Prefix-list

snarayanaraju (Level 4)

Hi all,

I need your explanation for the below prefix list.

I want to allow only the IP address from

11.1.0.0 to 11.1.3.0 with mask 255.255.255.0

Initially i configured the

ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24

I thought that I was matching the first two octets of the IP address, "11.1", and matching the subnet mask 25.255.255.252, so that I would achieve it.

But it didn't work. It allowed all the IP addresses in this subnet, for example 11.1.6.0, 11.1.7.0 etc., which I wanted to block.

Then, I reconfigured like this

ip prefix-list SAIRAM permit 11.1.0.0/22 le 24

It started working perfectly.

I am not able to determine the difference between the two and why the first logic didn't work.

Can you please explain what mistake I made in the first one?

Thanks in advance

Sairam


8 Replies

Edison Ortiz (Hall of Fame)

Sairam,

In the first 'prefix-list' example, you are allowing 11.1.0.0 255.255.0.0 subnets with a netmask greater than 255.255.252.0 and less than or equal to 255.255.255.0.

In the second 'prefix-list' example, you are allowing 11.1.0.0 255.255.252.0 subnets with a netmask less than or equal to 255.255.255.0.

In the second example, the range is correct from:

11.1.1.0 through 11.1.3.0, and within those subnets you will allow IP addresses in the following format:

11.1.1.1 255.255.255.0

but you will not allow IP addresses such as

11.1.1.1 255.255.255.192

as the subnet mask is greater than 24 bits.

HTH,

Edison.

Hi Sairam.

Let's look closer at how the prefix lists actually work.

The prefix lists are an efficient way to filter both network addresses and netmasks. Originally, it was done by extended access lists, where the "source" part filtered networks and the "destination" part filtered netmasks. While this was a workable solution, it was also cumbersome and confusing at times. The prefix lists serve a similar purpose but in a more concise format.

Now, assume that the prefix list says:

ip prefix-list PL permit 192.0.2.0/24

This prefix list looks for the network 192.0.2.0/24, exactly as issued in the command.

There are however operators available that further limit the netmask value. Consider the prefix list

ip prefix-list PL permit 192.0.2.0/24 ge 26 le 28

Now, how is this one evaluated? This prefix list looks for networks and their netmasks that match all of the following conditions:

1.) The evaluated network ANDed with the netmask /24 must yield 192.0.2.0. In other words, the first 24 bits of the evaluated network's address must match the first 24 bits of the address 192.0.2.0.

2.) The netmask of the evaluated network must be at least /26

3.) The netmask of the evaluated network must be at most /28

Therefore, this prefix list would permit any subnet of the network 192.0.2.0/24 whose netmask is /26, /27 or /28. It would not accept a subnet of the network 192.0.2.0/24 with a different netmask. Also, it would not accept networks that are not subnets of 192.0.2.0/24.

If we write it symbolically, assume that the prefix list is written as

ip prefix-list PL permit A.B.C.D/M ge G le L

Now, assume that you are matching a network X.Y.Z.Q/N against this prefix list and want to know if it matches or not. The network will match if these conditions are met:

1.) The network X.Y.Z.Q masked with mask M = A.B.C.D (X.Y.Z.Q & M = A.B.C.D)

2.) The netmask N is in the range from G to L (G <= N <= L)

This might look hard to understand at first but give it time, it will go naturally after a few experiments.

Best regards,

Peter

Hi Peter & Edison,

Thanks for your quick reply; your answers are very helpful.

Peter: I will take your example and try to interpret it. Please correct me if I am going wrong on the concept.

ip prefix-list PL permit 192.0.2.0/24 ge 26 le 28

For this, the matching networks should be as follows:

192.0.2.0 / 255.255.255.192

192.0.2.64 / 255.255.255.192

till

192.0.2.192 / 255.255.255.192

192.0.2.0 / 255.255.255.224

192.0.2.32 / 255.255.255.224

till

192.0.2.224 / 255.255.255.224

then,

192.0.2.0 / 255.255.255.240

192.0.2.16 / 255.255.255.240

till

192.0.2.240 / 255.255.255.240

Is this correct? I will be looking forward to hearing from you.

Sairam

Hello Sairam,

You got it. Your solution is absolutely correct.

And what about the prefix list:

ip prefix-list PL permit 192.0.2.64/27 ge 29 le 30

What would be the permissible networks here?

Sorry that I am making this basically a school exercise, but as usual, if someone is actually forced to do something, he will eventually learn it.

Best regards

Peter

Hi Peter,

Thanks for your efforts to make me understand the subtle logic behind this prefix-list.

I will try to work out the homework given by you (remembering school days!!!!!)

The matching IP address (The network is 192.0.2.64 / 255.255.255.248) should be

192.0.2.65 / 255.255.255.248

192.0.2.66 / 255.255.255.248

till

192.0.2.70 / 255.255.255.248

and the other network is

192.0.2.64 / 255.255.255.252

Really, I blinked twice to get this. Please validate. I will wait for you, Peter.

Sairam

Hello Sairam,

The prefix list was given as follows:

ip prefix-list PL permit 192.0.2.64/27 ge 29 le 30

It is permitting subnets of the network 192.0.2.64/27 with netmasks from /29 to /30. The original network 192.0.2.64/27 goes from 192.0.2.64 up to 192.0.2.95.

So the permissible networks with the mask /29 will be:

192.0.2.64/29

192.0.2.72/29

192.0.2.80/29

192.0.2.88/29

And the permissible networks with the mask /30 will be:

192.0.2.64/30

192.0.2.68/30

192.0.2.72/30

... and so on, up to:

192.0.2.92/30

Can you follow this?

Best regards,

Peter

Hi Peter,

I was confused when drafting it, it seems. It seems to be clear now. The understanding is like this:

A) 192.0.2.64 / 29 (255.255.255.224) hosts ranges from 192.0.2.65 to 192.0.2.95

B) /29 = 248

clubbing A & B

192.0.2.64/29, 192.0.2.72 till 192.0.2.88 (Hosts 192.0.2.89 to 192.0.2.95)

Hope I am clear now. Please reply if I am wrong anywhere here.

Perhaps, whenever I come across a prefix-list, I will remember you and your explanations.

Thanks for helping us (I am noticing you are giving solutions to my other queries also).

with regards,

Sairam

Hello,

Yes, your logic here seems to be correct.

Can you now also see why your first solution regarding the four subnets 11.1.0.0/24 - 11.1.3.0/24 was not correct?

You originally created the prefix list as follows:

ip prefix-list SAIRAM permit 11.1.0.0/16 ge 22 le 24

But this one actually permits a huge amount of networks that are all subnets of the network 11.1.0.0/16 and have the mask either /22, /23 or /24.

With netmask /22 = 255.255.252.0:

11.1.0.0/22

11.1.4.0/22

11.1.8.0/22

and so on, up to

11.1.252.0/22

With netmask /23 = 255.255.254.0:

11.1.0.0/23

11.1.2.0/23

11.1.4.0/23

and so on, up to

11.1.254.0/23

With netmask /24 = 255.255.255.0:

11.1.0.0/24

11.1.1.0/24

11.1.2.0/24

and so on, up to

11.1.255.0/24

So then you decided to correct your prefix list as follows:

ip prefix-list SAIRAM permit 11.1.0.0/22 le 24

But notice that even this prefix list actually allows more than you expected. It allows subnets of the network 11.1.0.0/22 whose netmasks are either /22, /23 or /24.

The 11.1.0.0/22 ranges from 11.1.0.0 to 11.1.3.255.

With netmask /22 = 255.255.252.0:

11.1.0.0/22 (a single network only)

With netmask /23 = 255.255.254.0:

11.1.0.0/23

11.1.2.0/23

With netmask /24 = 255.255.255.0:

11.1.0.0/24

11.1.1.0/24

11.1.2.0/24

11.1.3.0/24

Actually, the correct prefix list just for your case would be this one:

ip prefix-list SAIRAM permit 11.1.0.0/22 ge 24 le 24

Note that this prefix list allows only the subnets of the network 11.1.0.0/22 having their netmask precisely /24. As 11.1.0.0/22 ranges from 11.1.0.0 to 11.1.3.255, subnetting it by netmask /24 yields precisely your networks. No other netmasks are allowed by this prefix list.

As for your kind words about helping you - thank you. It is my pleasure to be of help to others.

Best regards,

Peter
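Peter's two matching conditions (X.Y.Z.Q & M = A.B.C.D and G <= N <= L) and the subnet listings in his last post, turned into runnable code. This is an added example, not code from the thread or from Cisco IOS; the `PrefixEntry`, `permitted_networks` and `audit` helpers are written for this illustration, and the ge/le defaults follow IOS semantics (no option: exactly /M; only `le`: /M..L; only `ge`: G..32). It audits the three SAIRAM prefix lists against constructed candidate routes to show what each one really lets through.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip prefix-list NAME permit A.B.C.D/M [ge G] [le L]' line (helper for this example)."""
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def mask_range(self) -> range:
        """Netmask lengths N the entry accepts: no option -> exactly M,
        only le -> M..L, only ge -> G..32, both -> G..L (IOS semantics)."""
        base = ipaddress.ip_network(self.prefix, strict=False)
        m, maxlen = base.prefixlen, base.max_prefixlen
        lo = m if self.ge is None else self.ge
        hi = (m if self.ge is None else maxlen) if self.le is None else self.le
        if not m <= lo <= hi <= maxlen:
            raise ValueError(f"{self.prefix}: need M <= ge <= le <= {maxlen}")
        return range(lo, hi + 1)

    def matches(self, candidate: str) -> bool:
        """Peter's two conditions: (X.Y.Z.Q & M) == A.B.C.D and G <= N <= L."""
        base = ipaddress.ip_network(self.prefix, strict=False)
        net = ipaddress.ip_network(candidate, strict=False)
        masked = int(net.network_address) & int(base.netmask)
        return masked == int(base.network_address) and net.prefixlen in self.mask_range()


def permitted_networks(entry: PrefixEntry) -> List[str]:
    """Every network the entry permits: the listings in Peter's last post, generalized."""
    base = ipaddress.ip_network(entry.prefix, strict=False)
    return [str(s) for n in entry.mask_range() for s in base.subnets(new_prefix=n)]


# The three SAIRAM variants from the thread.
FIRST = PrefixEntry("11.1.0.0/16", ge=22, le=24)   # far too broad
SECOND = PrefixEntry("11.1.0.0/22", le=24)         # also lets /22 and /23 through
EXACT = PrefixEntry("11.1.0.0/22", ge=24, le=24)   # only the four /24s

# Constructed test routes: what Sairam wanted permitted, and what should stay blocked.
WANTED = ["11.1.0.0/24", "11.1.1.0/24", "11.1.2.0/24", "11.1.3.0/24"]
UNWANTED = ["11.1.6.0/24", "11.1.7.0/24", "11.1.0.0/22", "11.1.2.0/23", "11.1.1.64/26"]


def audit(entry: PrefixEntry) -> dict:
    """What the filter really lets through: the check to run before trusting a prefix list."""
    return {"wanted_permitted": [n for n in WANTED if entry.matches(n)],
            "unwanted_permitted": [n for n in UNWANTED if entry.matches(n)],
            "total_permitted": len(permitted_networks(entry))}
```

`audit(FIRST)` reports 448 permitted networks, `audit(SECOND)` 7, and only `audit(EXACT)` permits exactly the four wanted /24s and nothing else.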
