Prefix-list

Answered Question
Jul 31st, 2009
Hi all,


I need your explanation for the below prefix list.


I want to allow only the IP address from

11.1.0.0 to 11.1.3.0 with mask 255.255.255.0


Initially I configured the


ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24


I thought that I am matching the IP address first 2 octets "11.1" and matching the subnet mask 25.255.255.252, so that I will achieve it.

But it didn't work. It allowed all the IP addresses in this subnet, for example 11.1.6.0, 11.1.7.0 etc., which I wanted to block.


Then, I reconfigured like this


ip prefix-list SAIRAM permit 11.1.0.0/22 le 24


It started working perfectly.


I am not able to determine the difference between the two and why the first logic didn't work.


Can you please explain what mistake I made in the first one?


Thanks in advance


Sairam

Edison Ortiz Fri, 07/31/2009 - 08:00
Sairam,


In the first 'prefix-list' example you are allowing 11.1.0.0 255.255.0.0 subnets with a netmask greater than 255.255.252.0 and less than or equal to 255.255.255.0.


In the second 'prefix-list' example you are allowing 11.1.0.0 255.255.252.0 subnets with a netmask less than or equal to 255.255.255.0.


In the second example, the range is correct from:


11.1.1.0 thru 11.1.3.0, and within those subnets you will allow IP addresses such as the following:


11.1.1.1 255.255.255.0


but you will not allow IP addresses such as


11.1.1.1 255.255.255.192


as the subnet mask is greater than 24 bits.


HTH,


__


Edison.

Peter Paluch Fri, 07/31/2009 - 09:52

Hi Sairam.


Let's look closer at how the prefix lists actually work.


The prefix lists are an efficient way to filter both network addresses and netmasks. Originally, it was done by extended access lists where the "source" part filtered networks and the "destination" part filtered netmasks. While this was a workable solution, it was also cumbersome and confusing at times. The prefix lists serve a similar purpose but in a more concise format.


Now, assume that the prefix list says:


ip prefix-list PL permit 192.0.2.0/24


This prefix list looks for the network 192.0.2.0/24, exactly as issued in the command.


There are however operators available that further limit the netmask value. Consider the prefix list


ip prefix-list PL permit 192.0.2.0/24 ge 26 le 28


Now, how is this one evaluated? This prefix list looks for networks and their netmasks that match all of the following conditions:


1.) The evaluated network ANDed with the netmask /24 must yield 192.0.2.0. In other words, the first 24 bits of the evaluated network's address must match the first 24 bits of the address 192.0.2.0.


2.) The netmask of the evaluated network must be at least /26


3.) The netmask of the evaluated network must be at most /28


Therefore, this prefix list would permit any subnet of the network 192.0.2.0/24 whose netmask is /26, /27 or /28. It would not accept a subnet of the network 192.0.2.0/24 with a different netmask. Also, it would not accept networks that are not subnets of the 192.0.2.0/24.


If we write it symbolically, assume that the prefix list is written as


ip prefix-list PL permit A.B.C.D/M ge G le L


Now, assume that you are matching a network X.Y.Z.Q/N against this prefix list and want to know if it matches or not. The network will match if these conditions are met:


1.) The network X.Y.Z.Q masked with mask M = A.B.C.D (X.Y.Z.Q & M = A.B.C.D)

2.) The netmask N is in the range from G to L (G <= N <= L)


This might look hard to understand at first but give it time, it will go naturally after a few experiments.


Best regards,

Peter


snarayanaraju Fri, 07/31/2009 - 10:17

Hi Peter & Edison,


Thanks for your quick reply and your answers are very helpful.


Peter: I will take your example and try to interpret it. Please correct me if I am going wrong on the concept.


ip prefix-list PL permit 192.0.2.0/24 ge 26 le 28


For this, the matching networks should be as follows:


192.0.2.0 / 255.255.255.192

192.0.2.64 / 255.255.255.192

till

192.0.2.192/ 255.255.255.192


192.0.2.0 / 255.255.255.224

192.0.2.32 / 255.255.255.224

till

192.0.2.224 / 255.255.255.224


then,


192.0.2.0 / 255.255.255.240

192.0.2.16 / 255.255.255.240

till

192.0.2.240 / 255.255.255.240


Is this correct? I will be looking forward to hearing from you.


Sairam

Peter Paluch Fri, 07/31/2009 - 10:21

Hello Sairam,


You got it. Your solution is absolutely correct.


And what about the prefix list:


ip prefix-list PL permit 192.0.2.64/27 ge 29 le 30


What would be the permissible networks here?


Sorry that I am making this basically a school exercise, but as usual, if someone is actually forced to do something, he will eventually learn it.


Best regards

Peter


snarayanaraju Fri, 07/31/2009 - 11:03

Hi Peter,


Thanks for your efforts to make me understand the subtle logic behind this prefix-list.


I will try to work out the homework given by you (remembering school days!!!!!)


The matching IP address (The network is 192.0.2.64 / 255.255.255.248) should be


192.0.2.65 / 255.255.255.248

192.0.2.66 / 255.255.255.248

till

192.0.2.70 / 255.255.255.248


and the other network is


192.0.2.64 / 255.255.255.252


Really, I blinked twice to get this. Please validate. I will wait for you, Peter.


sairam


Correct Answer
Peter Paluch Fri, 07/31/2009 - 11:24

Hello Sairam,


The prefix list was given as follows:


ip prefix-list PL permit 192.0.2.64/27 ge 29 le 30


It is permitting subnets of the network 192.0.2.64/27 with netmasks from /29 to /30. The original network 192.0.2.64/27 goes from 192.0.2.64 up to 192.0.2.95.


So the permissible networks with the mask /29 will be:


192.0.2.64/29

192.0.2.72/29

192.0.2.80/29

192.0.2.88/29


And the permissible networks with the mask /30 will be:


192.0.2.64/30

192.0.2.68/30

192.0.2.72/30

... and so on, up to:

192.0.2.92/30


Can you follow this?


Best regards,

Peter


snarayanaraju Fri, 07/31/2009 - 11:46

Hi Peter,


I was confused when drafting it, it seems. It seems to be clear now. The understanding is like this:


A) 192.0.2.64 / 29 (255.255.255.224) hosts ranges from 192.0.2.65 to 192.0.2.95


B) /29 = 248


clubbing A & B


192.0.2.64/29, 192.0.2.72 till 192.0.2.88 (Hosts 192.0.2.89 to 192.0.2.95)


Hope I am clear now. Please reply if I am wrong anywhere here.


Perhaps, whenever I come across a prefix-list, I will remember you and your explanations.


Thanks for helping us (I am noticing you are giving solutions to my other queries also).


with regards,


sairam

Peter Paluch Fri, 07/31/2009 - 12:06

Hello,


Yes, your logic here seems to be correct.


Can you now also see why your first solution regarding the four subnets 11.1.0.0/24 - 11.1.3.0/24 was not correct?


You originally created the prefix list as follows:


ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24


But this one actually permits a huge amount of networks that are all subnets of the network 11.1.0.0/16 and have the mask either /22, /23 or /24.


With netmask /22 = 255.255.252.0:

11.1.0.0/22

11.1.4.0/22

11.1.8.0/22

and so on, up to

11.1.252.0/22


With netmask /23 = 255.255.254.0:

11.1.0.0/23

11.1.2.0/23

11.1.4.0/23

and so on, up to

11.1.254.0/23


With netmask /24 = 255.255.255.0:

11.1.0.0/24

11.1.1.0/24

11.1.2.0/24

and so on, up to

11.1.255.0/24


So then you decided to correct your prefix list as follows:


ip prefix-list SAIRAM permit 11.1.0.0/22 le 24


But notice that even this prefix list actually allows more than you expected. It allows subnets of the network 11.1.0.0/22 whose netmasks are either /22, /23 or /24.


The 11.1.0.0/22 ranges from 11.1.0.0 to 11.1.3.255.


With netmask /22 = 255.255.252.0:

11.1.0.0/22 (a single network only)


With netmask /23 = 255.255.254.0:

11.1.0.0/23

11.1.2.0/23


With netmask /24 = 255.255.255.0:

11.1.0.0/24

11.1.1.0/24

11.1.2.0/24

11.1.3.0/24


Actually, the correct prefix list just for your case would be this one:


ip prefix-list SAIRAM permit 11.1.0.0/22 ge 24 le 24


Note that this prefix list allows only the subnets of the network 11.1.0.0/22 having their netmask precisely /24. As the 11.1.0.0/22 ranges from 11.1.0.0 to 11.1.3.255, subnetting it by netmask /24 yields precisely your networks. No other netmasks are allowed by this prefix list.


As for your kind words about helping you - thank you. It is my pleasure to be of help to others.


Best regards,

Peter
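
As an added illustration (not code from this thread or from Cisco) of the two matching conditions Peter gave earlier (X.Y.Z.Q & M = A.B.C.D and G <= N <= L) and of the three SAIRAM entries compared in his last post, here is a small Python model of prefix-list evaluation. It assumes the IOS defaults that an entry without ge/le matches only the exact length M, that `le` alone implies ge = M, and that `ge` alone implies le = 32.

```python
import ipaddress


def parse_entry(entry):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/M [ge G] [le L]'.

    IOS defaults (assumed here): no ge/le -> exact length M only;
    'le' without 'ge' -> ge = M; 'ge' without 'le' -> le = 32.
    """
    tok = entry.split()
    name, action = tok[2], tok[3]
    net = ipaddress.ip_network(tok[4], strict=False)
    opts = dict(zip(tok[5::2], map(int, tok[6::2])))  # e.g. {'ge': 22, 'le': 24}
    m = net.prefixlen
    if not opts:
        ge, le = m, m
    else:
        ge, le = opts.get("ge", m), opts.get("le", net.max_prefixlen)
    return name, action, net, ge, le


def matches(entry, candidate):
    """Peter's two conditions: X.Y.Z.Q & M == A.B.C.D and G <= N <= L."""
    _, _, net, ge, le = parse_entry(entry)
    cand = ipaddress.ip_network(candidate, strict=False)
    same_first_m_bits = (int(cand.network_address) & int(net.netmask)) == int(net.network_address)
    return same_first_m_bits and ge <= cand.prefixlen <= le


def permitted_networks(entry):
    """List every network the entry matches (the lists Peter wrote out by hand)."""
    _, _, net, ge, le = parse_entry(entry)
    out = []
    # A matching network can never be shorter than M, so enumeration starts at max(ge, M).
    for plen in range(max(ge, net.prefixlen), le + 1):
        out.extend(str(s) for s in net.subnets(new_prefix=plen))
    return out


if __name__ == "__main__":
    # The three SAIRAM variants from the thread; the goal was only 11.1.0.0/24 .. 11.1.3.0/24.
    for e in ("ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24",
              "ip prefix-list SAIRAM permit 11.1.0.0/22 le 24",
              "ip prefix-list SAIRAM permit 11.1.0.0/22 ge 24 le 24"):
        nets = permitted_networks(e)
        print(f"{e}\n  matches {len(nets)} networks; 11.1.6.0/24 permitted: {matches(e, '11.1.6.0/24')}")
```

Running it shows the first entry permitting 448 networks, the second 7 and the third exactly the four intended /24s.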

