Many people prefer prefix-lists over ACLs because they give you more precision over which routes to allow. This blog post goes over some examples of the two methods using RIP and distribute-lists.
The Network:
R1----R2----R3
Each router is connected to its own LAN; call them LAN1, LAN2 and LAN3.
Addressing:
R1-R2 = 12.0.0.0/8
R2-R3 = 13.0.0.0/8
LAN1 = 1.0.0.1/8
LAN2 = 2.0.0.2/8
LAN3 = 3.0.0.0/16
R3 also has 4 loopbacks:
3.1.0.3/16
3.2.0.3/16
3.3.0.3/16
3.4.0.3/16
RIP is enabled everywhere so that R1 has the following route table:
R1#show ip route | begin Ga
Gateway of last resort is not set
1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
R 2.0.0.0/8 [120/2] via 13.0.0.3, 00:00:06, Serial1/1
3.0.0.0/16 is subnetted, 5 subnets
R 3.3.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.2.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.1.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.4.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 23.0.0.0/8 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 12.0.0.0/8 [120/2] via 13.0.0.3, 00:00:06, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1
Let's say I create a prefix-list like this:
R3(config)#ip prefix-list NET3 permit 3.0.0.0/8
Then apply the distribute list:
R3(config)#router rip
R3(config-router)#distribute-list prefix NET3 out
R1 will have no routes to any of the 3.0.0.0 networks (and, because a prefix-list ends with an implicit deny, nothing else R3 was advertising either):
R1# show ip route | begin Ga
Gateway of last resort is not set
1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
C 13.0.0.0/8 is directly connected, Serial1/1
But if we use the same matching principle (3.0.0.0 with an 8-bit mask) in an ACL, then R1 has all the 3.0.0.0 routes:
R3(config)#router rip
R3(config-router)#no distribute-list prefix NET3 out
R3(config-router)#exit
R3(config)#access-list 3 permit 3.0.0.0 0.255.255.255
R3(config)#router rip
R3(config-router)#distribute-list 3 out
R1#clear ip route *
R1# show ip route | begin Ga
Gateway of last resort is not set
1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
3.0.0.0/16 is subnetted, 5 subnets
R 3.3.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.2.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.1.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.4.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1
The reason this happens is that a prefix-list entry matches the exact prefix length given (here /8) unless the ge or le arguments are added, whereas an ACL used in a distribute-list compares only the route's network address against the wildcard mask and ignores the route's mask length. To make the prefix-list perform like the ACL we can do this:
R3(config)#router rip
R3(config-router)#no distribute-list 3 out
R3(config-router)#exit
R3(config)#no ip prefix-list NET3 permit 3.0.0.0/8
R3(config)#ip prefix-list NET3 permit 3.0.0.0/8 ge 9
R3(config)#router rip
R3(config-router)#distribute-list prefix NET3 out
R1#clear ip route *
R1# show ip route | begin Ga
Gateway of last resort is not set
1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
3.0.0.0/16 is subnetted, 5 subnets
R 3.3.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.2.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.1.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.4.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1
The prefix-list matches the first 8 bits of a prefix and then accepts any of those prefixes whose mask is 9 bits or longer. Note that "ge 9" would not match a 3.0.0.0/8 route itself; "3.0.0.0/8 le 32" covers /8 through /32 and is the closest equivalent to the ACL. If we wanted the ACL to perform like the prefix-list we could do this:
R3(config)#access-list 13 permit 3.0.0.0 0.0.0.0
R3(config)#router rip
R3(config-router)#no distribute-list prefix NET3 out
R3(config-router)#distribute-list 13 out
R1# show ip route | begin Ga
Gateway of last resort is not set
1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
3.0.0.0/16 is subnetted, 1 subnets
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:02, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1
Now R1 has the route to 3.0.0.0, but notice that, unlike the prefix-list, the ACL pays no attention to the prefix length. In other words, ACL 13 above would match 3.0.0.0/8, 3.0.0.0/9, and so on.
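As an added illustration (not from the original post), here is a small Python model of the two matching rules discussed above: a prefix-list entry with optional ge/le, and a standard ACL wildcard match as a distribute-list applies it. It runs the post's four filters (the exact 3.0.0.0/8 prefix-list, the ge 9 version, ACL 3 and ACL 13) over the routes R3 advertises in the topology; the route list and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample: the prefixes R3 advertises to R1 in the post's topology.
ROUTES = ["3.0.0.0/16", "3.1.0.0/16", "3.2.0.0/16", "3.3.0.0/16", "3.4.0.0/16",
          "2.0.0.0/8", "12.0.0.0/8", "23.0.0.0/8"]

def prefix_list_permits(route, entry, ge=None, le=None):
    """One 'ip prefix-list ... permit <entry> [ge N] [le M]' line.
    The route's first <entry length> bits must equal the entry's network,
    and the route's own mask length must fall inside the allowed range:
    exactly the entry's length unless ge/le widen it (ge alone means ge..32)."""
    r, e = ipaddress.ip_network(route), ipaddress.ip_network(entry)
    low = ge if ge is not None else e.prefixlen
    high = le if le is not None else (32 if ge is not None else e.prefixlen)
    shift = 32 - e.prefixlen          # keep only the entry's leading bits
    bits_match = (int(r.network_address) >> shift) == (int(e.network_address) >> shift)
    return bits_match and low <= r.prefixlen <= high

def acl_permits(route, address, wildcard):
    """One 'access-list N permit <address> <wildcard>' line as a distribute-list
    uses it: only the route's network address is compared through the wildcard
    mask; the route's mask length is never looked at."""
    r = ipaddress.ip_network(route)
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # 1 = bit must match
    return (int(r.network_address) & care) == (int(ipaddress.ip_address(address)) & care)

def filter_routes(routes, permit):
    """Apply one filter line followed by the implicit deny."""
    return [r for r in routes if permit(r)]

# The four filters the post walks through, applied to the same route set.
def prefix_list_exact():   # ip prefix-list NET3 permit 3.0.0.0/8
    return filter_routes(ROUTES, lambda r: prefix_list_permits(r, "3.0.0.0/8"))

def prefix_list_ge9():     # ip prefix-list NET3 permit 3.0.0.0/8 ge 9
    return filter_routes(ROUTES, lambda r: prefix_list_permits(r, "3.0.0.0/8", ge=9))

def acl_3():               # access-list 3 permit 3.0.0.0 0.255.255.255
    return filter_routes(ROUTES, lambda r: acl_permits(r, "3.0.0.0", "0.255.255.255"))

def acl_13():              # access-list 13 permit 3.0.0.0 0.0.0.0
    return filter_routes(ROUTES, lambda r: acl_permits(r, "3.0.0.0", "0.0.0.0"))

if __name__ == "__main__":
    for name, fn in [("prefix-list 3.0.0.0/8", prefix_list_exact),
                     ("prefix-list 3.0.0.0/8 ge 9", prefix_list_ge9),
                     ("access-list 3", acl_3), ("access-list 13", acl_13)]:
        print(f"{name:28} -> {fn()}")
```

The exact /8 prefix-list permits nothing (no advertised route is a /8 in 3.0.0.0), the ge 9 version and ACL 3 both permit the five /16s, and ACL 13 permits only 3.0.0.0/16, matching the route tables shown above.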
Friday, July 4, 2008