IP Prefix List:
IP prefix lists are heavily used with routing protocols, mainly BGP.
A prefix list is the updated form of the traditional access list; unlike an ACL, a prefix list is easy to modify.
Similar to an ACL, there is an implicit deny at the end of the sequence.
To write a "permit any any" rule, use the prefix rule
ip prefix-list x permit 0.0.0.0/0 le 32
ip prefix-list x permit 0.0.0.0/0 >> permits the default route 0.0.0.0/0
Case 1
No conditions. For example, ip prefix-list x permit 10.20.3.0/24: the first 24 bits have to match, so it will permit only 10.20.3.x with mask 24.
Case 2
If ip prefix-list x permit 10.20.3.0/24 ge 25 le 27
Again the first 24 bits need to match 10.20.3; the 4th octet can change, on the condition that the subnet mask is 25 or greater and less than or equal to 27.
The subnet 10.20.3.32/27 will match the condition.
Case 3
If ip prefix-list x permit 10.20.3.0/24 ge 28 le 28
In this case there are 2 conditions: the first 24 bits are unchanged and the mask should be 28.
The following subnets will meet the conditions:
10.20.3.0/28
10.20.3.16/28
10.20.3.32/28
10.20.3.48/28
10.20.3.64/28
10.20.3.80/28
Case 4
If ip prefix-list x permit 10.20.3.0/25 ge 28 le 28
In this case we need to find the 25th bit, which is
0 0000011, so we can change only the other bits. In this case that is 0 1000000 through 0 1111111, but we can use only subnet mask 28.
We can go up to 127 (the 128 bit is unchanged).
For example, 10.20.3.16/28 will match the criteria.
Case 4
If ip prefix-list x permit 170.159.208.0/21 le 32
In this case it has to match the first 21 bits, with a subnet mask of 32 or less.
208 converts to binary as
11010 000, which means 11010xxx
The possible subnets are 209, 210, 211, 212, 213, 214, 215.
This rule covers a large number of subnets, which is useful in corporate networks.
Case 4
ip prefix-list 5 deny 10.168.0.0/23 ge 30 le 30
Binary of the 3rd octet with the 23rd bit: 000000xx
0000 0001 > 10.168.1.0
0000 0010 > 10.168.2.0
0000 0011 > 10.168.3.0
So it matches 10.168.1-3.0/30
In real life, we need to create a prefix list from the given networks.
For example, create a prefix list which matches 10.2.x.x/24, 10.4.x.x/24 and 10.6.x.x/24.
In this case the first octet is the same; we need to play with the second octet.
The binary conversion is
128 64 32 16 8 4 2 1
  0  0  0  0 0 0 0 0
To match 2, 4 and 6, we need to mask the bits at positions 1, 2 and 4,
which is 0000 0xxx > means /13
So the prefix is 10.0.0.0/13 ge 24 le 24
Case 5
Create a prefix list for the following networks
10.10.10.0/24
10.10.13.0/24
10.10.11.0/24
10.10.14.0/24
In this case the first 2 octets are the same; we need to modify the 3rd octet. So the binary conversion is
128 64 32 16 8 4 2 1. To meet the range 10-14, we need to mask 8, 4, 2 and 1. So the mask is /20.
So the prefix is ip prefix-list x permit 10.10.10.0/20 ge 24 le 24
Case 6
Create a prefix list for the following routes
10.8.3.x/24
10.8.4.x/25
10.8.5.x/26
10.8.7.x/27
10.8.9.x/30
In this case, to meet the range 3-9 in the 3rd octet, we need to mask the last 4 bits.
So the prefix is 10.8.0.0/20 ge 24 le 30
If you want to deny 10.8.6.0/24, then the prefix-list is
ip prefix-list 1 deny 10.8.6.0/24
ip prefix-list 1 permit 10.8.0.0/20 ge 24 le 30
Case 7
We need to create a prefix list for the 10.16.32-35.0/24 networks.
In this case the first 2 octets are unchanged.
We convert 32 into binary > 0010 0000
To get 33, we need to mask the last bit; for 34, the 2nd bit from the right; for 35, the last 2 bits.
So it will be 0010 00xx, which is /22
So the prefix is ip prefix-list X permit 10.16.32.0/22 ge 24 le 24
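To check a prefix list against candidate routes before applying it, the matching rules above (prefix bits, ge/le mask range, first match wins, implicit deny) can be modelled offline. This is an added example, not code from the original post; the function names parse_entry and evaluate are hypothetical, and it assumes the line form used on this page (no seq keyword), with the Case 2 entry written with name x and action permit.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/LEN [ge N] [le M]'."""
    tok = line.split()
    action = tok[3]
    net = ipaddress.ip_network(tok[4], strict=False)
    opts = dict(zip(tok[5::2], map(int, tok[6::2])))
    ge, le = opts.get("ge"), opts.get("le")
    # Allowed route mask range: no ge/le -> exactly LEN; ge only -> ge..32;
    # le only -> LEN..le; both -> ge..le.
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return action, net, lo, hi

def evaluate(entries, route):
    """Return the action of the first matching entry, else the implicit deny."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        # The first LEN bits must match and the route's mask must be in range.
        if lo <= r.prefixlen <= hi and r.network_address in net:
            return action
    return "deny"

# Constructed input: the two-line list from Case 6 and the entry from Case 2.
CASE6 = [parse_entry(l) for l in (
    "ip prefix-list 1 deny 10.8.6.0/24",
    "ip prefix-list 1 permit 10.8.0.0/20 ge 24 le 30",
)]
CASE2 = [parse_entry("ip prefix-list x permit 10.20.3.0/24 ge 25 le 27")]

if __name__ == "__main__":
    for route in ("10.8.3.0/24", "10.8.6.0/24", "10.8.6.128/25", "10.8.0.0/20"):
        print(route, evaluate(CASE6, route))
    for route in ("10.20.3.32/27", "10.20.3.0/24", "10.20.3.16/28"):
        print(route, evaluate(CASE2, route))
```

Note that 10.8.6.128/25 comes back as permit: the deny line in Case 6 matches only the exact /24, so more-specific routes inside 10.8.6.0/24 still reach the permit line unless the deny also carries a le condition.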