Wednesday, June 5, 2013

IP Prefix-List






IP prefix lists are heavily used in routing protocols, mainly BGP. A prefix list is the updated form of the traditional access list; unlike an ACL, a prefix list is easy to modify.

Similar to an ACL, there is an implicit deny at the end of the sequence.

To permit any prefix (the equivalent of a permit any any rule), use the prefix rule
ip prefix-list x permit 0.0.0.0/0 le 32
ip prefix-list x permit 0.0.0.0/0  >> permits only the default route 0.0.0.0/0

Case 1

No conditions. For example, ip prefix-list x permit 10.20.3.0/24: the first 24 bits have to match, so it will permit only 10.20.3.x with mask 24.

Case 2

If ip prefix-list 10.20.3.0/24 ge 25 le 27:
Again the first 24 bits need to match 10.20.3; the 4th octet can vary, on the condition that the subnet mask is 25 or greater and 27 or less.
The subnet 10.20.3.32/27 will match the condition.

Case 3

If ip prefix-list 10.20.3.0/24 ge 28 le 28: in this case there are 2 conditions; the first 24 bits are unchanged and the mask should be 28.
The following subnets will meet the conditions:
10.20.3.0/28
10.20.3.16/28
10.20.3.32/28
10.20.3.48/28
10.20.3.64/28
10.20.3.80/28

Case 4

 

If ip prefix-list 10.20.3.0/25 ge 28 le 28

In this case we need to find the 25th bit, which is
0  0000011, so we can change only the other bits. In this case 0 1000000 through 0 1111111, but we can use only subnet mask 28. We can go up to 127 (the 128 bit is unchanged).
For example, 10.20.3.16/28 will match the criteria.

Case 4

If ip prefix-list x permit 170.159.208.0/21 le 32
In this case it has to match the first 21 bits, with a subnet mask of up to 32.
Converting the 3rd octet (208) to binary:
11010 000, which means
11010xxx
The possible subnets are 209, 210, 211, 212, 213, 214, 215
This rule covers a large number of subnets, which is useful in corporate networks.

Case 4

ip prefix-list 5 deny 10.168.0.0/23 ge 30 le 30

Binary of 3rd octet with 23rd bit: 000000xx
0000 0001 > 10.168.1.0
0000 0010 > 10.168.2.0
0000 0011 > 10.168.3.0
So it matches 10.168.1-3.0/30

In real life, we need to create a prefix list from the given networks.

For example, create a prefix list which matches 10.2.x.x/24, 10.4.x.x/24 and 10.6.x.x/24.
In this case, the first octet is the same, so we need to play with the second octet.
The binary conversion is
128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 0
To match 2, 4 and 6, we need to mask the bits at positions 1, 2 and 4,
which is 0000 0xxx, meaning /13.
So the prefix is 10.0.0.0/13 ge 24 le 24


Case 5 

Create a prefix list for the following networks:
10.10.10.0/24
10.10.13.0/24
10.10.11.0/24
10.10.14.0/24
In this case the first 2 octets are the same; we need to modify the 3rd octet. So the binary conversion is
128 64 32 16 8 4 2 1. To meet the range 10-14, we need to mask 8, 4, 2 and 1. So the mask is /20.
So the prefix is ip prefix-list x permit 10.10.0.0/20 ge 24 le 24

Case 6

Create a prefix list for the following routes
10.8.3.x/24
10.8.4.x/25
10.8.5.x/26
10.8.7.x/27
10.8.9.x/30
In this case, to meet the range 3-9 in the 3rd octet, we need to mask the last 4 bits.
So the prefix is 10.8.0.0/20 ge 24 le 30
If you want to deny 10.8.6.0/24, then the prefix-list is
ip prefix-list 1 deny 10.8.6.0/24
ip prefix-list 1 permit 10.8.0.0/20 ge 24 le 30
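
To check a list like the one in Case 6 before applying it to a BGP neighbor, the matching rules can be modelled offline. The Python sketch below is an added example, not code from the original post or from any router software: it assumes the usual IOS semantics (exact mask when neither ge nor le is given, first match wins, implicit deny), writes the Case 6 network with all four octets, and uses constructed test routes.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge N] [le N]'."""
    tok = line.split()
    if tok[3] == "seq":                  # optional sequence number
        del tok[3:5]
    action = tok[3]
    # strict=False tolerates host bits in the entry, e.g. 10.10.10.0/20
    net = ipaddress.ip_network(tok[4], strict=False)
    opts = dict(zip(tok[5::2], map(int, tok[6::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen          # no ge/le: exact mask only
    else:
        lo = net.prefixlen if ge is None else ge
        hi = 32 if le is None else le    # ge alone runs up to /32
    return action, net, lo, hi

def evaluate(config_lines, route):
    """Return 'permit' or 'deny' for a route such as '10.8.3.0/24'."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in map(parse_entry, config_lines):
        # leading bits must equal the entry's, mask must fall in [lo, hi]
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action                # first matching entry wins
    return "deny"                        # implicit deny at the end

# Case 6 list (network written with all four octets)
CASE6 = [
    "ip prefix-list 1 deny 10.8.6.0/24",
    "ip prefix-list 1 permit 10.8.0.0/20 ge 24 le 30",
]

if __name__ == "__main__":
    # Constructed test routes, not taken from a real routing table
    for route in ["10.8.3.0/24", "10.8.6.0/24", "10.8.6.0/25",
                  "10.8.9.4/30", "10.8.0.0/20", "10.8.16.0/24"]:
        print(f"{route:<15} {evaluate(CASE6, route)}")
```

Note the result for 10.8.6.0/25: the deny entry matches only the exact /24, so longer prefixes inside 10.8.6.0 are still permitted by the second entry unless the deny also carries a le value.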



Case 7

We need to create a prefix list for the 10.16.32-35.0/24 networks.
In this case the first 2 octets are unchanged.
We convert 32 into binary > 0010 0000
In order to get 33, we need to mask the last bit; for 34, we need to mask the 2nd bit from the right; for 35, mask the last 2 bits.
So it will be 001000xx, which is /22
So the prefix is ip prefix-list X permit 10.16.32.0/22 ge 24 le 24


