case of using “ge” with the “/”, the “/” will act as the bit matcher, while the subnet mask can be anything starting from the “ge” value up to 32.
Example: “192.168.1.0/24 ge 28”, this matches the first 24 bits, and a subnet mask starting from /28 up to /32.
In the case of using both “le” and “ge”, the “/” does the bit match, and the “le” and “ge” does the subnet mask ranging (The subnet mask can be anything from “ge” to “le”).
Example: “192.168.1.0/24 ge 28 le 30”, this matches the first 24 bits, and a subnet mask starting from /28 up to /30.
NOTE In whichever case, the bits that can vary (don’t cares) are anything above the “len”, since the “len” acts as the bit matcher, until the subnetmask pointer, which is very logical since the subnetmask describes the network (fixed) and host (variable) portion of the subnet(s), and the prefix-list is generally used to match a network ID with subnetmask rather than a specific IP address.
If both “le” and “ge” are used equally, this means that we are matching an exact subnet mask, and the “/” does the bit matching.
Example: “192.168.1.0/24 ge 30 le 30”, this matches the first 24 bits, and an exact subnet mask of /30.
One of the interesting and most important structures that is most frequently used is the “0.0.0.0/0 ge x le y”, this matches any route that passes the subnet mask check stated by the x and y values.
Example: “0.0.0.0/0 ge 24 le 24”, this matches any route with /24 subnet mask.
Example: “0.0.0.0/0 le 32”, this matches any route with a subnet mask from 0 to 32 = any route.
I believe that now we can play with whatever combination to have whatever task done, its not a dilemma anymore.
I hope that i’ve been informative.