ACL, prefix-list, route-map

prefix-list

[Syntax]:
ip prefix-list list-name [seq seq-value] {deny|permit} network/len [ge ge-value] [le le-value]

ge: greater than or equal to
le: less than or equal to
If only ge is given, the matched prefix-length range is ge-value --> 32
If only le is given, the matched prefix-length range is len --> le-value

[Analysis]
Understanding ge and le in a prefix list
Suppose there are three routes:
172.16.0.0/16
172.16.10.0/24
172.16.11.0/24

Match condition configured                                 Matched result
ip prefix-list permit 172.16.10.0/8 le 24                  172.16.0.0/16, 172.16.10.0/24, 172.16.11.0/24
ip prefix-list permit 172.16.10.0/8 le 16                  172.16.0.0/16
ip prefix-list tenonly permit 172.16.10.0/8 ge 16 le 24    172.16.0.0/16, 172.16.11.0/24, 172.16.10.0/24
ip prefix-list tenonly permit 172.16.10.0/8 ge 17 le 24    172.16.10.0/24, 172.16.11.0/24
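As an added example (not code from the original post), the following Python implements the ge/le rule given above and re-derives the table's results for the same three routes; the entry tuple layout and function names are my own, and the empty-list behaviour follows what the page states later (an empty prefix-list permits all).

```python
import ipaddress

# The three routes from the analysis above (constructed sample input).
ROUTES = ["172.16.0.0/16", "172.16.10.0/24", "172.16.11.0/24"]


def prefix_entry_matches(network, length, route, ge=None, le=None):
    """True if `route` is matched by one entry `network/length [ge] [le]`.

    Two conditions, as in IOS:
      1. the first `length` bits of the route equal those of the entry;
      2. the route's own prefix length lies within the allowed range:
           neither ge nor le -> exactly `length`
           only ge           -> ge .. 32
           only le           -> length .. le
           both              -> ge .. le
    """
    entry = ipaddress.ip_network(f"{network}/{length}", strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    if rt.network_address not in entry:          # condition 1
        return False
    low = ge if ge is not None else length
    high = le if le is not None else (32 if ge is not None else length)
    return low <= rt.prefixlen <= high           # condition 2


def prefix_list_action(entries, route):
    """Evaluate a whole prefix-list: first match wins, implicit deny at
    the end, and (as the page states) an empty/undefined list permits all.
    Each entry is (action, network, length, ge, le)."""
    if not entries:
        return "permit"
    for action, network, length, ge, le in entries:
        if prefix_entry_matches(network, length, route, ge, le):
            return action
    return "deny"


def permitted_routes(entries, routes=ROUTES):
    """Routes that the prefix-list lets through, in their original order."""
    return [r for r in routes if prefix_list_action(entries, r) == "permit"]


if __name__ == "__main__":
    # The four entries from the table; each list holds a single permit.
    for ge, le in ((None, 24), (None, 16), (16, 24), (17, 24)):
        entry = ("permit", "172.16.10.0", 8, ge, le)
        print(f"ge={ge} le={le}: {permitted_routes([entry])}")
```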

An ACL can also define a range, to achieve something similar to a prefix-list.

access-list 10 permit 199.172.0.0 0.0.3.0: here the 0.0.3.0 acts as the range definition; a 0 bit means "must match" and a 1 bit means "don't care". So in the defined address 199.172.0.0, the first 16 bits and the last 8 bits are fixed, and only the last 2 bits of the third octet are don't-care and may vary, giving:
199.172.0.0
199.172.1.0
199.172.2.0
199.172.3.0
permit 199.172.1.0 0.0.254.0   odd-numbered routes
permit 199.172.0.0 0.0.254.0   even-numbered routes
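An added example, not part of the original post, that implements the wildcard-mask rule described above (0 = must match, 1 = don't care) and enumerates the networks the 0.0.3.0 and 0.0.254.0 entries cover; the function names are my own.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(address, acl_address, wildcard):
    """IOS wildcard-mask test: a 0 bit in the wildcard must match the ACL
    address, a 1 bit is ignored.  This is the comparison an entry such as
    'access-list 10 permit acl_address wildcard' applies to `address`."""
    keep = ~_to_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return (_to_int(address) & keep) == (_to_int(acl_address) & keep)


def expand_wildcard(acl_address, wildcard):
    """Enumerate every address an 'acl_address wildcard' pair covers by
    iterating over all combinations of the don't-care bits.  Fine for small
    wildcards such as 0.0.3.0 (4 addresses) or 0.0.254.0 (128 addresses)."""
    base = _to_int(acl_address)
    wc = _to_int(wildcard)
    free_bits = [b for b in range(32) if (wc >> b) & 1]
    fixed = base & ~wc & 0xFFFFFFFF                  # the "must match" part
    covered = []
    for combo in range(1 << len(free_bits)):
        value = fixed
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= 1 << bit
        covered.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(covered)]


def third_octets(addresses):
    """Which third-octet values a wildcard entry reaches (odd/even check)."""
    return [int(a.split(".")[2]) for a in addresses]


if __name__ == "__main__":
    print(expand_wildcard("199.172.0.0", "0.0.3.0"))
    odd = expand_wildcard("199.172.1.0", "0.0.254.0")
    even = expand_wildcard("199.172.0.0", "0.0.254.0")
    print(len(odd), "odd networks, third octets:", third_octets(odd)[:5], "...")
    print(len(even), "even networks, third octets:", third_octets(even)[:5], "...")
```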

For route filtering and address restriction, a prefix-list consumes far less CPU than an access-list and loads faster; IOS versions 11.1CC(17), 11.3(3) and 12.0 all provide this feature.

A prefix-list keeps several important features of the access-list:
1. Permit and deny;
2. First-match rule;
3. Filtering by prefix length (exact match or range match)

How a prefix-list differs from an ACL:

A prefix-list can be redefined incrementally: its entries can be added or deleted individually, without having to delete the whole list and rewrite it, as is necessary with an access-list.

Features common to ACLs, prefix-lists and route-maps:

An empty or nonexistent ACL or prefix-list defaults to permit all; a nonexistent route-map defaults to deny all.
Once an ACL has one or more permit or deny statements configured, its last entry is a hidden deny all.

A route-map defaults to deny all (even when empty).


The following examples all use this network setup:
R1 (s1/0, 192.168.1.1) =============== (s1/0, 192.168.1.2) R2

Case Study: ACL
R1#conf t
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#access-class 3 in

R2#telnet 192.168.1.1
Password :
R1>      (not blocked; the login goes straight through)

Summary: an empty (undefined) ACL permits all hosts by default.

Case Study: Route-map
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Note: a nonexistent route-map defaults to deny all, so in this case the route-map never evaluates to a match and no default route is originated.

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10
R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10
R1(config-route-map)#match ip add 1
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10
R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10
R1(config-route-map)#match ip add 1
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Case Study: Prefix-list
R1(config)#int lo0
R1(config-if)#ip add 172.16.33.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip ospf network point-to-point
R1(config-if)#exit
R1(config)#router ospf 100
R1(config-router)#redistribute connected subnets
R1(config-router)#distribute-list prefix sense out connected
R1(config)#
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 4 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:07:54, Serial1/0
O E2 172.16.33.0 [55/20] via 192.168.1.1, 00:00:01, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:07:54, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

R1(config)#ip prefix-list sense seq 5 deny 172.16.33.0/24
rtb#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:09:15, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:09:15, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
Summary: an empty prefix-list permits all routes by default.

Case Study: Integrate Route-map and ACL
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 5
R1(config-route-map)#match ip address 33
R1(config-route-map)#

R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Conclusion: at least one permit or deny statement must be defined before the implicit deny of an ACL or route-map takes effect. An empty ACL permits all routes by default.