Re: Prefix lists differences ?

From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Nov 05 2004 - 10:13:02 GMT-3


Marc,

There's a guy named Bill Lijewski who wrote an excellent tutorial on this
topic sometime earlier this year - I don't remember exactly when. I suggest
you do a search of the GS archives and find that write up - it's excellent
IMHO. I learned most of what I know about prefix-lists from that tutorial.

But, in a nutshell, you need to keep something straight in your mind which
took me a while to absorb as well.

The /24 has two very different meanings. (Of course, it doesn't have to be
24, it can be any number from 1 to 32)

If the /24 is used by itself, i.e. it isn't followed by either a "le" or "ge",
then the /24 applies to both the network address AND the mask.

If the /24 is followed by either a le or ge, then the /24 applies ONLY to
the network address, not the mask. The mask length when the /24 is followed
by either le or ge or both is determined by the values specified after the
le or ge or both.

One other very important point which I only found out yesterday ( or maybe
had known but forgotten) is that prefix-lists share a common attribute with
acl's. There's an implicit deny at the end of the prefix-list.

Yesterday, while I was doing a lab, I had to block an aggregate from being
advertised to bgp peers. The Solution Guide used route-maps to do this, but
I thought it should be easier to do with prefix-lists. So, I configured a
prefix-list to deny the aggregate. It looked like this:

ip prefix-list AGG deny 239.3.0.0/24

Then, I configured the neighbor statement like this

nei x.x.x.x prefix-list AGG out

After I cleared the bgp peering sessions, my bgp tables were all screwed up
and I couldn't understand why. I tried a whole slew of things but couldn't
figure it out. Finally, I posted the problem on GS and a few people told me
about the implicit deny. After I added another entry to the prefix-list
that allowed all the other routes, everything was fine. But, for a few
hours I was going absolutely nuts. I checked a number of books I had but
nothing mentioned that critical point about the implicit deny and what I did
find kind of confirmed I had constructed the prefix-list correctly. It was
very frustrating. But, at least that's one thing I forget before my next
lab attempt.

HTH, Tim
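The rules Tim lays out above (a bare /N fixes both the network bits and the mask length; with le or ge the /N fixes only the network bits; every prefix-list ends in an implicit deny) and the ONE/TWO comparison in the quoted messages below can be checked with a small evaluator. This is an added example, not code from the thread or from Cisco IOS: it models IOS prefix-list semantics in Python, and the list names, the AGG-BAD/AGG-OK pair and the sample routes are constructed for the illustration.

```python
# Added example (not from the thread): an evaluator for IOS-style
# "ip prefix-list" entries, written to show the semantics Tim describes:
#   - /N alone fixes both the network bits AND the mask length exactly
#   - /N with le/ge fixes only the network bits; the mask length range
#     comes from ge (default N) and le (default 32)
#   - a prefix-list ends with an implicit deny
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    prefix: IPv4Network          # e.g. 192.168.0.0/24: network bits and length N
    ge: Optional[int] = None     # minimum mask length (inclusive), if given
    le: Optional[int] = None     # maximum mask length (inclusive), if given

    def matches(self, route: IPv4Network) -> bool:
        n = self.prefix.prefixlen
        # The first N bits of the route must equal the first N bits of the
        # entry. subnet_of() is true only if the route lies inside (or equals)
        # the entry prefix, which also implies route.prefixlen >= n.
        if not route.subnet_of(self.prefix):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == n      # bare /N: mask must be exactly N
        lo = self.ge if self.ge is not None else n
        hi = self.le if self.le is not None else 32
        return lo <= route.prefixlen <= hi


def parse_line(line: str) -> Tuple[str, Entry]:
    """Parse 'ip prefix-list NAME [seq S] permit|deny A.B.C.D/N [ge X] [le Y]'."""
    t = line.split()
    if t[:2] != ["ip", "prefix-list"]:
        raise ValueError(f"not a prefix-list line: {line!r}")
    name, i = t[2], 3
    if t[i] == "seq":            # sequence numbers are accepted and ignored here
        i += 2
    action, prefix = t[i], IPv4Network(t[i + 1], strict=False)
    i += 2
    ge = le = None
    while i < len(t):
        if t[i] == "ge":
            ge = int(t[i + 1])
        elif t[i] == "le":
            le = int(t[i + 1])
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
        i += 2
    return name, Entry(action, prefix, ge, le)


def load(config: str) -> Dict[str, List[Entry]]:
    """Group the entries of several prefix-lists by name, in configured order."""
    lists: Dict[str, List[Entry]] = {}
    for line in config.strip().splitlines():
        name, entry = parse_line(line)
        lists.setdefault(name, []).append(entry)
    return lists


def evaluate(entries: List[Entry], route: str) -> str:
    """First matching entry decides; no match at all means the implicit deny."""
    r = IPv4Network(route)
    for e in entries:
        if e.matches(r):
            return e.action
    return "deny"


# Constructed config: the entries the thread compares (ONE/TWO exactly, THREE
# with "le 32"), plus Tim's AGG filter as he first wrote it (AGG-BAD) and with
# the catch-all permit that fixed it (AGG-OK).
CONFIG = """
ip prefix-list ONE permit 100.100.100.0/24 ge 24 le 24
ip prefix-list TWO permit 100.100.100.0/24
ip prefix-list THREE permit 100.100.100.0/24 le 32
ip prefix-list AGG-BAD deny 239.3.0.0/24
ip prefix-list AGG-OK deny 239.3.0.0/24
ip prefix-list AGG-OK permit 0.0.0.0/0 le 32
"""
LISTS = load(CONFIG)

# Constructed sample routes: the /24 itself, a /25 under it, a neighbouring
# /24, the aggregate Tim wanted to block, and an unrelated route.
ROUTES = ["100.100.100.0/24", "100.100.100.128/25", "100.100.101.0/24",
          "239.3.0.0/24", "10.1.1.0/24"]


def decisions(name: str) -> Dict[str, str]:
    """Permit/deny result of the named list for every sample route."""
    return {r: evaluate(LISTS[name], r) for r in ROUTES}


if __name__ == "__main__":
    for name in LISTS:
        print(name, decisions(name))
```

Running it shows ONE and TWO giving identical results (only 100.100.100.0/24 is permitted), THREE additionally permitting the /25, and AGG-BAD denying every route, including the ones Tim wanted to keep advertising, until the permit 0.0.0.0/0 le 32 entry is added.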

----- Original Message -----
From: "marc van hoof" <mvh@marcvanhoof.com>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: "Cisco Net" <network.cisco@gmail.com>; "Group Study"
<ccielab@groupstudy.com>
Sent: Thursday, November 04, 2004 11:37 PM
Subject: Re: Prefix lists differences ?

> ah - ok - i thought that when you said "the /24 applies to both the
> network address and the net mask" that you meant the netmask (as well as
> the network) had 24 fixed bits and 8 variable bits...
>
> as mentioned later in the post, it wasn't long ago that you had masks for
> masks...
>
> misunderstanding - apologies...
>
> cheers,
> -marc.
>
> On Thu, 4 Nov 2004, ccie2be wrote:
>
> > No, those 2 prefix aren't the same.
> >
> > The 1st prefix list means that the 1st 24 bits must equal 192.168.0 and
> > the net mask is 24 bits long.
> >
> > The 2nd prefix list means that the 1st 24 bits must equal 192.168.0 (same as
> > before) but the le 32 that follows means the net mask can be from 24 bits
> > long to 32 bits long.
> >
> > Don't overlook that le means LESS THAN OR EQUAL.
> >
> > So, the 1st prefix list means 192.168.0.0 255.255.255.0 ONLY.
> >
> > The 2nd prefix list means the following matches:
> >
> > 192.168.0.0/24
> > 192.168.0.0/25
> > 192.168.0.0/26
> > 192.168.0.0/27
> > 192.168.0.0/28
> > 192.168.0.0/29
> > 192.168.0.0/30
> > 192.168.0.0/31
> > 192.168.0.0/32
> >
> > So, you see there's a big difference.
> >
> > HTH, Tim
> > ----- Original Message -----
> > From: "marc van hoof" <mvh@marcvanhoof.com>
> > To: "ccie2be" <ccie2be@nyc.rr.com>
> > Cc: "Cisco Net" <network.cisco@gmail.com>; "Group Study"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, November 04, 2004 10:54 PM
> > Subject: Re: Prefix lists differences ?
> >
> >
> >> so what you're saying is that if you don't specify the ge xx le xx, it
> >> means that you are specifying a minimum mask length ?
> >>
> >> seems odd, but i'll believe it...
> >>
> >> basically that would mean that
> >>
> >> ip prefix-list 10 permit 192.168.0.0/24
> >>
> >> is the same as
> >>
> >> ip prefix-list 10 permit 192.168.0.0/24 le 32
> >>
> >> ??
> >>
> >> on this topic, do people remember the days before prefix-lists, where you
> >> HAD to use extended ip access lists for route filtering, and the
> >> "destination address/mask" of the extended acl referred to the mask of the
> >> route ?
> >>
> >> it was never any fun to see:
> >>
> >> access-list 100 permit 192.160.0.0 0.0.0.255 255.255.255.0 0.0.0.255
> >>
> >> cheers,
> >> -marc.
> >>
> >> On Thu, 4 Nov 2004, ccie2be wrote:
> >>
> >>> They're the same.
> >>>
> >>> The slash 24 in the 1st prefix list means the 1st 24 bits of the network
> >>> address must match and the ge 24 le 24 means the net mask must be exactly 24
> >>> bits.
> >>>
> >>> In the 2nd prefix list, when you don't have either ge or le, then the /24
> >>> refers to both the network address and the net mask.
> >>>
> >>> HTH, Tim
> >>>
> >>> ----- Original Message -----
> >>> From: "Cisco Net" <network.cisco@gmail.com>
> >>> To: "Group Study" <ccielab@groupstudy.com>
> >>> Sent: Thursday, November 04, 2004 10:20 PM
> >>> Subject: Prefix lists differences ?
> >>>
> >>>
> >>>> Hi
> >>>> Is the meaning of the following 2 prefix lists the same?
> >>>> -ip prefix-list ONE permit 100.100.100.0/24 ge 24 le 24
> >>>> -ip prefix-list TEO permit 100.100.100.0/24
> >>>>
> >>>> I thought both are the same.. What do you think ?
> >>>> Regds
> >>>> Cert
> >>>>
> >>>>
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:38 GMT-3