And we know that in all things God works for the good of those who love him, who<sup class="footnote" data-fn="#fen-NIV-28145a" data-link="[a]”> have been called according to his purpose. ( Romans 8:28)
As promised, this is the second part of my laboratory for prefix-list. On the first part, I have explored how prefix-list can be used as an alternative options for access-list. To recap, in order to configure prefix-list, we have to do the two steps:
1. Define which network or IP address to permit or deny. This can be accomplished using the following command:
2. Apply the policy under any dynamic routing protocols.
distribute-list prefix
The above steps are just my simplified steps. For complete details, Cisco is providing a complete reference.
For this lab, I will be using the same topology as my previous Prefix-List Lab.
Additional Information:
I will be adding more subnets on Manila router as follows:
Lo5: 172.16.0.0/23 (Range : 172.16.0.1 – 172.16.1.255)
Laboratory Objective:
1. Create an Outbound Route Filtering in Singapore to allow only the routes that falls between 172.16.0.0/16 to 172.16.0.0/23 subnets. All other routes will be filtered out and will not be installed on Melbourne.
2. Add a new prefix 172.15.0.0/23 on Manila router. Allow an outbound prefix in Singapore to advertise this routes to Melbourne.
3. Apply an Outbound Prefix-list policy in Singapore to allow 172.16.30.0/24 & 172.16.40.0/24 to be advertise to Melbourne by using a prefix-list conditions above /23. Used the Greater Than (ge) Operations in Prefix-List.
Here is my Manila router configuration:
Manila(config)#int lo5
Manila(config-if)#ip add 172.16.0.1 255.255.254.0
And below is the current Singapore configs from the previous lab,
Singapore#show ip prefix-list
ip prefix-list FILTER-MANILA: 3 entries
seq 10 deny 172.16.10.0/24
seq 20 deny 172.16.20.0/24
seq 30 permit 0.0.0.0/0 le 32
Let me removed the sequence 30 and replaced it to satisfy the first objective of this lab.
Singapore(config)#no ip prefix-list FILTER-MANILA seq 30 permit 0.0.0.0/0 le 32
Now, let me add the new prefix-list,
Singapore(config)#ip prefix-list FILTER-MANILA seq 30 permit 172.16.0.0/16 le 23
Upon entering the new prefix-list, it does re-sync the routing information towards Melbourne router from Singapore router.
Singapore#
*Aug 7 21:32:14.251: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.23.3 (Serial2/1) is resync: intf route configuration changed
Let’s see what is the current routing information of Singapore router first,
Singapore#show ip route eigrp
!
Gateway of last resort is not set
100.0.0.0/24 is subnetted, 3 subnets
D 100.100.100.0 [90/2297856] via 192.168.23.3, 00:12:31, Serial2/1
D 100.100.110.0 [90/2297856] via 192.168.23.3, 00:12:31, Serial2/1
D 100.100.120.0 [90/2297856] via 192.168.23.3, 00:12:31, Serial2/1
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D 172.16.0.0/23 [90/2297856] via 192.168.12.1, 00:05:26, Serial2/0 <<< This is the new network which I have added in Manila router.
D 172.16.10.0/24 [90/2297856] via 192.168.12.1, 00:12:31, Serial2/0
D 172.16.20.0/24 [90/2297856] via 192.168.12.1, 00:12:31, Serial2/0
D 172.16.30.0/24 [90/2297856] via 192.168.12.1, 00:12:31, Serial2/0
D 172.16.40.0/24 [90/2297856] via 192.168.12.1, 00:12:31, Serial2/0
And now, let’s see what is the current Melbourne router routing table have.
Melbourne#show ip route eigrp
!
Gateway of last resort is not set
172.16.0.0/23 is subnetted, 1 subnets
D 172.16.0.0 [90/2809856] via 192.168.23.2, 00:07:07, Serial2/1
Melbourne#
Observation:
a. So it means that the prefix-list which I have applied in Singapore is only allowing subnet 172.16.0.0/23. You can calculate the IP range for this subnet. The IP range is between
172.16.0.1 – 172.16.1.255.
b. It also means that even though my Prefix-list statement in Singapore is allowing 172.16.30.0/24 & 172.16.40.0/24, it’s still filtered out because my last prefix-list statement is telling us to allow only within the range of 172.16.0.0/23.
Singapore#sh ip prefix-list
ip prefix-list FILTER-MANILA: 3 entries
seq 10 deny 172.16.10.0/24
seq 20 deny 172.16.20.0/24
seq 30 permit 172.16.0.0/16 le 23 <<< This only allows IP address within this range.
c. Let’s explore a bit by adding another Loopback address (172.15.0.0/23) which is not on the previous range. Let’s allow this from the Outbound Filtering which we applied in Singapore towards Melbourne router. The range for this subnet is 172.15.0.1 to 172.15.1.255.
Manila(config)#in lo 6
Manila(config-if)#ip add 172.15.0.1 255.255.254.0
As observed from Singapore router, the new routes from Manila were installed in its routing table.
Singapore#show ip route eigrp
!
