【语法】:
ip prefix-list
list-name
[
seq
seq-value
] {
deny|permit}
network/len
[
ge
ge-value
] [
le
le-value
]
- ge,大于等于
- le,小于等于
- 如果只出现ge,范围从 ge-value --> 32
- 如果只出现le,范围从length-->le-value
【分析】
前缀列表中的ge ,le 的理解
假定有三条路由
172.16.0.0/16
172.16.10.0/24
172.16.11.0/24
| 设置匹配条件 | 匹配结果 |
| ip prefix-list permit 172.16.10.0/8 le 24 | 172.16.0.0/16 172.16.10.0/24 172.16.11.0/24 |
| ip prefix-list permit 172.16.10.0/8 le 16 | 172.16.0.0/16 |
| in prefix-list tenonly permit 172.16.10.0/8 ge 16 le 24 | 172.16.0.0/16 172.16.11.0/24 172.16.10.0/24 |
| in prefix-list tenonly permit 172.16.10.0/8 ge 17 le 24 | 172.16.10.0/24 172.16.11.0/24 |
其实ACL也有方法定义一个范围,以实现类似prefix-list的功能。
access-list 10 permit 199.172.0.0 0.0.3.0,这里这个0.0.3.0,即起了一个定义范围的作用,0表示match,1表示不关心。这样的话,199.172.0.0 这个被定义物里,前16个bit和最后8个bit都是被定死的,唯独第三段的最后2bit是不关心的,可以变换,所以结果就是:
199.172.0.0
199.172.1.0
199.172.2.0
199.172.3.0
per 199.172.1.0 0.0.254.0 奇数路由
per 199.172.0.0 0.0.254.0 偶数路由
在进行路由过滤和地址限制方面,Prefix-list占用CPU的资源比采用access-list要少很多,
它提供更快的访问列表装入速度,目前IOS版本11.1CC(17),11.3(3)和12.0都提供该项特性。
Prefix-list保存了access-list的多项重要特性:
1、Permit和Deny;
2、最先匹配法则;
3、基于Prefix长度的过滤(精确匹配或range匹配)
Prefix-list与ACL的不同之处:
- Prefix-list可以采用增量方式从新定义,也就是说,它里面的条目可以单独增加或删除,而无需像access-list一样,一删就得将整个access-list删掉重写。
ACL , prefix , route-map共同特点:
- 一个空的/不存在 的acl & prefix预设是permit all ,一个不存在 的 route-map 预设是deny all
- 一个acl 如果配置一条以上permit或deny语句,最后一笔为隐藏的deny all
- route-map预设deny all(即使为空)
-----------------------------------------------------------------------
以下为各种例子,以如下的网络架构为网络环境:
R1 (s1/0,192.168.1.1) =============== (s1/0,192.168.1.2) R2
Case Study: ACL
R1#conf t
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#access-class 3 in
R2#telnet 192.168.1.1
Password :
R1> 没有阻挡可以直接进去
Summary: 空的(未定义的)acl默认允许所有的主机。
-----------------------------------------------------------------------
Case Study: Route-map
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
注: 不存在的route-map预设deny all。所以这个case的route-map永远返回不满足要求。
-----------------------------------------------------------------------
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10
R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1
-----------------------------------------------------------------------
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10
R1(config-route-map)#match ip add 1
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
-----------------------------------------------------------------------
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10
R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1
-----------------------------------------------------------------------
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10
R1(config-route-map)#match ip add 1
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
-----------------------------------------------------------------------
Case Study: Prefix-list
R1(config)#int lo0
R1(config-if)#ip add 172.16.33.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip ospf network point-to-point
R1(config-if)#exit
R1(config)#router ospf 100
R1(config-router)#redistribute connected subnets
R1(config-router)#distribute-list prefix sense out connected
R1(config)#
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 4 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:07:54, Serial1/0
O E2 172.16.33.0 [55/20] via 192.168.1.1, 00:00:01, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:07:54, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
R1(config)#ip prefix-list sense seq 5 deny 172.16.33.0/24
rtb#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:09:15, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:09:15, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
Summary: 空的prefix-list预设允许所有的路由。
-----------------------------------------------------------------------
Case Study: Integrate Route-map and ACL
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 5
R1(config-route-map)#match ip address 33
R1(config-route-map)#
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
总结: 至少定义一条permit或deny语句才能使用acl或route-map的隐含deny功能。空的acl预设允所有的路由。
本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/993172
