prefix list !! help plz

Jun 12th, 2007

hi every1, plz some 1 solve this problem

suppose i have 10 contiguous networks connected on my router's loopback interfaces

10.1.0.1/16

10.2.0.1/16

10.3.0.1/16

10.4.0.1/16

10.5.0.1/16

10.6.0.1/16

10.7.0.1/16

10.8.0.1/16

10.9.0.1/16

10.10.0.1/16

now i want to advertise only network 10.1.0.0 - 10.4.0.0/16 using prefix list, can some 1 tell me is it possible like i know how to do it in access-list but not getting it in prefix, plz tell me wat will be the prefix list for this???

Harold Ritter Tue, 06/12/2007 - 04:33
User Badges:
  • Cisco Employee,

You can certainly do this with prefix-lists. The prefix-list to cover 10.1.0.0/16 - 10.4.0.0/16 would be as follows:


ip prefix-list test seq 5 permit 10.1.0.0/16

ip prefix-list test seq 10 permit 10.2.0.0/15

ip prefix-list test seq 15 permit 10.4.0.0/16


It would have been easier to aggregate 10.0.0.0/16 - 10.3.0.0, which is aggregatable with the following statement.


ip prefix-list test seq 5 permit 10.0.0.0/14


Hope this helps,



Harold Ritter Tue, 06/12/2007 - 04:38

Oops,


I forgot. It should look like this:


ip prefix-list test seq 5 permit 10.1.0.0/16

ip prefix-list test seq 10 permit 10.2.0.0/15 le 16

ip prefix-list test seq 15 permit 10.4.0.0/16


And also for the second example:


ip prefix-list test seq 5 permit 10.0.0.0/14 le 16


Hope this helps,



shaila_rox Tue, 06/12/2007 - 04:42

thanks for the reply but i didnt understand any of u, plz i m not an expert just started prefix list, i understand the ge and le and seq and all but i didnt understand how to specify the range of ip address that i need to block ( or allow ), can u explain that by keeping my example, can i specify my range ( i.e. from 10.1.0.0 - 10.4.0.0 ) in a single prefix statement ?? i m really confused here plz explain to me how can i do it?

still thanks for ur feedback but i didnt get it really

Harold Ritter Tue, 06/12/2007 - 04:54

Shaila,


You couldn't permit 10.1.0.0/16 - 10.4.0.0/16 in a single statement without also including other prefixes since these prefixes do not fall on a common boundary.


The first portion of the prefix-list is key in this exercise.


for instance


10.0.0.0/14 le 16 ge 16

would include 10.0.0.0/16 - 10.3.0.0/16


10.0.0.0/13 le 16 ge 16

would include 10.0.0.0/16 - 10.7.0.0/16


10.0.0.0/12 le 16 ge 16

would include 10.0.0.0/16 - 10.15.0.0/16


Let me know if this makes sense to you,
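
The common-boundary rule described above, worked through as an added example (not code from the thread or from Cisco): Python's ipaddress module splits a run of equal-length networks into the fewest aligned blocks, and each block becomes one prefix-list line. The function name prefix_list_for_range and the seq step of 5 are choices made for this illustration.

```python
import ipaddress

def prefix_list_for_range(name, first_net, last_net, step=5):
    """Return IOS prefix-list lines that permit every network of the given
    length from first_net through last_net, and nothing else."""
    first = ipaddress.ip_network(first_net)
    last = ipaddress.ip_network(last_net)
    if first.prefixlen != last.prefixlen:
        raise ValueError("both ends must have the same prefix length")
    length = first.prefixlen

    # Fewest blocks that start on a power-of-two boundary and cover the range.
    blocks = ipaddress.summarize_address_range(
        first.network_address, last.broadcast_address)

    lines = []
    for n, block in enumerate(blocks, start=1):
        entry = f"ip prefix-list {name} seq {n * step} permit {block}"
        if block.prefixlen < length:
            # An aggregate only matches the longer routes when ge/le pin
            # the accepted length to the original one.
            entry += f" ge {length} le {length}"
        lines.append(entry)
    return lines

if __name__ == "__main__":
    # The ranges asked about in this thread.
    for lo, hi in [("10.1.0.0/16", "10.4.0.0/16"),
                   ("10.24.0.0/16", "10.27.0.0/16"),
                   ("10.1.0.0/16", "10.10.0.0/16")]:
        print(f"! {lo} through {hi}")
        print("\n".join(prefix_list_for_range("test", lo, hi)))
```
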

smothuku Tue, 06/12/2007 - 04:34
User Badges:
  • Silver, 250 points or more

Hi ,


You can use the following command for advertising 10.1.0.0 and 10.4.0.0 /16 networks.


ip prefix-list XXX seq 5 permit 10.1.0.0/16

ip prefix-list YYY seq 10 permit 10.4.0.0/16


Details - Prefix-list:


To create a prefix list or add a prefix-list entry, use the ip prefix-list command in global configuration mode. To delete a prefix-list entry, use the no form of this command.


ip prefix-list {list-name | list-number} [seq number] {deny network/length | permit network/length} [ge ge-length] [le le-length]


The ip prefix-list command is used to configure IP prefix filtering. Prefix lists are configured with permit or deny keywords to either permit or deny the prefix based on the matching condition. A prefix list consists of an IP address and a bit mask. The IP address can be a classful network, a subnet, or a single host route. The bit mask is entered as a number from 1 to 32. An implicit deny is applied to traffic that does not match any prefix-list entry.


Prefix lists are configured to match an exact prefix length or a prefix range. The ge and le keywords are used to specify a range of the prefix lengths to match, providing more flexible configuration than can be configured with just the network/length argument. The prefix list is processed using an exact match when neither the ge nor le keyword is entered. If only the ge value is entered, the range is the value entered for the ge ge-length argument to a full 32-bit length. If only the le value is entered, the range is from the value entered for the network/length argument to the le le-length argument. If both the ge ge-length and le le-length keywords and arguments are entered, the range falls between the values used for the ge-length and le-length arguments. The following formula shows this behavior:


network/length < ge ge-length < le le-length <= 32


A prefix list is configured with a name and/or sequence number. One or the other must be entered when configuring this command. If a sequence number is not entered, a default sequence number of 5 is applied to the prefix list, and subsequent prefix list entries will be incremented by 5 (for example, 5, 10, 15, and onwards). If a sequence number is entered for the first prefix list entry but not subsequent entries, then the subsequent entries will also be incremented by 5 (for example, if the first configured sequence number is 3, then subsequent entries will be 8, 13, 18, and onwards). Default sequence numbers can be suppressed by entering the no form of this command with the seq keyword.


Prefix lists are evaluated starting with the lowest sequence number. The longest most specific prefix is matched. The first successful match is processed for a given prefix. Once a match occurs, the permit or deny statement is processed, and the rest of the list is not evaluated.




--------------------------------------------------------------------------------


Tip: For best performance, the most frequently processed prefix list statements should be configured with the lowest sequence numbers. The seq number keyword and argument can be used for resequencing.



--------------------------------------------------------------------------------


The prefix list is applied to inbound or outbound updates for a specific peer by entering the neighbor prefix-list command. Prefix list information and counters are displayed in the output of the show ip prefix-list command. Prefix-list counters can be reset by entering the clear ip prefix-list command.



smothuku Tue, 06/12/2007 - 04:34

Examples

In the following example, a prefix list is configured to deny the default route 0.0.0.0/0:


Router(config)# ip prefix-list RED deny 0.0.0.0/0


In the following example, a prefix list is configured to permit traffic from the 172.16.1.0/24 subnet:


Router(config)# ip prefix-list BLUE permit 172.16.1.0/24


In the following example, a prefix list is configured to permit routes from the 10.0.0.0/8 network that have a mask length that is less than or equal to 24 bits:


Router(config)# ip prefix-list YELLOW permit 10.0.0.0/8 le 24


In the following example, a prefix list is configured to deny routes from the 10.0.0.0/8 network that have a mask length that is greater than or equal to 25 bits:


Router(config)# ip prefix-list PINK deny 10.0.0.0/8 ge 25


In the following example, a prefix list is configured to permit routes from any network that have a mask length from 8 to 24 bits:


Router(config)# ip prefix-list GREEN permit 0.0.0.0/0 ge 8 le 24


In the following example, a prefix list is configured to deny any route with any mask length from the 10.0.0.0/8 network:


Router(config)# ip prefix-list ORANGE deny 10.0.0.0/8 le 32


Thanks,

Satish


s.arunkumar Tue, 06/12/2007 - 04:47
User Badges:
  • Bronze, 100 points or more

helloo..

i think this will also work.........


ip prefix-list test seq 5 permit 10.0.0.0/14 ge 15 le 16

ip prefix-list test seq 10 permit 10.4.0.0/16


arun :)

Harold Ritter Tue, 06/12/2007 - 05:00

Arun,


This would work but would allow additional prefixes such as 10.0.0.0/15, 10.0.0.0/16, 10.1.0.0/15, 10.2.0.0/15, 10.3.0.0/15.


On the other hand you could change the first statement for ge 16 le 16, at which point only prefix 10.0.0.0/16 would be allowed on top of the specified prefixes (10.1.0.0/16 - 10.4.0.0/16).


Regards,

shaila_rox Tue, 06/12/2007 - 05:38

hi sir, i should admit that i m not able to understand ge or le at all !!! either u explain to me in simple words plz or refer me a doc that can explain me prefix list in an easy manner, i checked the univercd bgp guide and prefix list doc but didnt understand, can u plz refer me some doc or explain

thanks again in advance

shaila_rox Tue, 06/12/2007 - 06:53

sorry sir, but it didnt help :( i m getting really confused in ge and le parameters, see i have these 4 networks

10.24.0.0/16

10.25.0.0/16

10.26.0.0/16

10.27.0.0/16

now the summary will be 10.24.0.0/14 right ?

how can i specify this in the prefix list,

plz sir dont take me wrong but just dont give the answer i mean plz explain ur answer, like if u include ge or le then plz tell me how and why u have written them

thanks in advance

Harold Ritter Tue, 06/12/2007 - 07:06

That is correct. You can use one statement to match the 4 prefixes as they share a common boundary.


Now if you want these prefixes to be allowed but strictly with a prefix length of 16, you would have the following prefix-list:


ip prefix-list test seq 10 permit 10.24.0.0/14 ge 16 le 16


If you didn't configure le 16 ge 16 then the default prefix length (/14) would be applied and would therefore not allow the /16 prefixes.


Hope this helps,
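
The ge/le matching rules discussed in this thread, as an added example rather than anything posted by the participants: a small Python evaluator that applies prefix-list lines in order (first match wins, then implicit deny) to candidate routes. It models only the matching semantics described above, not IOS itself, and the function names are made up for the illustration.

```python
import ipaddress

def parse_entry(line):
    """Turn an 'ip prefix-list ... permit|deny NET/LEN [ge N] [le N]' line
    into (action, network, lo, hi); lo..hi are the accepted route lengths."""
    tok = line.split()
    i = next(k for k, t in enumerate(tok) if t in ("permit", "deny"))
    action, net = tok[i], ipaddress.ip_network(tok[i + 1])
    opts = {tok[k]: int(tok[k + 1]) for k in range(i + 2, len(tok), 2)}
    if not opts:
        lo = hi = net.prefixlen              # no ge/le: exact length only
    else:
        lo = opts.get("ge", net.prefixlen)   # le alone: network length up to le
        hi = opts.get("le", 32)              # ge alone: ge up to 32
    return action, net, lo, hi

def evaluate(entries, route):
    """Return 'permit' or 'deny' for one route against an ordered list."""
    r = ipaddress.ip_network(route)
    for line in entries:
        action, net, lo, hi = parse_entry(line)
        # The route must sit inside the entry's network AND have an
        # accepted prefix length.
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action
    return "deny"                            # implicit deny at the end

def permitted(entries, routes):
    return [r for r in routes if evaluate(entries, r) == "permit"]

# Lists quoted from the posts above.
FIRST_TRY = ["ip prefix-list test seq 5 permit 10.1.0.0/16",
             "ip prefix-list test seq 10 permit 10.2.0.0/15",
             "ip prefix-list test seq 15 permit 10.4.0.0/16"]
CORRECTED = ["ip prefix-list test seq 5 permit 10.1.0.0/16",
             "ip prefix-list test seq 10 permit 10.2.0.0/15 le 16",
             "ip prefix-list test seq 15 permit 10.4.0.0/16"]
STRICT = ["ip prefix-list test seq 10 permit 10.24.0.0/14 ge 16 le 16"]
LOOPBACKS = [f"10.{n}.0.0/16" for n in range(1, 11)]   # the asker's ten /16s

if __name__ == "__main__":
    print("without le 16:", permitted(FIRST_TRY, LOOPBACKS))
    print("with le 16:   ", permitted(CORRECTED, LOOPBACKS))
    print("10.2.0.0/15 ->", evaluate(CORRECTED, "10.2.0.0/15"))
    print("10.24.0.0/14 ->", evaluate(STRICT, "10.24.0.0/14"))
```
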


Harold Ritter Tue, 06/12/2007 - 11:13

Slight oversight.


10.1.0.0/15 and 10.3.0.0/15 are illegal prefix/prefix length combinations.


Sorry for the confusion,

shaila_rox Thu, 06/14/2007 - 00:31

hi sir, i started reading wendell odom exam certification for ccie and i think i m understanding it now, just a lil more practice i guess, there is one final question so plz tell me

i have these networks

10.1.0.0/16 till 10.20.0.0/16

i want to filter

1) all the odd networks

2) all the even networks

wat will be the prefix list ??

plz give separate prefix list for 1 and 2.

thanks again in advance

Harold Ritter Thu, 06/14/2007 - 08:02

This kind of requirement (odd/even) cannot be achieved with a prefix-list as prefix-lists do not allow non-contiguous masks to be configured.


This would easily be done with an extended ACL as they do allow for non-contiguous masks:


1) Allow all odd networks between 10.1.0.0/16 and 10.20.0.0/16 inclusively

access-list 101 permit ip 10.1.0.0 0.14.255.255 host 255.255.0.0

access-list 101 permit ip 10.17.0.0 0.2.255.255 host 255.255.0.0


2) Allow all even networks between 10.1.0.0/16 and 10.20.0.0/16 inclusively

access-list 101 permit ip 10.0.0.0 0.14.255.255 host 255.255.0.0

access-list 101 permit ip 10.16.0.0 0.2.255.255 host 255.255.0.0

access-list 101 permit ip 10.20.0.0 0.0.255.255 host 255.255.0.0


Hope this helps,

Harold Ritter Thu, 06/14/2007 - 12:31

Small rectification on the second access-list. The requirement stated 10.1.0.0/16 to 10.20.0.0/16 and the proposed ACL allows 10.0.0.0/16. It can be modified as follows to fulfill the requirement:


access-list 101 deny ip 10.0.0.0 0.0.255.255 host 255.255.0.0

access-list 101 permit ip 10.0.0.0 0.14.255.255 host 255.255.0.0

access-list 101 permit ip 10.16.0.0 0.2.255.255 host 255.255.0.0

access-list 101 permit ip 10.20.0.0 0.0.255.255 host 255.255.0.0


Hope this helps,


s.arunkumar Fri, 06/15/2007 - 02:55

Really interesting ....


sir,

can u just tell then how will be my access-list if i want to permit only networks

10.1.0.0/16 to 10.10.0.0/16 ??


Harold Ritter Sun, 06/17/2007 - 16:49

Again, 10.1.0.0/16 to 10.10.0.0/16 don't all fall under a common mask boundary, so you will need more than one line.


access-list 101 deny ip 10.0.0.0 0.0.255.255 host 255.255.0.0 /* denies 10.0.0.0/16 as it is part of the following block but shouldn't be allowed according to your specifications */

access-list 101 permit ip 10.0.0.0 0.0.15.255 host 255.255.0.0 /* allows 10.0.0.0/16 to 10.15.0.0/16 */

access-list 101 permit ip 10.16.0.0 0.0.255.255 host 255.255.0.0 /* allows 10.16.0.0/16 */



Hope this helps,

Harold Ritter Sun, 06/17/2007 - 16:56

Sorry I misread the specifications. Here's the new ACL:


access-list 101 deny ip 10.0.0.0 0.0.255.255 host 255.255.0.0 /* denies 10.0.0.0/16 from the following block */

access-list 101 permit ip 10.0.0.0 0.7.255.255 host 255.255.0.0 /* permits 10.0.0.0/16 to 10.7.0.0/16 */

access-list 101 permit ip 10.8.0.0 0.1.255.255 host 255.255.0.0 /* permits 10.8.0.0/16 to 10.9.0.0/16 */

access-list 101 permit ip 10.10.0.0 0.0.255.255 host 255.255.0.0 /* permits 10.10.0.0/16 */


Hope this helps,

s.arunkumar Sun, 06/17/2007 - 20:34

thanks u sir,,


so the logic is divide into block size of nearest 2^n, and then find the network portion by logical AND of first and last ip, and for mask portion logical XOR of first and last ip....

after it if any ip are coming out of our requirement,make specific access-list for it...


am i right???

... :)



Harold Ritter Mon, 06/18/2007 - 07:55

You are correct about the nearest 2^n boundary and the fact that you have to add additional statements for prefixes that don't share that common boundary.


It would be a logical XOR for both the prefix part and the mask part though.


Hope this helps,


nikhil.engineer Mon, 06/18/2007 - 11:36

sir I have modified ur acl a bit. do let me know if this is correct.


access-list 101 deny ip 10.0.0.0 0.0.255.255 host 255.255.0.0 /* denies 10.0.0.0/16 from the following block */

access-list 101 permit ip 10.0.0.0 0.7.255.255 host 255.255.0.0 /* permits 10.0.0.0/16 to 10.7.0.0/16 */

access-list 101 permit ip 10.8.0.0 0.2.255.255 host 255.255.0.0 /* permits 10.8.0.0/16 to 10.10.0.0/16 */


Cheers,

Nikhil

Harold Ritter Mon, 06/18/2007 - 12:37

Nikhil,


The last line of the ACL would allow 10.8.0.0/16 and 10.10.0.0/16 but not 10.9.0.0/16 and therefore doesn't meet the requirements.


Hope this helps,
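
An added example (not from any poster) that evaluates the extended ACLs quoted in this thread as route filters, where the source address and wildcard are compared with the route's network and the host field with its mask. It shows why a wildcard of 0.2.255.255 on 10.8.0.0 selects 10.8 and 10.10 but skips 10.9; the helper names are made up for this sketch.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.ip_address(addr))

def wildcard_match(value, base, wildcard):
    """True when value equals base on every bit the wildcard leaves at 0.
    Wildcard bits set to 1 are 'don't care' and need not be contiguous."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (value & care) == (_int(base) & care)

def evaluate(acl_lines, route):
    """First matching line wins; a route matching no line is denied."""
    net = ipaddress.ip_network(route)
    for line in acl_lines:
        _, _, action, _, src, wild, host_kw, mask = line.split()
        if host_kw != "host":
            raise ValueError("only the 'host <mask>' form used in this thread")
        if (wildcard_match(int(net.network_address), src, wild)
                and int(net.netmask) == _int(mask)):
            return action
    return "deny"

def permitted_second_octets(acl_lines):
    """Which 10.N.0.0/16 routes (N = 0..255) the ACL lets through."""
    return [n for n in range(256)
            if evaluate(acl_lines, f"10.{n}.0.0/16") == "permit"]

# ACLs quoted from the posts above (inline /* */ remarks dropped).
ODD = ["access-list 101 permit ip 10.1.0.0 0.14.255.255 host 255.255.0.0",
       "access-list 101 permit ip 10.17.0.0 0.2.255.255 host 255.255.0.0"]
EVEN_FIXED = ["access-list 101 deny ip 10.0.0.0 0.0.255.255 host 255.255.0.0",
              "access-list 101 permit ip 10.0.0.0 0.14.255.255 host 255.255.0.0",
              "access-list 101 permit ip 10.16.0.0 0.2.255.255 host 255.255.0.0",
              "access-list 101 permit ip 10.20.0.0 0.0.255.255 host 255.255.0.0"]
NIKHIL = ["access-list 101 deny ip 10.0.0.0 0.0.255.255 host 255.255.0.0",
          "access-list 101 permit ip 10.0.0.0 0.7.255.255 host 255.255.0.0",
          "access-list 101 permit ip 10.8.0.0 0.2.255.255 host 255.255.0.0"]

if __name__ == "__main__":
    print("odd:   ", permitted_second_octets(ODD))
    print("even:  ", permitted_second_octets(EVEN_FIXED))
    print("nikhil:", permitted_second_octets(NIKHIL))   # 9 is absent
```
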
