Exclude subnet from summarized address block

James_niel1
Level 1

Hi all hope you can help,

I'm very new to ACLs, especially to advanced prefix lists.

I am trying to exclude the 10.111.113.0/24 subnet from 10.111.112.0/23 using a prefix list:


ip prefix-list TEST seq 10 deny 10.111.112.0/23 ge 24 le 24
ip prefix-list TEST seq 10 permit 192.168.112.0/23 ge 25 le 30

Can someone tell me why this is not working? Or could someone explain how to do/read/understand it correctly?

Thanks for all your help


Mahesh Gohil
Level 7

Hello James,

ip prefix-list TEST seq 10 deny 10.111.112.0/23 ge 24 le 24
ip prefix-list TEST seq 10 permit 192.168.112.0/23 ge 25 le 30

The seq number is the same in both statements, and the two IPs are different.

> If the peer is advt. only the /23 prefix, it is not possible to block a single /24 from that supernet.

> If the peer is advt. both /24 IPs, you can try this:

ip prefix-list TEST seq 10 permit 10.111.113.0/24 le 30
ip prefix-list TEST seq 15 deny 10.111.112.0/23 le 30

Hope this helps

Regards

Mahesh

Hi James,

As Mahesh mentioned, you are using the same seq # for both statements, and your first statement "ip prefix-list TEST seq 10 deny 10.111.112.0/23 ge 24 le 24" blocks both 10.111.112.0/24 and 10.111.113.0/24.

Regards,

Lei Tian

Thanks Lei,

But how should I permit 10.111.112.0/24 traffic while blocking 10.111.113.0/24?

I know that I am missing something but cannot figure out what. Could you tell me what the correct syntax would be?

Thanks

hi,

ip prefix-list test seq 10 permit 10.111.112.0/24

ip prefix-list test seq 20 deny 10.111.113.0/24

regards.

Don't forget to rate helpful posts.

Hello James,

If I understood correctly, your peer is advt. 10.111.112.0/23 and you want to block 10.111.113.0/24 and allow 10.111.112.0/24 from that supernet.

Well, if the peer is advt. only the /23 pool, you can strip off the /24 while matching in the prefix list.

The above is possible only if your peer is advt. two /24 routes.

ip prefix-list TEST seq 10 deny 10.111.112.0/23 ge 24 le 24 

the above policy means

10.111.112.0/24 and 10.111.113.0/24 will be considered for deny, but only if the peer advt. them in /24 format.

ip prefix-list TEST seq 15 permit 10.111.112.0/23 ge 25 le 30

the above policy means

10.111.112.0/30 to 10.111.112.0/25 will be permitted, but only if advt. in this format.

So, as a summary, you can achieve what you want only if the peer is advt. routes in /24 subnets, with the below prefix-list:

ip prefix-list test seq 5 permit 10.111.112.0/24

ip prefix-list test seq 10 deny 10.111.113.0/24

Hope the above explanation is meaningful to you.

Regards

Mahesh
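As an added illustration that is not part of any post in this thread: a small Python model of the ge/le matching rules described above, run over the two lists from the thread (James's second entry is renumbered to seq 15 so both entries survive, which is how Mahesh reads them). It shows that "deny 10.111.112.0/23 ge 24 le 24" catches both /24s, that neither explicit entry ever matches the /23 summary, and that the two-line list permits 10.111.112.0/24 while dropping 10.111.113.0/24.

```python
import ipaddress

# Constructed, simplified model of how a Cisco IOS "ip prefix-list" matches a
# route (not a real IOS implementation). An entry matches when the route lies
# inside the entry's prefix AND the route's length satisfies ge/le; with
# neither keyword the length must match exactly. Entries are tried in seq
# order; a route that matches nothing hits the implicit deny at the end.

def make_entry(seq, action, prefix, ge=None, le=None):
    net = ipaddress.ip_network(prefix, strict=False)
    if ge is None and le is None:
        lo = hi = net.prefixlen            # exact-length match
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32  # IOS default when only ge is given
    return {"seq": seq, "action": action, "net": net, "lo": lo, "hi": hi}

def evaluate(entries, route):
    """Return (action, seq) for a route; seq is None on the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for e in sorted(entries, key=lambda e: e["seq"]):
        if r.subnet_of(e["net"]) and e["lo"] <= r.prefixlen <= e["hi"]:
            return e["action"], e["seq"]
    return "deny", None

# James's first attempt, with distinct sequence numbers (in IOS the second
# "seq 10" would otherwise overwrite the first).
FIRST_TRY = [
    make_entry(10, "deny", "10.111.112.0/23", ge=24, le=24),
    make_entry(15, "permit", "10.111.112.0/23", ge=25, le=30),
]

# The two-line list the replies converge on.
WORKING = [
    make_entry(5, "permit", "10.111.112.0/24"),
    make_entry(10, "deny", "10.111.113.0/24"),
]

# Constructed sample routes: the two /24s, the /23 summary, and a /25.
ROUTES = ["10.111.112.0/24", "10.111.113.0/24", "10.111.112.0/23", "10.111.112.128/25"]

def decisions(entries, routes=ROUTES):
    """Map each route to the (action, seq) the prefix-list yields for it."""
    return {r: evaluate(entries, r) for r in routes}

if __name__ == "__main__":
    for name, pl in (("FIRST_TRY", FIRST_TRY), ("WORKING", WORKING)):
        print(name)
        for route, (action, seq) in decisions(pl).items():
            print(f"  {route:<18} -> {action} (seq {seq})")
```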

Hi James,

As mentioned by other folks, you can filter the /24 only if the peer is advertising the /24. A prefix-list is used to filter control traffic, like route advertisements; if you want to filter data traffic, you need to use an ACL.

hope this makes sense

Regards,

Lei Tian

Thanks for coming back to me. I'm not sure if it's me or my GNS3 software, but when I try to filter the summarized IP address block I can still see it appearing in the OSPF routing table of the routers (I am redistributing from EIGRP networks into OSPF), and I am able to ping both addresses. However, if I remove summarization and leave two individual /24 networks, my filter does work and the network does not appear in the routing table. Can someone explain what the catch is here? I assumed that, as with an extended ACL, I have to match the whole summarized block, then deny the 113/24 address and permit everything else.

That's why I was matching the whole block at first:

ip prefix-list TEST seq 10 deny 10.111.112.0/23 ge 24 le 24
ip prefix-list TEST seq 10 permit 192.168.112.0/23 ge 25 le 30

Thanks

Hi James,

couple things here:

1, you can't filter the /24 if you only receive the summary /23. The router has to see the /24 in order to filter it.

2, if you leak both /24 and the /23 out, you can filter /24, but your ping will still work. The ping will follow the summary /23.

Regards,

Lei Tian

Thanks, this makes much more sense.

Thanks for clarifying things for me.