NTP security as in RFC 958/1305

December 19th, 2008

When devices should be synced, it’s time to configure ntp with sources, servers and clients/peers.

Every Cisco router can act as the NTP master (here with stratum 1).

ntp master 1

is all you need to configure the router as an NTP source. The router will use address as the local source for NTP updates. This is a reference clock for the NTP protocol to be used as the source of time. Usually this is a radio clock or some other kind of clock, sometimes even attached directly to the router.

R1#show ntp associations detail
configured, our_master, sane, valid, stratum 1

As of IOS 12.1 there are two reference clock drivers for ntp:

R1(config-line)#ntp refclock ?
telecom-solutions Telecom Solutions GPS
trimble Trimble Navigation TSIP Protocol

So it’s possible to have an external clock hooked up to the aux port. Trimble has an „Acutime™ Gold GPS Smart Antenna“ with an RS422 port. Don’t know if it’s still possible to use this antenna with the 7200.

So if you use the, the local ntp timer, as the master with

ntp master 1

you can also configure the stratum for this clock. In the hierarchical NTP model, where servers and clients distribute time to one another, the stratum value tells you how far away the original clock is. Stratum 0 is a real time source, like an external GPS or DCF77 receiver. Stratum 1 is normally a host which uses its local clock as a time source, like the „ntp master“ command does. Every client in between adds a stratum and an inaccuracy of about 10-100 ms. So the higher stratum values indicate a better time source regarding accuracy.

Access to the NTP service is controlled with the „ntp access-group“ command.


ntp access-group knows the following options (from the documentation).

The access group options are scanned in the following order, from least restrictive to most restrictive:

1. peer—Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.

2. serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.

3. serve-only—Allows only time requests from a system whose address passes the access list criteria.

4. query-only—Allows only NTP control queries from a system whose address passes the access list criteria.

If you want to update from a local router (software) clock, you have to include the address in the access-list statement also.

ntp master 1

ntp access-group peer 10

access-list 10 permit

Otherwise the local clock will not be able to synchronize.

If you want to get time from a remote server and allow only to get time from you:

ntp server

ntp access-group peer 1

access-list 1 permit
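The scan order described above can be modelled in a few lines. This is an added example, not code from the original post: the addresses are constructed documentation addresses, 127.127.7.1 is assumed here as the address of the IOS local clock (the post's own address is not shown), and it is assumed that a type whose ACL does not permit the source is skipped so the next, more restrictive type is tried.

```python
import ipaddress

# Scan order of the ntp access-group types, least to most restrictive,
# with the rights each one grants (taken from the list above).
SCAN_ORDER = [
    ("peer", {"time-request", "control-query", "synchronize-to"}),
    ("serve", {"time-request", "control-query"}),
    ("serve-only", {"time-request"}),
    ("query-only", {"control-query"}),
]


def acl_permits(entries, source):
    """Standard ACL: the first matching entry decides, implicit deny at the end.

    Each entry is (action, address, wildcard); wildcard bits set to 1 are ignored.
    """
    src = int(ipaddress.IPv4Address(source))
    for action, address, wildcard in entries:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if src & care == int(ipaddress.IPv4Address(address)) & care:
            return action == "permit"
    return False


def ntp_rights(access_groups, acls, source):
    """Return (type, rights) for a source address, or (None, set()) if refused.

    access_groups maps a type such as "peer" to an ACL number.
    """
    for group_type, rights in SCAN_ORDER:
        acl_number = access_groups.get(group_type)
        if acl_number is not None and acl_permits(acls[acl_number], source):
            return group_type, rights
    return None, set()


# Constructed sample configuration (not from the page):
#   ntp master 1
#   ntp access-group peer 10
#   ntp access-group serve-only 20
#   access-list 10 permit 127.127.7.1          <- assumed local clock address
#   access-list 20 permit 192.0.2.0 0.0.0.255  <- time clients
LOCAL_CLOCK = "127.127.7.1"
ACCESS_GROUPS = {"peer": 10, "serve-only": 20}
ACLS = {
    10: [("permit", LOCAL_CLOCK, "0.0.0.0")],
    20: [("permit", "192.0.2.0", "0.0.0.255")],
}

if __name__ == "__main__":
    for source in (LOCAL_CLOCK, "192.0.2.50", "198.51.100.9"):
        print(source, ntp_rights(ACCESS_GROUPS, ACLS, source))
    # Leaving the local clock out of ACL 10 means the master cannot synchronize.
    broken = {10: [("permit", "192.0.2.1", "0.0.0.0")], 20: ACLS[20]}
    print(LOCAL_CLOCK, ntp_rights(ACCESS_GROUPS, broken, LOCAL_CLOCK))
```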







3725 on dynamips against 3550/3560 and what is missing

December 3rd, 2008

Here is a list of what is missing with the 16-port switching module for the 3725 in comparison to the 3550/3560 Catalyst switches in the lab.

Access Switch Device Manager (SDM) Template
ACL – Improved Merging Algorithm
ARP Optimization
BGP Increased Support of Numbered as-path Access Lists to 500
BGP Restart Neighbor Session After max-prefix Limit Reached
BGP Route-Map Continue Support for Outbound Policy
Clear Counters Per Port
DHCP Snooping
DHCP Snooping Counters
Diagnostics Options on bootup
ErrDisable Reactivation Per Port
ErrDisable timeout
EtherChannel – Flexible PAgP
Etherchannel Guard
Fallback Bridging
Flex Link Bi-directional Fast Convergence
Flex Link VLAN Load-Balancing
Flex Links Interface Preemption
GOLD – Generic Online Diagnostics
IEEE 802.1ab, Link Layer Discovery Protocol
IEEE 802.1s – Multiple Spanning Tree (MST) Standard Compliance
IEEE 802.1s VLAN Multiple Spanning Trees
IEEE 802.1t
IEEE 802.1W Spanning Tree Rapid Reconfiguration
IEEE 802.1x – Auth Fail Open
IEEE 802.1x – Auth Fail VLAN
IEEE 802.1x – VLAN Assignment
IEEE 802.1x – Wake on LAN Support
IEEE 802.1x Authenticator
IEEE 802.1X Multi-Domain Authentication
IEEE 802.1x RADIUS Accounting
IEEE 802.1x with Port Security
IEEE 802.3ad Link Aggregation (LACP)
IEEE 802.3af Power over Ethernet
IGMP Fast Leave
IGMP Version 1
IP Phone Detection Enhancements
IP Phone Enhancement – PHY Loop Detection
IPSG (IP Source Guard)
Jumbo Frames
L2PT – Layer 2 Protocol Tunneling
MAC Authentication Bypass
MLD Snooping
Multicast Etherchannel Load Balancing
NAC – L2 IEEE 802.1x
NAC – L2 IP with Auth Fail Open
Packet-Based Storm Control
Per Port Per VLAN Policing
Port Security
Port Security on Private VLAN Ports
Private VLANs
QoS Policy Propagation via Border Gateway Protocol (QPPB)
Rapid-Per-VLAN-Spanning Tree (Rapid-PVST)
Reduced MAC Address Usage
Smart Port
Spanning Tree Protocol (STP) – Loop Guard
Spanning Tree Protocol (STP) – Portfast
Spanning Tree Protocol (STP) – PortFast BPDU Filtering
Spanning Tree Protocol (STP) – Portfast Support for Trunks
Spanning Tree Protocol (STP) – Root Guard
Spanning Tree Protocol (STP) – Uplink Load Balancing
SRR (Shaped Round Robin)
Standby Supervisor Port Usage
STP Syslog Messages
Switching Database Manager (SDM)
Trunk Failover
Trusted boundary (extended trust for CDP devices)
Unicast Mac Filtering
UniDirectional Link Detection (UDLD)
VLAN Access Control List (VACL)
VLAN Aware Port Security
Weighted Tail Drop (WTD)

CCIE Wireless is there

December 2nd, 2008

Interesting news. Wireless is a new topic on the plan. Now we have:

I still go for the Routing and Switching.



Cisco Firewall evolution with access-lists, reflexive access-lists, ip tcp intercept and CBAC

December 2nd, 2008

What can I do with CBAC and how do I configure it? What is it intended for? What can also be done with reflexive access-lists? Might ip tcp intercept also be helpful?

Reflexive access lists are Cisco's introduction to stateful filtering. For firewalling it is a nice feature and can be thought of as a kind of ip nat with overload where the inside cannot be reached: only if you have triggered a connection from the inside is the traffic allowed to pass.

Speaking of an established session means that the device in between records the connection and dynamically adds an allow filter to let the traffic matching this session pass back through the firewall. That is the meaning of a stateful filter. Cisco standard and extended access-lists can only filter statically. Here is where reflexive access-lists come into play.

These are two configuration examples for telnet sessions:

1. The first example allows telnet for established sessions in an „extended“ access-list

interface

ip access-list extended ESTABLISHED
permit tcp any eq telnet any established


ip access-group ESTABLISHED in

Here only telnet traffic originated from the inside client is allowed to come back into the network.

As you already expect there is another way with reflexive access-lists:


ip access-group REFL_IN in
ip access-group REFL_OUT out

ip access-list extended REFL_IN
evaluate REFLECT
ip access-list extended REFL_OUT
permit tcp any any eq telnet reflect REFLECT timeout 30

FW#sh access-lists

Reflexive IP access list REFLECT
permit tcp host eq telnet host eq 28929 (12 matches) (time left 25)

Extended IP access list REFL_IN
10 evaluate REFLECT
Extended IP access list REFL_OUT
10 permit tcp any any eq telnet reflect REFLECT (7 matches)

Here the host is outside from the firewall's perspective and is answering telnet requests from This reflexive access-list is dynamically generated. By default this list is active for 300 seconds. If the connection is idle for that amount of time, the entry is removed from the list and from memory, but the session is not terminated. The active session will again bring up a new reflexive access-list entry. So this timeout has nothing to do with an absolute or idle timeout in the usual sense. It is more of a „clean up“ timeout.
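The difference between the static „established“ match and the reflexive list can be shown with a small model. This is an added example, not part of the original post: the addresses are constructed, port 28929 is the client port from the output above, and refreshing the timer on every matching packet is a simplification of the IOS behaviour.

```python
from dataclasses import dataclass

TELNET = 23


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def established_permits(seg):
    """'permit tcp any eq telnet any established' applied inbound.

    Static check only: source port 23 and ACK or RST set. No session is looked up.
    """
    return seg.sport == TELNET and bool(seg.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """REFL_OUT creates mirrored entries, REFL_IN evaluates them."""

    def __init__(self, timeout=30):
        self.timeout = timeout
        self.entries = {}  # 4-tuple of the expected return traffic -> last use

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.timeout}

    def outbound(self, seg, now):
        """permit tcp any any eq telnet reflect REFLECT timeout <n>"""
        self._expire(now)
        if seg.dport != TELNET:
            return False
        self.entries[(seg.dst, seg.dport, seg.src, seg.sport)] = now
        return True

    def inbound(self, seg, now):
        """evaluate REFLECT: only the mirror image of a recorded session passes."""
        self._expire(now)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if key not in self.entries:
            return False
        self.entries[key] = now
        return True


def demo():
    # Constructed addresses: inside client, outside telnet server, unrelated host.
    inside, outside, other = "192.0.2.10", "198.51.100.23", "203.0.113.99"
    syn = Segment(inside, 28929, outside, TELNET, frozenset({"SYN"}))
    reply = Segment(outside, TELNET, inside, 28929, frozenset({"SYN", "ACK"}))
    stray = Segment(other, TELNET, inside, 28929, frozenset({"ACK"}))
    acl = ReflexiveAcl(timeout=30)
    return {
        "established_stray": established_permits(stray),  # passes the static filter
        "reflexive_stray": acl.inbound(stray, now=0),     # no session recorded
        "outbound_syn": acl.outbound(syn, now=1),
        "reply": acl.inbound(reply, now=2),
        "reply_after_idle": acl.inbound(reply, now=40),   # entry was cleaned up
        "outbound_again": acl.outbound(syn, now=41),      # session traffic recreates it
        "reply_after_renewal": acl.inbound(reply, now=42),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, allowed)
```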

Here is a possible use of „ip tcp intercept“ vs. reflexive access-lists:

ip tcp intercept list REFL_OUT
ip tcp intercept connection-timeout 20

Here you can set an idle timeout for the tcp connection in your firewall. The idle timeout is now set to 20 seconds.

R2#sh tcp intercept connections
Client Server State Create Timeout Mode

Client Server State Create Timeout Mode ESTAB 00:00:59 00:00:01 I

After that time you can see your firewall sending a TCP session reset to both ends:

Packet debug on the firewall:

*Mar 1 10:37:00.665: IP: s= (local), d= (Vlan5), len 40, sending
*Mar 1 10:37:00.665: TCP src=23, dst=50346, seq=197049759, ack=1038522490, win=0 ACK RST
*Mar 1 10:37:00.665: IP: s= (local), d= (FastEthernet0/0), len 40, sending
*Mar 1 10:37:00.665: TCP src=50346, dst=23, seq=1038522490, ack=197049759, win=0 ACK RST

The connection is cleanly reset.

With ip tcp intercept you have more possible scenarios, for example if you are under a DoS SYN attack. Here I use nmap as a tool for generating multiple TCP SYN packets.

cat syn-dos-test.sh

nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &

If you start this several times you will see ip tcp intercept taking action against half-open sessions. The high watermark is the point at which aggressive mode starts, and the count has to fall below the low watermark before normal mode starts again.

*Mar 1 13:50:35.548: %TCP-6-INTERCEPT: getting aggressive, count (5/5) 1 min 9
*Mar 1 13:50:35.548: INTERCEPT: Possible attack! Aborting half-open connection SYNRCVD ( <->
*Mar 1 13:50:35.548: INTERCEPT(*): ( <- RST
*Mar 1 13:50:35.548: INTERCEPT: new connection ( SYN ->
*Mar 1 13:50:35.548: INTERCEPT(*): ( <- ACK+SYN
*Mar 1 13:50:35.584: INTERCEPT: Possible attack! Aborting half-open connection SYNRCVD ( <->

Now tcp intercept is starting to drop half open connections. Oldest first. You can also change the drop mode.

Next take a look at „ip inspect“ called CBAC (Context-Based Access Control).

interface FastEthernet0/0

ip access-group 101 in
ip inspect TELNET out

access-list 101 deny tcp any eq telnet any

ip inspect tcp idle-time 15
ip inspect name TELNET telnet

After opening a session, the telnet connection is able to establish and inspect has registered the session:

FW#sh ip inspect sessions
Established Sessions
Session 6571BC0C (>( telnet SIS_OPEN

You can enable an idle timeout for telnet session:

ip inspect name TELNET telnet timeout 10

or for all tcp sessions:

ip inspect tcp idle-time 10

ip inspect max-incomplete low 4
ip inspect max-incomplete high 5
ip inspect name TELNET telnet alert on audit-trail off timeout 10

If you test the TCP SYN flood here as well, you will see ip inspect react to the SYN attack:

*Mar 1 14:24:43.736: %FW-4-ALERT_ON: getting aggressive, count (6/5) current 1-min rate: 6
*Mar 1 14:24:44.012: %FW-4-ALERT_OFF: calming down, count (3/4) current 1-min rate: 16

Audit-trail will log all connections/attempts. Alert will send only those to the log, which have been found suspicious.

CBAC supports many different protocols, including protocols which negotiate ports dynamically, and is therefore able to inspect at the application layer.
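The high/low watermark behaviour, both for ip tcp intercept and for „ip inspect max-incomplete low 4 / high 5“, is a hysteresis on the number of half-open connections. The following added example (not code from the original post) models it; the comparisons are inferred from the counts in the log lines above (aggressive at 6/5, calm at 3/4), and dropping exactly one oldest half-open connection per new SYN is a simplifying assumption.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Tracks half-open TCP connections between a low and a high watermark."""

    def __init__(self, low, high):
        self.low = low
        self.high = high
        self.half_open = OrderedDict()  # connection id -> None, oldest first
        self.aggressive = False
        self.events = []

    def syn(self, conn_id):
        """A new connection attempt arrives (handshake not finished yet)."""
        self.half_open[conn_id] = None
        count = len(self.half_open)
        if not self.aggressive and count > self.high:
            self.aggressive = True
            self.events.append(("getting aggressive", count, self.high))
        if self.aggressive:
            # Oldest first: make room for the new attempt.
            oldest, _ = self.half_open.popitem(last=False)
            self.events.append(("drop oldest half-open", oldest))

    def closed(self, conn_id):
        """Handshake completed or attempt timed out: no longer half-open."""
        self.half_open.pop(conn_id, None)
        count = len(self.half_open)
        if self.aggressive and count < self.low:
            self.aggressive = False
            self.events.append(("calming down", count, self.low))


def replay(low=4, high=5):
    """Constructed sequence: seven SYNs that never complete, then recovery."""
    tracker = HalfOpenTracker(low, high)
    for n in range(1, 8):
        tracker.syn("c%d" % n)
    tracker.closed("c3")   # count 4: still between the watermarks, stays aggressive
    tracker.closed("c4")   # count 3: below the low watermark, back to normal
    tracker.syn("c8")      # normal mode again, nothing is dropped
    return tracker


if __name__ == "__main__":
    result = replay()
    for event in result.events:
        print(event)
    print("still half-open:", list(result.half_open))
```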




How to receive logging/traps with Linux from your dynamips with syslog-ng/snmptrapd

November 29th, 2008

What are traps and informs, and is it possible to have an NMS (Network Management System) on your Linux box to receive those messages? Cisco Works is also an NMS; you might try this as well, it’s possible to install it under VMWare. I had some trouble with 3.1 on Windows 2003 Server Enterprise SP2 though: it always complained about not enough space on drive c:, even though I expanded the disc to have more than 25GB of free space. Still no success. So I got to the point where I dropped LMS and tried to use programs already present on my Linux box. I would like to see LMS on my VMWare as well, maybe later.

First make sure you have connectivity to the outside world from your dynamips. Here is a link to a more detailed description: http://blog.sazza.de/?p=355. In short, you need a local interface that can be bridged. You create a bridged interface and set it up with IP addressing. I use a VMWare interface for this bridged interface. Here is my script:

ifconfig vmnet7
ifconfig vmnet7 down
brctl addbr br0
ifconfig br0 netmask
brctl addif br0 vmnet7
brctl addif br0 tap0
ifconfig br0 up
ifconfig tap0 up
ifconfig vmnet7 up

The tap0 is created from your dynamips.net file. I use Router1’s second FastEthernet interface:

[[Router R1]]
model = 3725
console = 2001
autostart = False
slot2 = NM-1FE-TX
slot1 = NM-4T
F0/0 = SW1 F1/1
F0/1 = NIO_tap:tap0

Now I can use R1 F0/1 for connections to the outside world.

Check your syslog-ng configuration file, to enable a socket your syslog server listens to port 514/udp:


source src {
# include internal syslog-ng messages
# note: the internal() source is required!
internal();

# the default log socket for local logging:

# uncomment to process log messages from network:
udp(ip("") port(514));
};

Then restart your syslog daemon by issuing „/etc/init.d/syslog restart“. Make sure you can see the socket listening with

hostname:/usr/share/snmp/mibs # netstat -lun
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0*
udp 0 0*
udp 6624 0*
udp 0 0*

You might want to add port 514/tcp so that syslog also listens for TCP logging messages. You can also log from your Cisco router to any TCP port with:

R2(config)# logging host transport tcp port 514

After this your system is able to receive syslog messages and will log them into /var/log/messages, for example. Check with „tail -f /var/log/messages“. Configure logging from a router with:

R2(config)# logging host

and produce some logging messages.

Next make sure that your local firewall does not block logging packets to your host.

You need at least ports:




At this point on your linux box start your

# snmptrapd -fa

You should have net-snmp-5.x.x installed (check with „rpm -qa | grep net-snmp“). This daemon also needs some kind of access configuration:

cat /etc/snmp/snmptrapd.conf

authCommunity log,execute,net CISCO
logoption f /var/log/snmptrapd.log
logoption s 2


mibs +ALL

Where CISCO is your community string. This is for SNMP v1 and v2c.

But you might want to download a list of MIBS from cisco first, to have snmptrapd support all kinds of cisco mibs. You can download them from ftp://ftp.cisco.com/pub/mibs/v1/v1.tar.gz and ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz.

Just copy them to /usr/share/snmp/mibs (find out your mibs directory with „net-snmp-config --snmpconfpath“, where mibs should be a subdirectory under your path, for example /usr/share/snmp).

You should now be able to receive those mibs in your logfile /var/log/snmptrapd.log.

for example:

Nov 29 17:19:12 hostname snmptrapd[5824]: Enterprise Specific Trap (.1) Uptime: 0:26:44.80, SNMPv2-SMI::enterprises. = INTEGER: 1, SNMPv2-SMI::enterprises. = INTEGER: 2, SNMPv2-SMI::enterprises. = INTEGER: 3

Or do an snmpwalk:

# snmpwalk -v2c -c CISCO

Reload your Cisco router with snmpset:

First enable system-reload:

snmp-server community CISCO RW
snmp-server system-shutdown

Then set the router to reload (note: the dynamips router instance will crash, since reloading the router is only supported by the dynagen console):

snmpset -c CISCO -v 2c  . i 2







Implementing route reflectors and avoid loops with cluster-id or originator-id

November 22nd, 2008

What is a route reflector? What is a cluster-id or originator-id and why should I need it?

If you search Google for cluster-id, it will not bring up many explanations of what a cluster in BGP is. However, it’s quite simple. You can have multiple route reflectors inside one AS, and this might break the normal AS path loop prevention mechanism. Normally the AS path takes care of loops, but inside the AS this is done with cluster-id and originator-id.

Let’s start with a route reflector. In BGP you would need a full mesh for all iBGP client peerings to have routes propagated from client to client. Route reflection overcomes the need for a full mesh. The route reflector reflects routes coming from a client to its route reflector clients.

Here a sample full mesh configuration within AS 200:

BGP full mesh

Here is an example where the full mesh is replaced with one route reflector, which copies all updates to its clients. So if an update from AS100 is received, it is sent to the route reflector, and the route reflector copies the update to all of its clients:

Make sure the next hop is reachable from within the peer. In this example, if no next-hop-self is configured from the route reflector clients to the route reflector, the next hops for routes coming into AS 200 point to the AS100 and AS300 gateways. This might be a problem for AS200 RRs, if next hop self is not reachable via a local route.

The cluster is defined by the route reflector and the route reflector client(s). The cluster id will be the router reflector client if unset (for ex. Or the cluster ID can be set with the „bgp cluster-id [number]“ command. So here one cluster is formed:

There are several ways of configuring route reflectors and clients in this scenario. There could be a requirement that more than one route reflector be available for redundancy. If the route reflector fails in the above scenario, there is no way to cope with the situation.

So it might be necessary to have more than one route reflector in the AS. A possible solution would be:

cluster id

The cluster id is not passed between different sub-ASes inside the same confederation. The cluster id can avoid unwanted traffic by denying updates. Here, for example, if you set „bgp cluster-id 1“ on both router A and router B, they would refuse updates from each other when they receive updates with the same cluster-id.

The updates are not needed because of the hierarchical route reflector setup: if an update comes from router C, it will be propagated to A and B. Since A and B are, from their perspective, non-clients to each other, the cluster-id comes into play. Using the same cluster-id on both will prevent the updates from being accepted.

Example for „debug ip bgp updates“ on Router B if Router C is sending a new prefix and Router B is receiving the update from Router A ( also (assuming A and B have the same cluster-id configured). The clusterlist is the replacement for the AS path inside the AS, for avoiding routing loops. As can be seen here, the clusterlist holds cluster-id 1 and cluster-id 2. Cluster-id 1 is configured for both A and B, while cluster-id 2 is configured on router D. The originator ID is router C in this example:

*Mar 1 05:40:29.650: BGP(0): rcv UPDATE w/ attr: nexthop, origin i, localpref 100, metric 0, originator, clusterlist, path , community , extended community

*Mar 1 05:40:29.658: BGP(0): rcv UPDATE about — DENIED due to: reflected from the same cluster;

The originator id is the last step in preventing updates from being sent in loops, after the cluster id has had no effect. At the latest when the originator receives its own update, it will be dropped. If the cluster-id is not set by „bgp cluster-id [number]“, then it will be set by the route-reflector-client sending updates to non clients with its own router-id.
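The two checks can be followed step by step in a small model of the attributes. This is an added example, not from the original post: the router-ids and the prefix are constructed, and the topology (C is a client of D, D is a client of both A and B, A and B are non-clients to each other) is an assumption that reproduces the clusterlist "1 2" with originator C from the debug output.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Update:
    prefix: str
    originator_id: Optional[str] = None
    cluster_list: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str
    cluster_id: Optional[str] = None  # only route reflectors have one


def reflector(name, router_id, cluster_id=None):
    """A route reflector; without 'bgp cluster-id' its router-id is used."""
    return Router(name, router_id, cluster_id or router_id)


def reflect(rr, update, learned_from):
    """Attributes a route reflector sets before passing an iBGP route on."""
    return replace(
        update,
        # ORIGINATOR_ID is set once, by the first reflector.
        originator_id=update.originator_id or learned_from.router_id,
        # Every reflector prepends its own cluster-id.
        cluster_list=(rr.cluster_id,) + update.cluster_list,
    )


def receive(router, update):
    """Return (accepted, reason) after the two loop checks."""
    if update.originator_id == router.router_id:
        return False, "originator-id is our own router-id"
    if router.cluster_id is not None and router.cluster_id in update.cluster_list:
        return False, "reflected from the same cluster"
    return True, "accepted"


def walk(a_cluster=None, b_cluster=None):
    """C originates a prefix, D reflects it to A, A reflects it onwards."""
    c = Router("C", "10.255.0.3")
    d = reflector("D", "10.255.0.4", "2")
    a = reflector("A", "10.255.0.1", a_cluster)
    b = reflector("B", "10.255.0.2", b_cluster)
    at_a = reflect(d, Update("203.0.113.0/24"), learned_from=c)
    from_a = reflect(a, at_a, learned_from=d)
    return {
        "update": from_a,
        "B": receive(b, from_a),  # non-client peer of A
        "D": receive(d, from_a),  # its own cluster-id 2 is already in the list
        "C": receive(c, from_a),  # the originator sees its own router-id
    }


if __name__ == "__main__":
    print(walk("1", "1"))  # A and B share cluster-id 1: B denies the update
    print(walk())          # default cluster-ids: B accepts the redundant copy
```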


Internet Routing Architectures, CiscoPress, P. 268ff

RFC2796, Route Reflection, http://www.faqs.org/rfcs/rfc2796.html


Link Fragmentation and Interleave / LFI / FRF.12

November 9th, 2008

When a packet is sent over a link, the packet is delayed due to serialization. Bigger packets need more time to get over the link than smaller packets. If a 1500 byte packet is in transit, a small 150 byte packet has to wait.

Here LFI can be used to solve the problem of bigger packets blocking smaller ones, for example voice packets, for too long: it lets them be sent before the whole 1500 byte packet has been sent over the link.

By definition, a packet includes the Layer 3 header information and the end-user data, namely the payload. A frame is a packet that also includes the Layer 2 header and trailer.

While fragmenting frames, the router will chop the 1500 byte frame possibly into two frames, each of which has to include the header and trailer information again.

Make sure you configure „frame-relay fragment“ on both sides of the PVC. If not, one side will definitely have problems recognizing the fragmented traffic. If only one side fragments the traffic and the other side does not defragment it, it will just drop all fragmented traffic coming over the DLCI.

A value of 80 kbps is the recommended fragmentation size for every 64 kbps of bandwidth. So a 256 kbps interface bandwidth means a fragment size of 320 kbps on this link.

Note: For interleaving to work, both fragmentation and the low-latency queueing policy must be configured with shaping disabled.


access-list 101 permit ip any host

class-map voice

match access-group 101

policy-map llq

class voice

priority 64

class video

bandwidth 32

interface serial 1/0

ip address

encapsulation frame-relay

frame-relay fragment 80 end-to-end

bandwidth 128

clock rate 128000

service-policy output llq

Show and debug commands:

R5#sh frame-relay fragment interface s1/0 501

fragment size 200 fragment type end-to-end
in fragmented pkts 4511 out fragmented pkts 86
in fragmented bytes 109183 out fragmented bytes 10797
in un-fragmented pkts 162 out un-fragmented pkts 88
in un-fragmented bytes 10808 out un-fragmented bytes 5952
in assembled pkts 1053 out pre-fragmented pkts 130
in assembled bytes 94707 out pre-fragmented bytes 16317
in dropped reassembling pkts 0 out dropped fragmenting pkts
in DE fragmented pkts 4511 out DE fragmented pkts 0
in DE un-fragmented pkts 162 out DE un-fragmented pkts 0
in timeouts 0
in out-of-sequence fragments 0
in fragments with unexpected B bit set 0
in fragments with skipped sequence number 0
out interleaved packets 0
R5#sh frame-relay fragment
interface dlci frag-type size in-frag out-frag dropped-frag
Se1/0 501 end-to-end 200 4519 86 0
Se1/0 502 end-to-end 200 0 0 0
Se1/0 503 end-to-end 200 0 0 0
Se1/0 504 end-to-end 200 0 0 0
Se1/0 513 end-to-end 200 0 0 0

R5# debug frame-relay fragment interface s1/0 501
*Mar 1 04:33:08.866: Serial1/0(o): dlci 501, tx-seq-num 125, B bit set, frag_hdr 03 B1 80 7D
*Mar 1 04:33:08.870: Serial1/0(o): dlci 501, tx-seq-num 126, no bit set, frag_hdr 03 B1 00 7E
*Mar 1 04:33:08.874: Serial1/0(o): dlci 501, tx-seq-num 127, E bit set, frag_hdr 03 B1 40 7F
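
The frag_hdr bytes in the debug lines can be decoded and checked the way a reassembler would. This is an added example, not from the original post: the header layout (0x03, 0xB1, then B, E and C bits, a 12-bit sequence number split around one reserved bit) is assumed for FRF.12 end-to-end fragments and agrees with the three lines above; the problem texts are modelled on the counters in the show output.

```python
import re

# The three debug lines shown above (DLCI 501, one packet in three fragments).
DEBUG_LINES = [
    "*Mar 1 04:33:08.866: Serial1/0(o): dlci 501, tx-seq-num 125, B bit set, frag_hdr 03 B1 80 7D",
    "*Mar 1 04:33:08.870: Serial1/0(o): dlci 501, tx-seq-num 126, no bit set, frag_hdr 03 B1 00 7E",
    "*Mar 1 04:33:08.874: Serial1/0(o): dlci 501, tx-seq-num 127, E bit set, frag_hdr 03 B1 40 7F",
]
LINE_RE = re.compile(
    r"dlci (\d+), tx-seq-num (\d+), .*frag_hdr ((?:[0-9A-Fa-f]{2} ?){4})")


def parse_frag_hdr(hex_bytes):
    """Decode the four header bytes printed after frag_hdr (assumed layout)."""
    ctrl, nlpid, high, low = bytes.fromhex(hex_bytes)
    if (ctrl, nlpid) != (0x03, 0xB1):
        raise ValueError("not an end-to-end fragment header")
    return {
        "begin": bool(high & 0x80),    # B bit: first fragment of a packet
        "end": bool(high & 0x40),      # E bit: last fragment of a packet
        "control": bool(high & 0x20),  # C bit
        "seq": ((high >> 1) & 0x0F) << 8 | low,
    }


def parse_line(line):
    """Return the decoded header of one debug line, or None if it does not match."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    header = parse_frag_hdr(match.group(3))
    header.update(dlci=int(match.group(1)), tx_seq=int(match.group(2)))
    return header


def check_sequence(headers):
    """Walk fragments in arrival order; return (complete packets, problems)."""
    complete, problems = 0, []
    in_packet, expected = False, None
    for h in headers:
        gap = expected is not None and h["seq"] != expected
        expected = (h["seq"] + 1) % 4096  # 12-bit sequence number wraps
        if gap:
            problems.append("skipped sequence number before %d" % h["seq"])
            in_packet = False             # the partial packet is discarded
        if h["begin"]:
            if in_packet:
                problems.append("unexpected B bit at %d" % h["seq"])
            in_packet = True
        if not in_packet:
            continue                      # rest of a packet whose start was lost
        if h["end"]:
            complete += 1
            in_packet = False
    return complete, problems


if __name__ == "__main__":
    parsed = [parse_line(line) for line in DEBUG_LINES]
    for header in parsed:
        print(header)
    print(check_sequence(parsed))
    print(check_sequence([parsed[0], parsed[2]]))  # middle fragment lost
```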


Cisco QOS, Second Edition, Exam Certification Guide





multiple LLQ Low Latency Queues / bandwidth (remaining) percent

November 9th, 2008

LLQ means a priority queue, used to forward voice and video traffic before all other traffic.

If you have multiple LLQ queues, the difference between the single and the multiple queue configuration is that, if you have at least two priority queues, both get policed. So if they are configured in a single policy-map command, the traffic will always be policed at a maximum rate, even if more bandwidth would be available because one queue fills up while the other has not yet. The traffic will strictly be policed at the maximum rate.

The bandwidth percent gives the option to reserve a percentage of a link, also in case the link speed changes in the future. It is calculated from the actual link speed of the interface. This is changeable with the „bandwidth“ command on the interface.

The bandwidth remaining percent gives the option to configure a share of the remaining bandwidth on the actual link. If the link, for example, has a bandwidth of 1000 kbps and there are already different LLQs (100, 200), then these add up to 300 kbps being already reserved. „max reserved-bandwidth“ is 75% per default on an interface, which is 750 kbps. So if you configure a reservation from the remaining percent, it will be calculated from

750 kbps

-300 kbps


450 kbps.

So if you configure „bandwidth remaining percent 50“ you will get 225 kbps from the bandwidth of the interface.


Cisco Qos, Exam Certification Guide, Second Edition, Wendell Odom

Cisco announces Mobile CCIE Labs

November 4th, 2008

This is interesting news for CCIE lab takers. You might save time and travel costs by being able to choose a lab closer to your location. There are several new so-called „Mobile CCIE Lab“ locations. Some of them are already open, some are still to be opened. Currently it’s starting to open for the R&S exam.



ip prefix-list

November 4th, 2008

I had to look at prefix-lists again a bit more in detail and how matching is done.

There are several keywords that need to be understood for matching the right addresses.

At first the most simple match is the:

ip prefix-list PRE_20 permit

which does just match for the first 24 bit in the address and nothing else.

If in case you have to match more addresses, maybe a range from subnets with a specific prefix, you can match it with „ge“ or „le“.

„ge“ means greater or equal

„le“ means less or equal

So if you want to match the following subnets:

You could create a prefix list with the following match:

ip prefix-list PRE_20 permit ge 16 le 16

This means that first the matching is done on the subnet that is the same for all subnets:, that can include and

Here we already summarized the best match for both addresses. So this part is the same for all addresses. Then, since we don’t want to match the or the, we have to tell the prefix list how to extend the variable match for addresses that should be included in the match.

So we specifically want matches greater or equal /16 and at most /16.

That means:

ip prefix-list PRE_20 permit ge 16 le 16

If we want to include for example only:

ip prefix-list PRE_22 permit ge 24 le 24

Another example would be to match a range of subnets with „le“

ip prefix-list le 18

Would match:

Where the 20.0. prefix must be in all network ranges at a minimum and every address with a maximum of /18 would match if 20.0. is in the prefix.
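
The matching rules for the plain form, „ge“ and „le“ can be checked against candidate routes with a short script. This is an added example, not from the original post: the entries and routes are constructed (the post's own prefixes are not shown), and the function names are hypothetical.

```python
import ipaddress


def parse_entry(text):
    """Parse 'permit|deny <prefix>/<len> [ge N] [le N]' into a match rule."""
    tokens = text.split()
    action = tokens[0]
    network = ipaddress.ip_network(tokens[1])
    options = dict(zip(tokens[2::2], map(int, tokens[3::2])))
    ge, le = options.get("ge"), options.get("le")
    if ge is None and le is None:
        low = high = network.prefixlen   # exact prefix length only
    elif le is None:
        low, high = ge, 32               # ge alone: from ge up to /32
    elif ge is None:
        low, high = network.prefixlen, le  # le alone: from the prefix length up to le
    else:
        low, high = ge, le
    return action, network, low, high


def prefix_list_match(entries, route):
    """Return the action of the first matching entry, 'deny' if none matches."""
    candidate = ipaddress.ip_network(route)
    for entry in entries:
        action, network, low, high = parse_entry(entry)
        # The leading bits must agree with the entry's prefix AND the
        # route's own prefix length must fall inside the ge/le window.
        if low <= candidate.prefixlen <= high and candidate.subnet_of(network):
            return action
    return "deny"  # implicit deny at the end of every prefix list


# Constructed entries, one per form discussed above.
EXACT = ["permit 20.0.0.0/24"]
ONLY_16 = ["permit 20.0.0.0/8 ge 16 le 16"]
UP_TO_18 = ["permit 20.0.0.0/16 le 18"]

if __name__ == "__main__":
    for name, entries, routes in (
        ("EXACT", EXACT, ["20.0.0.0/24", "20.0.0.0/25"]),
        ("ONLY_16", ONLY_16, ["20.0.0.0/8", "20.1.0.0/16", "20.1.1.0/24"]),
        ("UP_TO_18", UP_TO_18, ["20.0.0.0/16", "20.0.64.0/18", "20.0.64.0/19"]),
    ):
        for route in routes:
            print(name, route, prefix_list_match(entries, route))
```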