Grrrrr, for some reason the RFC1918 example in my last post got
crunched.....hopefully this is better!
Let's take the RFC1918 private address blocks for an example. Here is a
prefix-list that will deny all of them
ip prefix-list No-RFC1918 deny 10.0.0.0/8 le 32
ip prefix-list No-RFC1918 deny 172.16.0.0/12 le 32
ip prefix-list No-RFC1918 deny 192.168.0.0/16 le 32
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joe
Astorino
Sent: Thursday, May 07, 2009 5:20 AM
To: 'Jared Scrivener'; 'Khurram Noor'
Cc: 'Cisco certification'
Subject: RE: Prefix-list
Awesome stuff Jared! Guys, if you are having any issues with prefix-lists I
would highly recommend you check out what Jared has to say. Last week at
Ipexpert bootcamp, some of the students were struggling with this technology
in particular, and after 10 minutes many of them were like "wow, I've never
grasped this and now I totally get it." It would definitely be worth your
time, even if you understand it to get another perspective.
Khurram, I'm sure Jared will cover any of your questions in more detail but
basically
In the simplest form a prefix-list simply matches an EXACT prefix. Forget
about masks for now. For example:
Ip prefix-list pants permit 192.168.1.0/24 <------- This will permit ONLY
the specific network 192.168.1.0/24 , nothing more , nothing less.
Ip prefix-list foo permit 10.2.34.0/17 <------ This will permit ONLY the
specific network 10.2.34.0/17, nothing more, nothing less
There is also an option in prefix-lists to match subnet mask length using
the keywords le / ge . Do not let this confuse you, it is a totally
separate thing than what we just discussed. Here is an example:
Let's take the RFC1918 private address blocks for an example. Here is a
prefix-list that will deny all of them
ip prefix-list No-RFC1918 deny 10.0.0.0/8 le 32 ip prefix-list No-RFC1918
deny 172.16.0.0/12 le 32 ip prefix-list No-RFC1918 deny 192.168.0.0/16 le 32
Now, the explanation. In a prefix-list the / specifies how many bits you
"care" about, and the le or ge option specifies the bits in your mask. So
for instance with 10.0.0.0/8 le 32 we are saying the first 8 bits of the
prefix MUST be equal to the first 8 bits of 10.0.0.0 AND the mask of those
routes must be less than or equal to 32. With 192.168.0.0/16 we are saying
the first 16 bits MUST be equal to 192.168 AND the mask of those routes must
be less than or equal to 32. So again anything starting with 192.168 will
match.
Here is something a little trickier:
Ip prefix-list pants permit 192.168.0.0/16 le 24 <-------- So this says
the first 16 bits MUST be 192.168 , AND the mask must be LE 24. So what
routes match this?
192.168.0.0/24
192.168.0.0/23
192.168.0.0/22
192.168.0.0/21
192.168.0.0/20
...
192.168.1.0/24
192.168.1.0/23
192.168.1.0/22
192.168.1.0/21
192.168.1.0/20
...
192.168.2.0/24
192.168.2.0/23
192.168.2.0/22
192.168.2.0/21
192.168.2.0/20
...
And so on and so forth... So 192.168.x.x with any mask 24 and less!
I hope that helps man, but definitely tune into Jared's Ask The Expert as he
can explain it better than I can type it! Apologies for any errors it's 5:20
AM and I've been labbing all night hehe
"He not busy being born is busy dying" -- Dylan
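Added example (not part of the original thread and not vendor code): a small Python model of the prefix-list matching rules described in the message above, run against constructed sample routes. The route list and the final "permit 0.0.0.0/0 le 32" entry are assumptions added for illustration; a prefix-list ends in an implicit deny, so the three deny lines on their own would reject every route.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/len [ge N] [le N]'."""
    tok = line.split()
    action = tok[3]
    net = ipaddress.ip_network(tok[4], strict=False)  # host bits are masked off
    opts = dict(zip(tok[5::2], map(int, tok[6::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen              # no ge/le: exact mask length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    return action, net, lo, hi

def evaluate(entries, route):
    """Return the action of the first matching entry, else the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for action, net, lo, hi in entries:
        # The bits covered by the entry's /len must be equal AND
        # the route's mask length must fall inside [lo, hi].
        if lo <= r.prefixlen <= hi and r.network_address in net:
            return action
    return "deny (implicit)"

# The three deny lines from the thread, plus a constructed final permit.
NO_RFC1918 = [parse_entry(l) for l in (
    "ip prefix-list No-RFC1918 deny 10.0.0.0/8 le 32",
    "ip prefix-list No-RFC1918 deny 172.16.0.0/12 le 32",
    "ip prefix-list No-RFC1918 deny 192.168.0.0/16 le 32",
    "ip prefix-list No-RFC1918 permit 0.0.0.0/0 le 32",   # assumption, not in the thread
)]
# The two "pants" examples from the thread, modelled as separate lists.
PANTS_EXACT = [parse_entry("ip prefix-list pants permit 192.168.1.0/24")]
PANTS_LE24 = [parse_entry("ip prefix-list pants permit 192.168.0.0/16 le 24")]

if __name__ == "__main__":
    # Constructed sample routes (documentation and private ranges only).
    for route in ("10.1.2.0/24", "172.20.0.0/16", "172.32.0.0/16",
                  "192.168.5.4/32", "198.51.100.0/24"):
        print(f"No-RFC1918   {route:18} -> {evaluate(NO_RFC1918, route)}")
    for route in ("192.168.4.0/22", "192.168.1.0/25", "192.168.0.0/15"):
        print(f"pants le 24  {route:18} -> {evaluate(PANTS_LE24, route)}")
```

In this model a route matches "192.168.0.0/16 le 24" only when its mask length is between 16 and 24, so the /25 and the /15 both fall through to the implicit deny.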
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Jared Scrivener
Sent: Thursday, May 07, 2009 3:32 AM
To: Khurram Noor
Cc: Cisco certification
Subject: Re: Prefix-list
Hey Khurram,
Send a time to Groupstudy and to me as to what time between 12 midday and
midnight today (in Pacific Standard Time which means between 11.5 and 23.5
hours from now, roughly) that you'll be available and I'll do a live Ask The
Expert session on it for you and anyone else who is interested to teach it
from the basics so ANYONE can understand. If you have a microphone connect
it to your PC and you'll get to ask me questions too (only you, as you asked
first and with 100 people in these lectures I can't scale that out easily,
so everyone else will have to type theirs).
You asked the question, so you can pick the time - plan for a one hour block
please and I'll send the Adobe Connect URL to everyone so others can watch
too. If I don't hear back by the time I wake up (it's 1230am
here) so I can plan my day, it won't happen but if I do it will, so
everyone's counting on you now. :)
I have to go to bed imminently so I won't confirm the time until I wake up,
but if you pick any slot in that window I'll make it work.
Congratulations on being the first person to Ask The Expert. ;)
Speak to you tomorrow,
Jared
On May 6, 2009, at 11:53 PM, Khurram Noor <engr.khurramnoor_at_googlemail.com> wrote:
> Hello everyone,
> I am having a hard time in understanding mechanism of prefix-list and
> how can it be related to acls. Is there any good resource/exercise/
> article which can help me understand prefix-list and show me how to
> convert ACL into Prefix-list.
>
> I will be thankful if anyone can help or just define how prefix-list
> work with some examples.
>
> --
> Khurram Noor
> Internetwork Professional
>
>
> Blogs and organic groups at http://www.ccie.net
>
> ______________________________________________________________________
> _
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu May 07 2009 - 05:33:12 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:42 ART