From: Bob Smith (ccnet101@nmccentral.com)
Date: Sun Nov 14 2004 - 16:36:46 GMT-3
Thank you very much, great explanation... that's exactly what my math came out
to be... just wanting to make sure... not to break the NDA... but I don't know
the answer if that was the question!
----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "Group Study" <ccielab@groupstudy.com>; "Bob Smith"
<ccnet101@nmccentral.com>
Sent: Sunday, November 14, 2004 9:49 AM
Subject: Re: Prefix-list
> Hehe, thanks, I like that vote of confidence. However, once I am a ccie, I
> think I'll change my email name from ccie2be to something like ccieNOW.
>
> With respect to your filtering problem, I don't know off-hand, but I'll try
> to work out the answer in this post and see what happens.
>
> This is the original problem
>
> 192.168.1.0/24
> 192.168.2.0/24
> 192.168.3.0/24
> 192.168.4.0/24
> 192.168.5.0/24
>
> With a prefix-list (or with an access-list?), is there any way to permit,
> say, only subnets 3 and 4 with one line?
>
> OK, let's see if we can figure this out. Let's try with an acl first and if
> that works, we'll see if this can also be done with a prefix list.
>
> First, notice that the subnet mask is /24 for each subnet and that the only
> difference between the prefixes occurs in the 3rd octet.
>
> So, our acl will look like this:
>
> 192.168. X . 0 0.0.Y. 255
>
> and we need to figure what values to use for X and Y.
>
> Looking at the mask, 0.0.Y.255, we know this is correct, so far,
> because 0 means "must match" and 255 means "don't care".
>
> Now, let's convert the 3rd octet to binary:
>
> Decimal Binary
> 1 0000 0001
> 2 0000 0010
> 3 0000 0011
> 4 0000 0100
> 5 0000 0101
>
> From the above, it's easy to see that the first 5 bits from left to right
> are the same. Only the last 3 bits vary. Given 3 consecutive bits that vary,
> there are 2**3 = 8 potential values that those 3 bits can have: 000, 001,
> 010, 011, 100, 101, 110, and 111. Therefore, if the mask for the 3rd octet
> is 5 bits, the acl will look like this:
>
> 192.168.0.0 0.0.7.255
>
> X = 0 because the 1st 5 bits are all 0; the 3rd octet of the wildcard mask,
> Y, is 7 because 7 = 111 in binary and 1 means "don't care".
>
> So, there's no way to filter just 3 and 4 in the 3rd octet in one line with
> an acl. And, if it can't be done with an acl, it can't be done with a
> prefix list.
>
> That said, it's always possible to filter an even subnet and the consecutive
> odd subnet with one line.
>
> For example, to filter just 4 and 5, your acl would look like this:
>
> 192.168.4.0 0.0.1.255
>
> Let's see why. From above table
>
> 4 0000 0100
> 5 0000 0101
>
> In this case, the 1st 7 bits are the same and equal to 4 in decimal. But,
> since the 8th bit can be either 0 or 1, the wildcard for the 8th bit = 1 =
> don't care.
>
> HTH, Tim
>
> ----- Original Message -----
> From: "Bob Smith" <ccnet101@nmccentral.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>
> Sent: Sunday, November 14, 2004 10:33 AM
> Subject: Re: Prefix-list
>
>
> > ccie2be,
> >
> > You have a very vast amount of knowledge. Are you a CCIE? If you aren't,
> > then you should be. I have a question though. I understand prefix lists;
> > however, is there a way to block routes 3 and 4 from my original post in 1
> > line? Or do you have to use two? To block them, do you have to do them
> > individually? Any help would be great.
> >
> >
> > Thanks
> >
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "ccie2be" <ccie2be@nyc.rr.com>
> > To: "none" <alsontra@hotmail.com>; "'Bob Smith'"
> <ccnet101@nmccentral.com>;
> > <ccielab@groupstudy.com>
> > Sent: Sunday, November 14, 2004 7:04 AM
> > Subject: Re: Prefix-list
> >
> >
> > > Alsontra,
> > >
> > > When using acl's this way to filter routes as shown below, I assume the
> > > host keyword could also be used instead of 0.0.0.0, correct?
> > >
> > > Taking some of Brian's examples from below.
> > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 EQUALS
> > >
> > > access-list 100 permit ip host 10.0.0.0 host 255.255.0.0
> > >
> > > Matches 10.0.0.0/16 - Only
> > >
> > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
EQUALS
> > >
> > > access-list 100 permit ip host 10.0.0.0 host 255.255.255.0
> > >
> > > Matches 10.0.0.0/24 - Only
> > >
> > > Also, if you have an acl like this:
> > >
> > >
> > >
> > > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> > >
> > >
> > >
> > > I think that there's no way to use a prefix-list to do the same thing
> > > because with this acl, the 3rd octet can be anything and ip prefix-lists
> > > can't have a discontinuous mask. Is that correct?
> > >
> > >
> > >
> > >
> > >
> > > TIA, Tim
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "none" <alsontra@hotmail.com>
> > > To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Bob Smith'"
> > > <ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
> > > Sent: Saturday, November 13, 2004 1:29 PM
> > > Subject: RE: Prefix-list
> > >
> > >
> > > > I cannot remember when, but someone once said that using access-lists in
> > > > this way pre-dates prefix-lists. Meaning this was how you matched both a
> > > > prefix(es) and its mask before some ultra savvy Cisco engineer invented
> > > > or introduced the IOS to prefix-lists.
> > > >
> > > > As to how IOS knows when you're matching a mask as opposed to a
> > > > destination??? I think it just depends on usage. Perhaps one of the list
> > > > elders can shed some light on the topic.... :-)
> > > >
> > > > Brian? Brian? Scott? Howard?? Paul?
> > > >
> > > > Alsontra
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie2be
> > > > Sent: Saturday, November 13, 2004 10:29 AM
> > > > To: none; 'Bob Smith'; ccielab@groupstudy.com
> > > > Subject: Re: Prefix-list
> > > >
> > > > Hi Alsontra,
> > > >
> > > > I've known about this for a while, but I never understood one thing.
> > > > Maybe you can clear this up.
> > > >
> > > > Consider the first example,
> > > >
> > > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > > >
> > > > How does IOS know that the "255.255.0.0 0.0.0.0" portion should be
> > > > interpreted as
> > > >
> > > > <subnet mask> <wildcard mask of subnet mask>
> > > >
> > > > instead of as
> > > >
> > > > <destination prefix> <prefix mask>
> > > >
> > > > Granted, there aren't subnet destinations that begin with 255 since
> > > > that's reserved for broadcast, but remember that number could be any
> > > > number instead of 255.
> > > >
> > > > Any insight would be greatly appreciated.
> > > >
> > > > TIA, Tim
> > > >
> > > > ----- Original Message -----
> > > > From: "none" <alsontra@hotmail.com>
> > > > To: "'Bob Smith'" <ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
> > > > Sent: Saturday, November 13, 2004 10:53 AM
> > > > Subject: RE: Prefix-list
> > > >
> > > >
> > > > > Try using an extended access-list - I've also attached a previous post
> > > > > from Brian Dennis. If you can't figure it out I'll explain, but working
> > > > > this out for yourself will do you good. Trust me.
> > > > >
> > > > > <snip>
> > > > > Here is the syntax:
> > > > > access-list <ACL #> permit ip <network> <wildcard mask of network>
> > > > > <subnet mask> <wildcard mask of subnet mask>
> > > > >
> > > > > Here are some examples:
> > > > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > > > > Matches 10.0.0.0/16 - Only
> > > > >
> > > > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > > > Matches 10.0.0.0/24 - Only
> > > > >
> > > > > access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > > > Matches 10.1.1.0/24 - Only
> > > > >
> > > > > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> > > > > Matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
> > > > > /24 subnet mask.
> > > > >
> > > > > access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> > > > > Matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
> > > > > with a /24 subnet mask.
> > > > >
> > > > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> > > > > Matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
> > > > > network with a /28 subnet mask.
> > > > >
> > > > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> > > > > Matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > > > > octet of the network with a /24 to /32 subnet mask.
> > > > >
> > > > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> > > > > Matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > > > > octet of the network with a /25 to /32 subnet mask
> > > > >
> > > > >
> > > > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > > > > bdennis@internetworkexpert.com Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987
> > > > > Direct: 775-745-6404 (Outside the US and Canada)
> > > > > </snip>
> > > > >
> > > > > HTH
> > > > > Alsontra
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > Bob Smith
> > > > > Sent: Saturday, November 13, 2004 3:11 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Prefix-list
> > > > >
> > > > > Say if I have 5 routes:
> > > > >
> > > > > 192.168.1.0/24
> > > > > 192.168.2.0/24
> > > > > 192.168.3.0/24
> > > > > 192.168.4.0/24
> > > > > 192.168.5.0/24
> > > > >
> > > > > With a prefix-list, is there any way to permit, say, only subnets 3 and
> > > > > 4 with one line?
> > > > > Or with an access-list?
> > > > >
> > > > > If so, can you put the solution in steps and break it out in binary? I
> > > > > have spent so many hours reading so many posts, but they seem to be
> > > > > contradicting themselves... just don't know how it can be done... please
> > > > > help
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
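The binary reasoning in the thread above (which subnets a single "<network> <wildcard>" line can isolate, and Brian Dennis's "prefix plus mask" reading of an extended access-list) as an added worked example in Python. This is not code from any of the posters; the route lists it is fed are constructed for illustration. It goes a little beyond the thread: the XOR construction works for any set of same-length prefixes, and it also shows that a pair such as subnets 1 and 3 is reachable in one line with a non-contiguous wildcard (0.0.2.255), which an ACL can express and a prefix-list cannot.

```python
"""Wildcard-mask arithmetic behind the ACL / prefix-list thread above (added example)."""
import ipaddress
from typing import List, Sequence, Tuple

MASK32 = 0xFFFFFFFF


def _a(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _s(v: int) -> str:
    return str(ipaddress.IPv4Address(v))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = ~_a(wildcard) & MASK32
    return (_a(addr) & care) == (_a(base) & care)


def single_line_acl(prefixes: Sequence[str]) -> Tuple[str, str, bool]:
    """Smallest '<network> <wildcard>' line covering all given equal-length prefixes.

    Every bit that differs between two inputs becomes 'don't care' (OR of the XORs),
    and the host bits are 'don't care' too, as in the 0.0.Y.255 masks in the thread.
    The line is exact only when 2**(number of varying network bits) equals the number
    of distinct prefixes; otherwise it also permits prefixes nobody asked for.
    """
    nets = [ipaddress.IPv4Network(p, strict=False) for p in prefixes]
    if len({n.prefixlen for n in nets}) != 1:
        raise ValueError("all prefixes must share one prefix length")
    host_bits = int(nets[0].hostmask)
    vals = sorted({int(n.network_address) for n in nets})
    wildcard = host_bits
    for v in vals[1:]:
        wildcard |= vals[0] ^ v
    base = vals[0] & ~wildcard & MASK32
    varying = wildcard & ~host_bits
    exact = (1 << bin(varying).count("1")) == len(vals)
    return _s(base), _s(wildcard), exact


def covered_networks(base: str, wildcard: str, prefixlen: int) -> List[str]:
    """Every /prefixlen network that the line '<base> <wildcard>' lets through."""
    host_bits = int(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)
    varying_bits = [b for b in range(32) if (_a(wildcard) & ~host_bits) >> b & 1]
    fixed = _a(base) & ~_a(wildcard) & MASK32
    vals = []
    for combo in range(1 << len(varying_bits)):
        v = fixed
        for i, bit in enumerate(varying_bits):
            if combo >> i & 1:
                v |= 1 << bit
        vals.append(v)
    return [f"{_s(v)}/{prefixlen}" for v in sorted(vals)]


def parse_extended_entry(entry: str) -> dict:
    """Parse 'access-list N permit|deny ip <net> <wc> <mask> <wc-of-mask>'; 'host X' means 'X 0.0.0.0'."""
    tok = entry.split()
    i = tok.index("ip") + 1
    pairs = []
    while len(pairs) < 2:
        if tok[i] == "host":
            pairs.append((tok[i + 1], "0.0.0.0"))
        else:
            pairs.append((tok[i], tok[i + 1]))
        i += 2
    return {"action": tok[2], "net": pairs[0], "mask": pairs[1]}


def route_matches(entry: str, route: str) -> bool:
    """Route-filter reading of an extended ACL (Brian Dennis's syntax in the thread):
    the 'source' pair tests the route's network, the 'destination' pair its subnet mask."""
    e = parse_extended_entry(entry)
    n = ipaddress.IPv4Network(route, strict=False)
    return (wildcard_match(str(n.network_address), *e["net"])
            and wildcard_match(str(n.netmask), *e["mask"]))


def filter_routes(entries: Sequence[str], routes: Sequence[str]) -> List[str]:
    """Apply the list the way a distribute-list does: first matching line wins, implicit deny at the end."""
    permitted = []
    for r in routes:
        for e in entries:
            if route_matches(e, r):
                if parse_extended_entry(e)["action"] == "permit":
                    permitted.append(r)
                break
    return permitted


if __name__ == "__main__":
    # The five /24 routes from the original post, then the pairs discussed in the thread.
    for want in (["192.168.3.0/24", "192.168.4.0/24"],
                 ["192.168.4.0/24", "192.168.5.0/24"],
                 ["192.168.1.0/24", "192.168.3.0/24"]):
        base, wc, exact = single_line_acl(want)
        print(f"{want} -> {base} {wc}  exact={exact}  covers {covered_networks(base, wc, 24)}")
    # Constructed routes run through one of Brian's extended entries (10.X.X.X with /24 to /32).
    acl = ["access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255"]
    print(filter_routes(acl, ["10.1.2.0/24", "10.1.2.128/25", "10.1.0.0/23", "11.0.0.0/24"]))
```

Running it reproduces the thread's answers: subnets 3 and 4 collapse to 192.168.0.0 0.0.7.255, which also admits 0, 1, 2, 5, 6 and 7; subnets 4 and 5 give 192.168.4.0 0.0.1.255 exactly; and subnets 1 and 3 give 192.168.1.0 0.0.2.255 exactly, a discontinuous wildcard that no prefix-list can state in one entry.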
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:45 GMT-3