07-31-2009 06:50 AM - edited 03-04-2019 05:37 AM
Hi all,
I need your explanation for the below prefix list.
I want to allow only the IP address from
11.1.0.0 to 11.1.3.0 with mask 255.255.255.0
Initially I configured the
ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24
I thought that I was matching the first 2 octets "11.1" of the IP address and matching the subnet mask 25.255.255.252, so that I would achieve it.
But it didn't work. It allowed all the IP addresses in this subnet, for example 11.1.6.0, 11.1.7.0 etc., which I wanted to block.
Then, I reconfigured like this
ip prefix-list SAIRAM permit 11.1.0.0/22 le 24
It started working perfectly.
I am not able to determine the difference between the two and why the first logic didn't work.
Can you please explain what mistake I made in the first one?
Thanks in advance
Sairam
07-31-2009 08:00 AM
Sairam,
In the first 'prefix-list' example you are allowing 11.1.0.0 255.255.0.0 subnets with a netmask greater than 255.255.252.0 and less than or equal to 255.255.255.0.
In the second 'prefix-list' example you are allowing 11.1.0.0 255.255.252.0 subnets with a netmask less than or equal to 255.255.255.0.
In the second example, the range is correct from:
11.1.1.0 through 11.1.3.0, and within those subnets you will allow IP addresses with the following format:
11.1.1.1 255.255.255.0
but you will not allow IP addresses such as
11.1.1.1 255.255.255.192
as the subnet mask is greater than 24 bits.
HTH,
__
Edison.
07-31-2009 09:52 AM
Hi Sairam.
Let's look closer at how the prefix lists actually work.
The prefix lists are an efficient way to filter both network addresses and netmasks. Originally, it was done by extended access lists where the "source" part filtered networks and the "destination" part filtered netmasks. While this was a workable solution, it was also cumbersome and confusing at times. The prefix lists serve a similar purpose but in a more concise format.
Now, assume that the prefix list says:
ip prefix-list PL permit 192.0.2.0/24
This prefix list looks for the network 192.0.2.0/24, exactly as issued in the command.
There are however operators available that further limit the netmask value. Consider the prefix list
ip prefix-list PL permit 192.0.2.0/24 ge 26 le 28
Now, how is this one evaluated? This prefix list looks for networks and their netmasks that match all of the following conditions:
1.) The evaluated network ANDed with the netmask /24 must yield 192.0.2.0. In other words, the first 24 bits of the evaluated network's address must match the first 24 bits of the address 192.0.2.0.
2.) The netmask of the evaluated network must be at least /26
3.) The netmask of the evaluated network must be at most /28
Therefore, this prefix list would permit any subnet of the network 192.0.2.0/24 whose netmask is /26, /27 or /28. It would not accept a subnet of the network 192.0.2.0/24 with a different netmask. Also, it would not accept networks that are not subnets of the 192.0.2.0/24.
If we write it symbolically, assume that the prefix list is written as
ip prefix-list PL permit A.B.C.D/M ge G le L
Now, assume that you are matching a network X.Y.Z.Q/N against this prefix list and want to know if it matches or not. The network will match if these conditions are met:
1.) The network X.Y.Z.Q masked with mask M = A.B.C.D (X.Y.Z.Q & M = A.B.C.D)
2.) The netmask N is in the range from G to L (G <= N <= L)
This might look hard to understand at first but give it time, it will go naturally after a few experiments.
Best regards,
Peter
07-31-2009 10:17 AM
Hi Peter & Edison,
Thanks for your quick reply and your answers are very helpful.
Peter: I will take your example and try to interpret. Please correct me if I am going wrong on the concept
ip prefix-list PL permit 192.0.2.0/24 ge 26 le 28
For this, the matching networks should be as follows:
192.0.2.0 / 255.255.255.192
192.0.2.64 / 255.255.255.192
till
192.0.2.192/ 255.255.255.192
192.0.2.0 / 255.255.255.224
192.0.2.32 / 255.255.255.224
till
192.0.2.224 / 255.255.255.224
then,
192.0.2.0 / 255.255.255.240
192.0.2.16 / 255.255.255.240
till
192.0.2.240 / 255.255.255.240
Is this correct? I look forward to hearing from you.
Sairam
07-31-2009 10:21 AM
Hello Sairam,
You got it. Your solution is absolutely correct.
And what about the prefix list:
ip prefix-list PL permit 192.0.2.64/27 ge 29 le 30
What would be the permissible networks here?
Sorry that I am making this basically a school exercise but as usual, if someone is actually forced to do something he will eventually learn it.
Best regards
Peter
07-31-2009 11:03 AM
Hi Peter,
Thanks for your efforts to make me understand the subtle logic behind this prefix-list.
I will try to work out the homework given by you (remembering school days!!!!!)
The matching IP address (The network is 192.0.2.64 / 255.255.255.248) should be
192.0.2.65 / 255.255.255.248
192.0.2.66 / 255.255.255.248
till
192.0.2.70 / 255.255.255.248
and the other network is
192.0.2.64 / 255.255.255.252
Really, I blinked twice to get this. Please validate. I will wait for you, Peter.
Sairam
07-31-2009 11:24 AM
Hello Sairam,
The prefix list was given as follows:
ip prefix-list PL permit 192.0.2.64/27 ge 29 le 30
It is permitting subnets of the network 192.0.2.64/27 with netmasks from /29 to /30. The original network 192.0.2.64/27 goes from 192.0.2.64 up to 192.0.2.95.
So the permissible networks with the mask /29 will be:
192.0.2.64/29
192.0.2.72/29
192.0.2.80/29
192.0.2.88/29
And the permissible networks with the mask /30 will be:
192.0.2.64/30
192.0.2.68/30
192.0.2.72/30
... and so on, up to:
192.0.2.92/30
Can you follow this?
Best regards,
Peter
07-31-2009 11:46 AM
Hi Peter,
I was confused when drafting it seems. It seems to be clear now. The understanding is like this
A) 192.0.2.64 / 29 (255.255.255.224) hosts ranges from 192.0.2.65 to 192.0.2.95
B) /29 = 248
clubbing A & B:
192.0.2.64/29, 192.0.2.72 till 192.0.2.88 (Hosts 192.0.2.89 to 192.0.2.95)
Hope I am clear now. Please reply if I am wrong anywhere here.
Perhaps, whenever I come across a prefix-list, I will remember you and your explanations.
Thanks for helping us (I am noticing you are giving solutions to my other queries also).
with regards,
Sairam
07-31-2009 12:06 PM
Hello,
Yes, your logic here seems to be correct.
Can you now also see why your first solution regarding the four subnets 11.1.0.0/24 - 11.1.3.0/24 was not correct?
You originally created the prefix list as follows:
ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24
But this one actually permits a huge number of networks that are all subnets of the network 11.1.0.0/16 and have the mask either /22, /23 or /24.
With netmask /22 = 255.255.252.0:
11.1.0.0/22
11.1.4.0/22
11.1.8.0/22
and so on, up to
11.1.252.0/22
With netmask /23 = 255.255.254.0:
11.1.0.0/23
11.1.2.0/23
11.1.4.0/23
and so on, up to
11.1.254.0/23
With netmask /24 = 255.255.255.0:
11.1.0.0/24
11.1.1.0/24
11.1.2.0/24
and so on, up to
11.1.255.0/24
So then you decided to correct your prefix list as follows:
ip prefix-list SAIRAM permit 11.1.0.0/22 le 24
But notice that even this prefix list actually allows more than you expected. It allows subnets of the network 11.1.0.0/22 whose netmasks are either /22, /23 or /24.
The 11.1.0.0/22 ranges from 11.1.0.0 to 11.1.3.255.
With netmask /22 = 255.255.252.0:
11.1.0.0/22 (a single network only)
With netmask /23 = 255.255.254.0:
11.1.0.0/23
11.1.2.0/23
With netmask /24 = 255.255.255.0:
11.1.0.0/24
11.1.1.0/24
11.1.2.0/24
11.1.3.0/24
Actually, the correct prefix list just for your case would be this one:
ip prefix-list SAIRAM permit 11.1.0.0/22 ge 24 le 24
Note that this prefix list allows only the subnets of the network 11.1.0.0/22 having their netmask precisely /24. As the 11.1.0.0/22 ranges from 11.1.0.0 to 11.1.3.255, subnetting it by netmask /24 yields precisely your networks. No other netmasks are allowed by this prefix list.
As for your kind words about helping you - thank you. It is my pleasure to be of help to others.
Best regards,
Peter
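The symbolic matching rule Peter gives earlier in the thread (A.B.C.D/M ge G le L) and his enumeration of what each of Sairam's three SAIRAM entries permits, as an added example that is not part of the thread: a small Python evaluator built on the standard ipaddress module. It assumes entries written exactly in the form used above (no sequence numbers) and the usual IOS defaults for an omitted operator: neither ge nor le means an exact-length match, ge alone runs up to /32, and le alone starts at M.

```python
import ipaddress


def parse_entry(line):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/M [ge G] [le L]'.

    Returns (name, action, network, lo, hi) where lo..hi is the range of
    prefix lengths N the entry accepts: with no ge/le the match is exact
    (N == M); 'ge G' alone means G <= N <= 32; 'le L' alone means M <= N <= L.
    Assumed input form: the thread's commands, without 'seq' numbers.
    """
    tokens = line.split()
    name, action, prefix = tokens[2], tokens[3], tokens[4]
    net = ipaddress.ip_network(prefix, strict=True)
    ge = le = None
    opts = tokens[5:]
    for i in range(0, len(opts), 2):  # optional 'ge G' / 'le L' pairs
        if opts[i] == "ge":
            ge = int(opts[i + 1])
        elif opts[i] == "le":
            le = int(opts[i + 1])
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return name, action, net, lo, hi


def matches(entry, candidate):
    """Peter's two conditions: (X.Y.Z.Q & mask M) == A.B.C.D and G <= N <= L."""
    _, _, net, lo, hi = entry
    cand = ipaddress.ip_network(candidate, strict=True)
    masked = ipaddress.ip_address(int(cand.network_address) & int(net.netmask))
    return masked == net.network_address and lo <= cand.prefixlen <= hi


def permitted_subnets(entry):
    """Enumerate every prefix the entry accepts, as strings, shortest masks first."""
    _, _, net, lo, hi = entry
    out = []
    for n in range(max(lo, net.prefixlen), hi + 1):
        out.extend(str(s) for s in net.subnets(new_prefix=n))
    return out


if __name__ == "__main__":
    # Sairam's three attempts: the first two over-permit, the third is exact.
    for cmd in ("ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24",
                "ip prefix-list SAIRAM permit 11.1.0.0/22 le 24",
                "ip prefix-list SAIRAM permit 11.1.0.0/22 ge 24 le 24"):
        e = parse_entry(cmd)
        print(cmd, "->", len(permitted_subnets(e)), "prefixes;",
              "11.1.6.0/24 permitted:", matches(e, "11.1.6.0/24"))
```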