Gateway of last resort is not set
100.0.0.0/24 is subnetted, 3 subnets
D 100.100.100.0 [90/2297856] via 192.168.23.3, 00:24:05, Serial2/1
D 100.100.110.0 [90/2297856] via 192.168.23.3, 00:24:05, Serial2/1
D 100.100.120.0 [90/2297856] via 192.168.23.3, 00:24:05, Serial2/1
172.15.0.0/23 is subnetted, 1 subnets
D 172.15.0.0 [90/2297856] via 192.168.12.1, 00:00:12, Serial2/0
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D 172.16.0.0/23 [90/2297856] via 192.168.12.1, 00:17:00, Serial2/0
D 172.16.10.0/24 [90/2297856] via 192.168.12.1, 00:24:05, Serial2/0
D 172.16.20.0/24 [90/2297856] via 192.168.12.1, 00:24:05, Serial2/0
D 172.16.30.0/24 [90/2297856] via 192.168.12.1, 00:24:05, Serial2/0
D 172.16.40.0/24 [90/2297856] via 192.168.12.1, 00:24:05, Serial2/0
Singapore#
d. Now, let me add a prefix-list in such a way that I will be permitting any ip address ranges that belongs to 172.15.0.0/23.
Singapore(config)#ip prefix-list FILTER-MANILA seq 40 permit 172.15.0.0/16 le 23
So here’s how my new prefix-list looks like,
Singapore# sh ip prefix-list
ip prefix-list FILTER-MANILA: 4 entries
seq 10 deny 172.16.10.0/24
seq 20 deny 172.16.20.0/24
seq 30 permit 172.16.0.0/16 le 23
seq 40 permit 172.15.0.0/16 le 23
Again the moment, I applied the new prefix-list, it does re-sync the route configurations to Melbourne from Singapore router.
Singapore#
*Aug 7 22:02:43.047: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.23.3 (Serial2/1) is resync: intf route configuration changed
Singapore#
I have also notice the same happening in Melbourne router.
Singapore#
*Aug 7 22:02:43.047: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.23.3 (Serial2/1) is resync: intf route configuration changed
Singapore#
Now, let’s have a look into the Melbourne routing table. So, this is the results I am expecting here.Sweet! I can see the network 172.15.0.0/23 advertise into Melbourne router.
Melbourne#show ip route eigrp
!
Gateway of last resort is not set
172.15.0.0/23 is subnetted, 1 subnets
D 172.15.0.0 [90/2809856] via 192.168.23.2, 00:05:22, Serial2/1
172.16.0.0/23 is subnetted, 1 subnets
D 172.16.0.0 [90/2809856] via 192.168.23.2, 00:08:38, Serial2/1
Melbourne#
e. Now, let’s fulfill the third lab objective.
I really want to be clear on the objective. Actually, we can create an individual prefix-list to allow 172.16.30.0/24 & 172.16.40.0/24 but what I wanted to show is to utilized the parameters in “Prefix-List”. The greater than or equal to (ge) or less than or equal to (le) operations is very useful to allow certain range based on the total number of mask bits.
Removing the previous prefx-list :
Singapore(config)#no ip prefix-list FILTER-MANILA seq 30 permit 172.16.0.0/16 le 23
And now, I will be adding a prefix list to allow network staring with 172.16.x.x but the subnet mas is equal to or greater that /23 or 255.255.254.0.
Singapore(config)#ip prefix-list FILTER-MANILA seq 30 permit 172.16.0.0/16 ge 23
Singapore(config)#^Z
So the last statement above only tells us that any IP address that falls within 172.16.0.0 with subnet mask starting from /23 or 255.255.254.0 will be advertise to Melbourne. Make sense?
Here’s the new prefix-list on Singapore,
Singapore# sh ip prefix-list
ip prefix-list FILTER-MANILA: 4 entries
seq 10 deny 172.16.10.0/24
seq 20 deny 172.16.20.0/24
seq 30 permit 172.16.0.0/16 ge 23
seq 40 permit 172.15.0.0/16 le 23
Now, let’s have a look into the Melbourne routing table after the new prefix-list condition is applied. So sweet! As seen below, I have the previous two networks 172.16.0.0/16 & 172.15.0.0/16 plus the network 172.16.30.0/24 & 172.16.40.0/24. The sequence 10 & 20 still applies thus denying the two subnets 172.16.10.0/24 & 172.16.20.0/24 to be advertise in Melbourne.
Melbourne#show ip route eigrp
!
Gateway of last resort is not set
172.15.0.0/23 is subnetted, 1 subnets
D 172.15.0.0 [90/2809856] via 192.168.23.2, 00:28:29, Serial2/1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.0.0/23 [90/2809856] via 192.168.23.2, 00:31:45, Serial2/1
D 172.16.30.0/24 [90/2809856] via 192.168.23.2, 00:07:23, Serial2/1
D 172.16.40.0/24 [90/2809856] via 192.168.23.2, 00:07:23, Serial2/1
Melbourne#
*** This ends my laboratory for another concepts related to Prefix-List***
NETWORK LESSON 
Leave a comment