From: Danny Muizebelt (Danny.Muizebelt@osiatis.at)
Date: Fri Sep 30 2005 - 06:07:43 GMT-3
Hi Venkat,
A late answer from me. (I'm catching up on the list)
I'll try to explain how I learned prefix lists; I hope it works for you too.
Prefix lists and access lists are different in purpose. While access-lists can be used to filter packets they can also filter single packets. Prefix lists are especially designed to filter prefixes (hence the name) and cannot be used to filter packets. This specialisation brings a speed improvement, and they are therefore the preferred way to filter prefixes.
Also, prefix lists don't use the wildcard mask access-lists have. They just use the subnet mask or prefix length.
The most confusing part about prefix lists is that the use of the prefix statement changes when used with le or ge.
The simplest prefix statement would be:
Ip prefix-list TEST seq 10 permit 192.168.1.0/24
In English this would match ONLY the prefix/route entry 192.168.1.0 with a mask of 255.255.255.0. Nothing bigger nothing smaller. 192.168.1.0/24 would be permitted but 192.168.1.128/25 would be denied.
What does a default route look like in the "sh ip route"? Right, as 0.0.0.0/0. Want to match it with a prefix list?
Ip prefix-list TEST seq 20 permit 0.0.0.0/0
Quite simple when you know how it works.
Now on with the LE and GE statements:
Here the prefix statement defines NOT a single prefix but the RANGE of prefixes which should match. The LE and GE statements are there to define the extent of the range. Just remember that with GE "Greater Equal" the number of hosts on the subnet does not become "greater"; only the prefix becomes "greater", which in fact means a smaller network with fewer hosts.
Ip prefix-list TEST seq 30 permit 172.16.0.0/16 le 24
This would match all prefixes bigger or equal than 172.16.0.0/16 but the prefix should be less or equal than 25. So it matches the prefix range from 16 to 24.
Want to match all the little networks in your AS?
Ip prefix-list TEST seq 40 permit 172.16.0.0/16 ge 25
It matches here all the networks within the 172.16.0.0/16 range with a prefix length from /25 to /32. 172.16.34.192/26 would be matched but 172.16.34.0/24 would not.
You can also combine the GE and LE statements. For example I want to match all the prefixes with a prefix length from /16 till /24.
Ip prefix-list TEST seq 50 permit 0.0.0.0/0 ge 16 le 24
So 172.19.0.0/16 would match, so would 192.168.224.0/19 and 10.123.1.0/24. 10.128.0.0/9 or 10.123.1.128/25 would NOT match.
If I wanted to limit my match to the 10.0.0.0/8 network I would have used:
Ip prefix-list TEST seq 60 permit 10.0.0.0/8 ge 16 le 24
So the main thing to remember is that the prefix list statement WITHOUT the LE or GE statement defines a single prefix. WITH the LE and GE statement it defines a subset of prefixes.
Sorry for the long answer, I hope everything is a bit clearer now.
Cheers,
Danny
Danny Muizebelt
-----------------------------------------------------------------
OSIATIS Computer Services GmbH
Tel.: +43-1-79 520
-----------------------------------------------------------------
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Venkataramanaiah.R
> Sent: Saturday, 17 September 2005 18:11
> To: Jens Petter Eikeland
> Cc: ccielab@groupstudy.com
> Subject: Re: SV: Match Any behaviour in Prefix lists
>
> :-) Although I am right with my configs, I am having a hard time memorizing
> it, because, honestly, I am still not getting the basics behind it.
>
> The problem I have here is understanding it when comparing prefix lists with
> access-lists. In access-lists we use inv-masks and at other places we use
> standard masks. And in some situations, prefix list operation seems to match
> with the standard mask and in some cases with the inv-mask.
>
> I think it is better I leave this at this stage and come back to it a
> little later. Maybe I can look at it from a different perspective then.
>
> Anyways, thanks to all
>
> -Venkat
>
> On 9/17/05, Jens Petter Eikeland <jenseike@start.no> wrote:
> >
> > Hi,
> > You are right, sorry about that. I don't know why I wrote it down
> > incorrectly.
> >
> > This is as it should be:
> > To deny the default route 0.0.0.0/0:
> >
> > ip prefix-list abc deny 0.0.0.0/0
> >
> > To permit all routes with a prefix of 0/0:
> >
> > ip prefix-list abc permit 0.0.0.0/0 le 32
> >
> > You can check it out in the documentation:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/iprrp_r/ip2_i1g.htm#wp1039727
> >
> > Jens P
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Venkataramanaiah.R
> > Sent: 17 September 2005 15:41
> > To: Leigh Harrison
> > Cc: ccielab@groupstudy.com
> > Subject: Re: SV: Match Any behaviour in Prefix lists
> >
> > Guys, although I agree that your way of interpreting the default route
> > sounds logical to me, it is not working that way practically. I even
> > applied the same logic; however, it is not working when I lab it up.
> > The default route gets in only when I permit 0.0.0.0/0 and not with
> > 0.0.0.0/32.
> >
> > Well, if you look at permit all, it works fine with our logic, i.e., permit
> > 0.0.0.0/0 le 32 works for permit all.
> >
> > Again, for deny all, the same logic does not work. To deny all, only deny
> > 0.0.0.0/0 works.
> >
> > Could you guys lab it and confirm?
> >
> > Thanks for your attempt to clarify
> >
> > -Venkat
> >
> >
> > On 9/17/05, Leigh Harrison <ccileigh@gmail.com> wrote:
> > >
> > > Venkat,
> > >
> > > The way I think of it is:-
> > >
> > > ip prefix-list test permit 192.168.0.0/16 le 32
> > >
> > > The way I read it is the prefix that I'm looking for has to start
> > > 192.168.x.x and have a mask of less than or equal to 32 bits - so the
> > > mask has to be between 16 and 32 bits and begin with 192.168 and it's in.
> > >
> > > The bit that got me was making the difference between a prefix-list and
> > > an access-list.
> > >
> > > For the default route:-
> > > ip prefix-list test permit 0.0.0.0/32
> > >
> > > This one reads "The prefix that I'm looking for has to start 0.0.0.0 and
> > > have a mask of 32" - think "1 in the mask = unchangeable bits" - so the
> > > only thing it will allow here is 0.0.0.0 - no need to put any ge or le
> > > on the end as 32 bits is pretty definitive!!
> > >
> > > For all routes:-
> > > ip prefix-list test permit 0.0.0.0/0 le 32
> > >
> > > This one reads "The prefix that I'm looking for has to start 0.0.0.0 and
> > > have a mask of 0" - think "1 in the mask = unchangeable bits" - as it's a
> > > 0, there are no bits that are fixed. The less than or equal to at the
> > > end reads "but has to have a mask of 32 bits or less" - which will cover
> > > everything.
> > >
> > > To read the last example as a whole:-
> > > "I am looking for a prefix that has any number in it, with a mask of 32
> > > bits or less"
> > >
> > > To read the first example as a whole:-
> > > "I am looking for a prefix that begins with 192.168 and has a mask of
> > > 32 bits or less"
> > >
> > > Hope that helps
> > >
> > > LH
> > >
> > >
> > > Jens Petter Eikeland wrote:
> > >
> > > >Hi,
> > > >
> > > >I was wondering the same thing a while ago. Here is how it is:
> > > >
> > > >prefix-list to match the "default-route" is;
> > > >
> > > >ip prefix-list mebean permit 0.0.0.0/32
> > > >
> > > >all the first 32 bits "must" be zeros.
> > > >
> > > >
> > > >prefix-list to match "any" route is;
> > > >
> > > >ip prefix-list mrbean permit 0.0.0.0/0 le 32
> > > >
> > > >All the 32 bits can be "anything" and can have any mask.
> > > >
> > > >Jens Petter Eikeland
> > > >
> > > >-----Original Message-----
> > > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Venkataramanaiah.R
> > > >Sent: 17 September 2005 10:39
> > > >To: ccielab@groupstudy.com
> > > >Subject: Match Any behaviour in Prefix lists
> > > >
> > > >Any idea what we configure for match any when you use the prefix
> > > >lists?
> > > >
> > > >In the case of deny, only 0.0.0.0/0 matches all the routes.
> > > >
> > > >In the case of permit, only 0.0.0.0/0 le 32 matches all the
> > > >routes. Just 0.0.0.0/0 does not match all traffic; rather,
> > > >it matches just the default route, when used with a permit command.
> > > >
> > > >I am sure this is something to do with the way the prefix lists operate,
> > > >which is apparently not clear to me.
> > > >
> > > >Can someone clarify?
> > > >
> > > >TIA
> > > >-Venkat
> > > >
> > > >_______________________________________________________________________
> > > >Subscription information may be found at:
> > > >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:17 GMT-3
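
Added example (not part of the original thread and not any poster's code): a small Python model of the prefix / ge / le matching rules explained in Danny Muizebelt's reply at the top, with first-match evaluation and the implicit deny at the end of a list. The function names and the `seq` numbers on the `abc` entries are assumptions made for this sketch; the statements themselves are the ones quoted in the thread.

```python
import ipaddress

def parse(line):
    """Parse 'ip prefix-list NAME seq N permit|deny PFX/LEN [ge X] [le Y]'."""
    tok = line.split()
    i = tok.index("seq")
    # Remaining tokens come in keyword/value pairs: ge X, le Y.
    opts = dict(zip(tok[i + 4::2], map(int, tok[i + 5::2])))
    return {"seq": int(tok[i + 1]), "action": tok[i + 2],
            "net": ipaddress.ip_network(tok[i + 3]),
            "ge": opts.get("ge"), "le": opts.get("le")}

def entry_matches(entry, route):
    """True if route lies inside the entry's prefix AND its mask length is in range."""
    net, ge, le = entry["net"], entry["ge"], entry["le"]
    if ge is None and le is None:
        lo = hi = net.prefixlen            # no ge/le: exactly this one prefix
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32  # ge alone runs up to /32
    return lo <= route.prefixlen <= hi and route.subnet_of(net)

def evaluate(lines, route):
    """Return (action, seq) of the first matching entry, or the implicit deny."""
    route = ipaddress.ip_network(route)
    for entry in sorted(map(parse, lines), key=lambda e: e["seq"]):
        if entry_matches(entry, route):
            return entry["action"], entry["seq"]
    return "deny", None                    # nothing matched: implicit deny

# Constructed list: the two 'abc' statements from the thread, seq numbers added.
ABC = [
    "ip prefix-list abc seq 5 deny 0.0.0.0/0",
    "ip prefix-list abc seq 10 permit 0.0.0.0/0 le 32",
]

if __name__ == "__main__":
    for r in ("0.0.0.0/0", "10.123.1.0/24", "172.16.34.192/26"):
        print(r, evaluate(ABC, r))
```

With the `abc` list only the default route is dropped; every other prefix falls through to the `le 32` entry.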