ACL, prefix-list, route-map

it  2026-04-09

prefix-list

Syntax: ip prefix-list list-name [ seq seq-value ] { deny | permit } network/len [ ge ge-value ] [ le le-value ]

ge means "greater than or equal to", le means "less than or equal to". If only ge is given, the matched length range is ge-value through 32; if only le is given, the range is the entry's own length (len) through le-value.

Analysis: understanding ge and le in a prefix list. Suppose there are three routes: 172.16.0.0/16, 172.16.10.0/24, 172.16.11.0/24

An ACL can also define a range and so achieve something close to what a prefix-list does: access-list 10 permit 199.172.0.0 0.0.3.0. Here the wildcard mask 0.0.3.0 is what defines the range: a 0 bit means "must match", a 1 bit means "don't care". In 199.172.0.0 the first 16 bits and the last 8 bits are therefore fixed; only the last 2 bits of the third octet are don't-care and may vary, so the result is: 199.172.0.0, 199.172.1.0, 199.172.2.0, 199.172.3.0.
permit 199.172.1.0 0.0.254.0 matches the odd-numbered routes; permit 199.172.0.0 0.0.254.0 matches the even-numbered routes.

For route filtering and address restriction, a prefix-list consumes far less CPU than an access-list and loads faster. The feature is available in IOS 11.1CC(17), 11.3(3) and 12.0.

A prefix-list keeps several important characteristics of an access-list: 1. permit and deny; 2. the first-match rule; 3. filtering on prefix length (exact match or range match).

How a prefix-list differs from an ACL:

A prefix-list can be redefined incrementally: individual entries can be added or removed on their own, without having to delete the whole list and rewrite it, as is necessary with an access-list.

What ACL, prefix-list and route-map have in common:

An empty or nonexistent ACL or prefix-list defaults to permit all; a nonexistent route-map defaults to deny all. Once an ACL contains one or more permit or deny statements, its last entry is an implicit deny all. A route-map defaults to deny all (even when it is empty).
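To make the rules above concrete, here is an added example (not code from the original post) that models the three matching rules the post explains: the ACL wildcard mask from the 199.172.0.0 example, the prefix-list ge/le length range, and the empty-list / implicit-deny behaviour. The sample routes are constructed from the post's own addresses; the matching logic is a model of the described semantics, not IOS code.

```python
import ipaddress

def wildcard_match(route, acl_addr, wildcard):
    """ACL wildcard semantics: mask bit 0 = must match, mask bit 1 = don't care."""
    r = int(ipaddress.IPv4Address(route))
    a = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be identical
    return (r & care) == (a & care)

def prefix_match(route, entry, ge=None, le=None):
    """prefix-list semantics from the post: the route must lie inside the entry's
    network and its length must fall in [ge, le]; only ge given -> ge..32,
    only le given -> len..le, neither -> exactly the entry's own length."""
    net = ipaddress.IPv4Network(entry)
    rt = ipaddress.IPv4Network(route)
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return rt.subnet_of(net) and low <= rt.prefixlen <= high

def evaluate(entries, route, kind="acl"):
    """First match wins. An empty ACL or prefix-list permits everything, an
    empty (or missing) route-map denies everything, and any non-empty list
    ends in an implicit deny. Each entry is (action, predicate)."""
    if not entries:
        return "deny" if kind == "route-map" else "permit"
    for action, matches in entries:
        if matches(route):
            return action
    return "deny"

# Constructed sample lists built from the addresses used in the post.
ACL_10 = [("permit", lambda r: wildcard_match(r, "199.172.0.0", "0.0.3.0"))]
ODD_ONLY = [("permit", lambda r: wildcard_match(r, "199.172.1.0", "0.0.254.0"))]
PL_24S = [("permit", lambda r: prefix_match(r, "172.16.0.0/16", ge=24, le=24))]
PL_SENSE = [("deny", lambda r: prefix_match(r, "172.16.33.0/24"))]

if __name__ == "__main__":
    for r in ("199.172.0.0", "199.172.3.0", "199.172.4.0"):
        print(r, "acl 10:", evaluate(ACL_10, r), "odd:", evaluate(ODD_ONLY, r))
    for r in ("172.16.0.0/16", "172.16.10.0/24", "172.16.11.0/24"):
        print(r, "ge24le24:", evaluate(PL_24S, r), "sense:", evaluate(PL_SENSE, r))
    print("empty route-map:", evaluate([], "0.0.0.0/0", kind="route-map"))
```

Note that PL_SENSE denies 172.16.33.0/24 explicitly and every other route through the implicit deny, which is exactly why the post insists on at least one entry before the implicit deny exists.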


The following examples all use this network topology: R1 (s1/0, 192.168.1.1) =============== (s1/0, 192.168.1.2) R2

Case Study: ACL

R1#conf t
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#access-class 3 in

R2#telnet 192.168.1.1
Password:
R1>

Nothing blocks the connection; the login goes straight through.

Summary: an empty (undefined) ACL allows all hosts by default.

Case Study: Route-map

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit

R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Note: a nonexistent route-map defaults to deny all, so in this case the route-map never matches and no default route is originated.

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10

R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10
R1(config-route-map)#match ip add 1

R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10

R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10
R1(config-route-map)#match ip add 1

R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Case Study: Prefix-list

R1(config)#int lo0
R1(config-if)#ip add 172.16.33.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip ospf network point-to-point
R1(config-if)#exit
R1(config)#router ospf 100
R1(config-router)#redistribute connected subnets
R1(config-router)#distribute-list prefix sense out connected
R1(config)#

R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 4 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:07:54, Serial1/0
O E2 172.16.33.0 [55/20] via 192.168.1.1, 00:00:01, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:07:54, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

R1(config)#ip prefix-list sense seq 5 deny 172.16.33.0/24

rtb#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:09:15, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:09:15, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Summary: an empty prefix-list permits all routes by default.

Case Study: Integrate Route-map and ACL

R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 5
R1(config-route-map)#match ip address 33
R1(config-route-map)#

R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Summary: at least one permit or deny statement must be defined before the implicit deny of an ACL or route-map takes effect. An empty ACL permits all routes by default.
