IP prefix-list matches

Ahmed Abdi
Level 1

Hello,

I am a bit confused with the prefix-list match statements. I want to get the match for this subnet 172.16.0.0/29; please correct me if I did it wrongly.

Here is the line:

ip prefix-list test1 seq 5 permit 172.16.0.0/16 ge 20 le 30   OR

ip prefix-list test1 seq 6 permit 172.16.0.0/29   for exact match

For my understanding, in the first statement the number 16 does not have anything to do with the netmask.

Please help me to fully understand this prefix-list concept.

Thanks

Ahmed

2 Accepted Solutions

Jon Marshall
Hall of Fame

When you use ge or le or both then the /16 as in your example specifies how many bits of the prefix you are checking.

So 172.16.0.0/16 means that any matches must have 172.16. as the first two octets.

Then ge 20 means the subnet mask is 255.255.240.0 or greater and le 30 means the subnet mask is 255.255.255.252 or less.

Taken together what that line is saying is match any prefix that has 172.16. as the first two octets with any subnet mask of 255.255.240.0 through to 255.255.255.252.

So it can potentially match a lot more than your second line.

Jon

Hello,

Jon's answer is completely correct; I am just giving you an example.

Suppose you have some routes in the routing table and you want to filter the red ones.

Show ip routes

172.16.0.0/16

172.16.1.0/24

172.16.2.0/24

172.16.5.128/25

172.16.7.0/23

1-You can write three prefix lists to exact match

Ip prefix-list filter deny 172.16.1.0/24

Ip prefix-list filter deny 172.16.2.0/24

Ip prefix-list filter deny 172.16.7.0/23

Ip prefix-list filter permit 0.0.0.0/0 le 32  [permitting the rest of the routes]

2-Or just one

Ip prefix-list filter deny 172.16.0.0/16 ge 23 le 24 [any routes starting with 172.16 with the subnet mask (equal to or greater than 23) and (equal to or smaller than 24)]

Ip prefix-list filter permit 0.0.0.0/0 le 32  [permitting the rest of the routes]

As you see, 172.16.5.128/25 starts with 172.16, but its subnet mask is 25, which is not in the range of ge 23 le 24, so it will not be filtered.

As you see, it is very user friendly.

Hope it helps,

Masoud
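
The matching rules described in the two answers above, as an added example that is not part of the original thread: a small Python model of how one prefix-list entry is evaluated (the route's leading bits against the entry's prefix, then the route's mask length against ge/le), run on the routes and lines quoted above. The function names are illustrative, first-match ordering with an implicit deny at the end is assumed as standard prefix-list behaviour rather than taken from the thread, and 172.16.7.0/23 has a host bit set so it is normalised to 172.16.6.0/23 here.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge N] [le N]'."""
    tokens = line.split()
    i = next(k for k, t in enumerate(tokens) if t in ("permit", "deny"))
    prefix = ipaddress.ip_network(tokens[i + 1], strict=False)
    opts = dict(zip(tokens[i + 2::2], map(int, tokens[i + 3::2])))
    if not opts:
        lo = hi = prefix.prefixlen             # no ge/le: exact mask length only
    else:
        lo = opts.get("ge", prefix.prefixlen)  # le alone starts at the entry's own length
        hi = opts.get("le", 32)                # ge alone runs up to /32
    return {"action": tokens[i], "prefix": prefix, "lo": lo, "hi": hi}

def entry_matches(entry, route):
    """True if the route's leading bits equal the entry's prefix and its
    mask length falls inside the entry's [lo, hi] range."""
    net = ipaddress.ip_network(route, strict=False)  # tolerate host bits, e.g. 172.16.7.0/23
    return net.subnet_of(entry["prefix"]) and entry["lo"] <= net.prefixlen <= entry["hi"]

def evaluate(lines, route):
    """First matching entry wins; no match means the implicit deny (assumed here)."""
    for entry in map(parse_entry, lines):
        if entry_matches(entry, route):
            return entry["action"]
    return "deny"

# The one-line filter from the answer above.
FILTER = [
    "ip prefix-list filter deny 172.16.0.0/16 ge 23 le 24",
    "ip prefix-list filter permit 0.0.0.0/0 le 32",
]
# Routes listed in the answer above.
ROUTES = ["172.16.0.0/16", "172.16.1.0/24", "172.16.2.0/24", "172.16.5.128/25", "172.16.7.0/23"]

# The two lines from the question.
RANGE_ENTRY = parse_entry("ip prefix-list test1 seq 5 permit 172.16.0.0/16 ge 20 le 30")
EXACT_ENTRY = parse_entry("ip prefix-list test1 seq 6 permit 172.16.0.0/29")

if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r:18} -> {evaluate(FILTER, r)}")
    for r in ["172.16.0.0/29", "172.16.200.0/24"]:  # second route is constructed
        print(r, "range:", entry_matches(RANGE_ENTRY, r), "exact:", entry_matches(EXACT_ENTRY, r))
```

The constructed route 172.16.200.0/24 matches the ge 20 le 30 entry but not the exact /29 entry, which is the difference between the two lines in the question.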
