From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun Nov 14 2004 - 14:49:00 GMT-3
Hehe, thanks, I like that vote of confidence. However, once I am a ccie, I
think I'll change my email name from ccie2be to something like ccieNOW.
With respect to your filtering problem, I don't know off-hand, but I'll try
to work out the answer in this post and see what happens.
This is the original problem
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
With a prefix-list (or with an access-list?), is there any way to permit, say,
only subnet 3 and 4 with one line?
OK, let's see if we can figure this out. Let's try with an acl first and if
that works, we'll see if this can also be done with a prefix list.
First, notice that the subnet mask is /24 for each subnet and that the only
difference between the prefixes occurs in the 3rd octet.
So, our acl will look like this:
192.168.X.0 0.0.Y.255
and we need to figure out what values to use for X and Y.
Looking at the mask, 0.0.Y.255, we know this is correct, so far,
because 0 means "must match" and 255 means "don't care".
Now, let's convert the 3rd octet to binary:
Decimal   Binary
   1      0000 0001
   2      0000 0010
   3      0000 0011
   4      0000 0100
   5      0000 0101
From the above, it's easy to see that the first 5 bits from left to right
are the same. Only the last 3 bits vary. Given 3 consecutive bits that vary,
there are 2**3 = 8 potential values that those 3 bits can have: 000, 001,
010, 011, 100, 101, 110, and 111. Therefore, if the mask for the 3rd octet
is 5 bits, the acl will look like this:
192.168.0.0 0.0.7.255
X = 0 because the first 5 bits are all 0; the 3rd octet of the wildcard mask,
Y, is 7 because 7 = 111 in binary and 1 means "don't care".
So, there's no way to filter just 3 and 4 in the 3rd octet in one line with
an acl. And, if it can't be done with an acl, it can't be done with a prefix
list.
That said, it's always possible to filter an even subnet and the consecutive
odd subnet with one line.
For example, to filter just 4 and 5, your acl would look like this:
192.168.4.0 0.0.1.255
Let's see why. From the above table:
4 0000 0100
5 0000 0101
In this case, the first 7 bits are the same and equal to 4 in decimal. But,
since the 8th bit can be either 0 or 1, the wildcard for the 8th bit = 1 =
don't care.
HTH, Tim
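Tim's binary reasoning above, turned into a small Python script. This is an added example, not part of the original post: it takes a set of same-length subnets, sets a wildcard bit wherever the network addresses differ (Tim's "don't care" bits), and then enumerates every network the resulting single ACL line really matches, so over-matching (3 and 4 pulling in 0 through 7) shows up next to the exact cases (4 and 5). It goes one step beyond the post: the same rule shows that any two subnets whose 3rd octets differ in only one bit, such as 1 and 5, are also matchable with one line. The function names and the rendered ACL line are this example's own choices.

```python
import ipaddress

# Added example (not from the post). Wildcard semantics as the thread uses them:
# a 0 bit in the wildcard means "must match", a 1 bit means "don't care".
MASK32 = 0xFFFFFFFF


def wildcard_match(value, pattern, wildcard):
    """True when every 'must match' bit of value equals the pattern."""
    return ((value ^ pattern) & (~wildcard & MASK32)) == 0


def covered_networks(network, wildcard, prefixlen):
    """Enumerate every /prefixlen network that the (network, wildcard) entry matches."""
    wild = int(ipaddress.IPv4Address(wildcard))
    base = int(ipaddress.IPv4Address(network)) & (~wild & MASK32)
    host_bits = (1 << (32 - prefixlen)) - 1
    # "don't care" bits inside the network part are the ones that vary between prefixes
    var_bits = [b for b in range(32) if (wild >> b) & 1 and not (host_bits >> b) & 1]
    found = []
    for combo in range(1 << len(var_bits)):
        addr = base
        for i, bit in enumerate(var_bits):
            if (combo >> i) & 1:
                addr |= 1 << bit
        found.append(str(ipaddress.IPv4Network((addr, prefixlen))))
    return sorted(found, key=lambda n: int(ipaddress.IPv4Network(n).network_address))


def one_line_acl(networks):
    """Build the single 'network wildcard' pair Tim's method produces and report
    which networks beyond the requested ones that line would also match."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    lengths = {n.prefixlen for n in nets}
    if len(lengths) != 1:
        raise ValueError("all networks must share one prefix length")
    plen = lengths.pop()
    addrs = [int(n.network_address) for n in nets]
    differing = 0                      # bits that differ between any two addresses
    for a in addrs:
        differing |= addrs[0] ^ a
    host_bits = (1 << (32 - plen)) - 1
    wild = differing | host_bits       # host bits are always "don't care" for a /plen
    base = addrs[0] & (~wild & MASK32)
    network_s = str(ipaddress.IPv4Address(base))
    wildcard_s = str(ipaddress.IPv4Address(wild))
    wanted = {str(n) for n in nets}
    extras = [n for n in covered_networks(network_s, wildcard_s, plen) if n not in wanted]
    return network_s, wildcard_s, extras


def render(networks, acl_number=10):
    """Render the line as a standard ACL and say whether it is exact."""
    net, wild, extras = one_line_acl(networks)
    verdict = "exact" if not extras else "also matches " + ", ".join(extras)
    return "access-list %d permit %s %s   (%s)" % (acl_number, net, wild, verdict)


if __name__ == "__main__":
    for wanted in (["192.168.3.0/24", "192.168.4.0/24"],   # Bob's question
                   ["192.168.4.0/24", "192.168.5.0/24"],   # Tim's even/odd pair
                   ["192.168.1.0/24", "192.168.5.0/24"]):  # 3rd octets differ in one bit
        print(render(wanted))
```

Running it prints the 192.168.0.0 0.0.7.255 line for 3 and 4 together with the six extra /24s it lets through, and an exact line for the other two pairs. The check that matters operationally is the extras list: a one-line filter that silently admits neighbouring prefixes is the kind of thing a route filter review should catch.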
----- Original Message -----
From: "Bob Smith" <ccnet101@nmccentral.com>
To: "ccie2be" <ccie2be@nyc.rr.com>
Sent: Sunday, November 14, 2004 10:33 AM
Subject: Re: Prefix-list
> ccie2be,
>
> You have a very vast amount of knowledge. Are you CCIE? If you aren't,
> then you should be. I have a question though. I understand prefix lists,
> however, is there a way to block routes 3 and 4 from my original post in 1
> line? Or do you have to use two? To block them, do you have to do them
> individually? Any help would be great.
>
> Thanks
>
> ----- Original Message -----
> From: "ccie2be" <ccie2be@nyc.rr.com>
> To: "none" <alsontra@hotmail.com>; "'Bob Smith'" <ccnet101@nmccentral.com>;
> <ccielab@groupstudy.com>
> Sent: Sunday, November 14, 2004 7:04 AM
> Subject: Re: Prefix-list
>
> > Alsontra,
> >
> > When using acl's this way to filter routes as shown below, I assume the
> > host keyword could also be used instead of 0.0.0.0, correct?
> >
> > Taking some of Brian's examples from below:
> > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 EQUALS
> > access-list 100 permit ip host 10.0.0.0 host 255.255.0.0
> > Matches 10.0.0.0/16 - Only
> >
> > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0 EQUALS
> > access-list 100 permit ip host 10.0.0.0 host 255.255.255.0
> > Matches 10.0.0.0/24 - Only
> >
> > Also, if you have an acl like this:
> >
> > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> >
> > I think that there's no way to use a prefix-list to do the same thing
> > because with this acl, the 3rd octet can be anything and ip prefix-lists
> > can't have a discontinuous mask. Is that correct?
> >
> > TIA, Tim
> >
> > ----- Original Message -----
> > From: "none" <alsontra@hotmail.com>
> > To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Bob Smith'"
> > <ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
> > Sent: Saturday, November 13, 2004 1:29 PM
> > Subject: RE: Prefix-list
> >
> >
> > > I cannot remember when, but someone once said that using access-lists in
> > > this way pre-dates prefix-list. Meaning this was how you matched both a
> > > prefix(s) and its mask before some ultra savvy Cisco engineer invented or
> > > introduced the IOS to prefix-list.
> > >
> > > As to how IOS knows when you're matching a mask as opposed to a
> > > destination??? I think it just depends on usage. Perhaps one of the list
> > > elders can shed some light on the topic.... :-)
> > >
> > > Brian? Brian? Scott? Howard?? Paul?
> > >
> > > Alsontra
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie2be
> > > Sent: Saturday, November 13, 2004 10:29 AM
> > > To: none; 'Bob Smith'; ccielab@groupstudy.com
> > > Subject: Re: Prefix-list
> > >
> > > Hi Alsontra,
> > >
> > > I've known about this for a while, but I never understood one thing.
> > > Maybe you can clear this up.
> > >
> > > Consider the first example,
> > >
> > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > >
> > > How does IOS know that the "255.255.0.0 0.0.0.0" portion should be
> > > interpreted as
> > >
> > > <subnet mask> <wildcard mask of subnet mask>
> > >
> > > instead of as
> > >
> > > <destination prefix> <prefix mask>
> > >
> > > Granted, there aren't subnet destinations that begin with 255 since
> > > that's reserved for broadcast, but remember that number could be any
> > > number instead of 255.
> > >
> > > Any insight would be greatly appreciated.
> > >
> > > TIA, Tim
> > >
> > > ----- Original Message -----
> > > From: "none" <alsontra@hotmail.com>
> > > To: "'Bob Smith'" <ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
> > > Sent: Saturday, November 13, 2004 10:53 AM
> > > Subject: RE: Prefix-list
> > >
> > >
> > > > Try using an extended access-list - I've also attached a previous post
> > > > from Brian Dennis. If you can't figure it out I'll explain, but working
> > > > this out for yourself will do you good. Trust me.
> > > >
> > > > <snip>
> > > > Here is the syntax:
> > > > access-list <ACL #> permit ip <network> <wildcard mask of network>
> > > > <subnet mask> <wildcard mask of subnet mask>
> > > >
> > > > Here are some examples:
> > > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > > > Matches 10.0.0.0/16 - Only
> > > >
> > > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > > Matches 10.0.0.0/24 - Only
> > > >
> > > > access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > > Matches 10.1.1.0/24 - Only
> > > >
> > > > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> > > > Matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
> > > > /24 subnet mask.
> > > >
> > > > access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> > > > Matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
> > > > with a /24 subnet mask.
> > > >
> > > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> > > > Matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
> > > > network with a /28 subnet mask.
> > > >
> > > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> > > > Matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > > > octet of the network with a /24 to /32 subnet mask.
> > > >
> > > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> > > > Matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > > > octet of the network with a /25 to /32 subnet mask.
> > > >
> > > >
> > > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > > > bdennis@internetworkexpert.com Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987
> > > > Direct: 775-745-6404 (Outside the US and Canada)
> > > > </snip>
> > > >
> > > > HTH
> > > > Alsontra
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Bob Smith
> > > > Sent: Saturday, November 13, 2004 3:11 AM
> > > > To: ccielab@groupstudy.com
> > > > Subject: Prefix-list
> > > >
> > > > Say if I have 5 routes:
> > > >
> > > > 192.168.1.0/24
> > > > 192.168.2.0/24
> > > > 192.168.3.0/24
> > > > 192.168.4.0/24
> > > > 192.168.5.0/24
> > > >
> > > > With a prefix-list, is there any way to permit, say, only subnet 3 and
> > > > 4 with one line?
> > > > Or with an access-list?
> > > >
> > > > If so, can you put the solution in steps and break it out in binary? I
> > > > have spent so many hours and read so many posts, but they seem to be
> > > > contradicting themselves... just don't know how it can be done.... please
> > > > help
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
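To make the extended-ACL syntax quoted from Brian Dennis concrete, here is an added Python example (mine, not from the thread, from Cisco, or from IOS) that evaluates an ACL line against a route the way the snippet describes: the first address/wildcard pair is tested against the route's network, the second against the route's subnet mask, both with the usual wildcard rule (0 = must match, 1 = don't care). On Tim's two questions: the `host A` form is folded into `A 0.0.0.0` before parsing, since that is what the keyword means; and nothing in the line itself marks the second pair as a mask, so, as Alsontra says, it depends on usage, which here means the function simply interprets that field as a mask. `mask_lengths` lists which prefix lengths a `<subnet mask> <wildcard>` pair admits, reproducing the /24-to-/32 and /25-to-/32 ranges in the snippet, and `filter_routes` applies Tim's 192.168.4.0 0.0.1.255 answer to Bob's five routes. The sample routes and ACL lines are constructed for the example; the function names are this example's own.

```python
import ipaddress
import re

# Added example (not from the post). Models the extended-ACL usage quoted from
# Brian Dennis: the "source" pair matches the route's network, the
# "destination" pair matches the route's subnet mask.
MASK32 = 0xFFFFFFFF
ENTRY_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<net>[\d.]+)\s+(?P<net_wc>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<mask_wc>[\d.]+)\s*$")


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard semantics: 0 bit = must match, 1 bit = don't care."""
    return ((value ^ pattern) & (~wildcard & MASK32)) == 0


def parse_entry(line):
    """Split one extended ACL line into action and its four address fields (ints).
    'host A' is the same as 'A 0.0.0.0', so it is rewritten before matching."""
    normalised = re.sub(r"\bhost\s+([\d.]+)", r"\1 0.0.0.0", line.strip())
    m = ENTRY_RE.match(normalised)
    if not m:
        raise ValueError("not a 'network wildcard mask wildcard' entry: %r" % line)
    return {"action": m["action"],
            "net": to_int(m["net"]), "net_wc": to_int(m["net_wc"]),
            "mask": to_int(m["mask"]), "mask_wc": to_int(m["mask_wc"])}


def entry_matches_route(line, route):
    """True when the route's network and its subnet mask both pass the entry."""
    e = parse_entry(line)
    r = ipaddress.IPv4Network(route)
    return (wildcard_match(int(r.network_address), e["net"], e["net_wc"])
            and wildcard_match(int(r.netmask), e["mask"], e["mask_wc"]))


def mask_lengths(mask, mask_wc):
    """Prefix lengths the <subnet mask> <wildcard of subnet mask> pair admits."""
    return [length for length in range(33)
            if wildcard_match((MASK32 << (32 - length)) & MASK32,
                              to_int(mask), to_int(mask_wc))]


def filter_routes(acl_lines, routes):
    """First-match evaluation with the implicit deny at the end, as a route filter."""
    permitted = []
    for route in routes:
        for line in acl_lines:
            if entry_matches_route(line, route):
                if parse_entry(line)["action"] == "permit":
                    permitted.append(route)
                break
    return permitted


if __name__ == "__main__":
    # constructed sample: Bob's five /24s plus two longer prefixes that must not pass
    routes = ["192.168.%d.0/24" % i for i in range(1, 6)] + ["192.168.4.128/25", "192.168.5.0/26"]
    acl = ["access-list 100 permit ip 192.168.4.0 0.0.1.255 255.255.255.0 0.0.0.0"]
    print(filter_routes(acl, routes))                 # only 192.168.4.0/24 and 192.168.5.0/24
    print(mask_lengths("255.255.255.0", "0.0.0.255"))  # 24 .. 32
```

The mask-wildcard field is where route filters get silently loose: 255.255.255.0 0.0.0.255 admits every length from /24 to /32, so a filter written that way passes host routes as well as the /24 it was meant for. Running `mask_lengths` on each entry before deploying it makes that range explicit.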
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:45 GMT-3