Friday, July 4, 2008

Prefix-lists vs ACLs

Many people prefer prefix-lists over ACLs because they give more precise control over which routes are allowed. This blog post goes over some examples comparing the two methods using RIP and distribute-lists.

The Network:

R1----R2----R3

Each router is connected to its own LAN; call them LAN1, LAN2 and LAN3.

Addressing:

R1-R2 = 12.0.0.0/8
R2-R3 = 13.0.0.0/8
LAN1 = 1.0.0.1/8
LAN2 = 2.0.0.2/8
LAN3 = 3.0.0.0/16

R3 also has 4 loopbacks:

3.1.0.3/16
3.2.0.3/16
3.3.0.3/16
3.4.0.3/16

RIP is enabled everywhere so that R1 has the following route table:

R1#show ip route | begin Ga
Gateway of last resort is not set

1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
R 2.0.0.0/8 [120/2] via 13.0.0.3, 00:00:06, Serial1/1
3.0.0.0/16 is subnetted, 5 subnets
R 3.3.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.2.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.1.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 3.4.0.0 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 23.0.0.0/8 [120/1] via 13.0.0.3, 00:00:06, Serial1/1
R 12.0.0.0/8 [120/2] via 13.0.0.3, 00:00:06, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1

Let's say I create a prefix-list like this:

R3(config)#ip prefix-list NET3 permit 3.0.0.0/8

Then apply the distribute list:

R3(config)#router rip
R3(config-router)#distribute-list prefix NET3 out

R1 will have no routes to any of the 3.0.0.0 networks:

R1# show ip route | begin Ga
Gateway of last resort is not set

1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
C 13.0.0.0/8 is directly connected, Serial1/1

But if we use the same matching principle (3.0.0.0/8) in an ACL, then R1 has all the 3.0.0.0 routes:

R3(config)#router rip
R3(config-router)#no distribute-list prefix NET3 out
R3(config-router)#exit
R3(config)#access-list 3 permit 3.0.0.0 0.255.255.255
R3(config)#router rip
R3(config-router)#distribute-list 3 out

R1#clear ip route *
R1# show ip route | begin Ga
Gateway of last resort is not set

1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
3.0.0.0/16 is subnetted, 5 subnets
R 3.3.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.2.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.1.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
R 3.4.0.0 [120/1] via 13.0.0.3, 00:00:01, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1

The reason this happens is that a prefix-list matches on the exact prefix length unless the ge or le arguments are added: 3.0.0.0/8 permits only a route to 3.0.0.0 with an 8-bit mask, and every route R3 advertises is a /16. To make the prefix-list behave like the ACL we can do this:

R3(config)#router rip
R3(config-router)#no distribute-list 3 out
R3(config-router)#exit
R3(config)#no ip prefix-list NET3 permit 3.0.0.0/8
R3(config)#ip prefix-list NET3 permit 3.0.0.0/8 ge 9
R3(config)#router rip
R3(config-router)#distribute-list prefix NET3 out

R1#clear ip route *
R1# show ip route | begin Ga
Gateway of last resort is not set

1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
3.0.0.0/16 is subnetted, 5 subnets
R 3.3.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.2.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.1.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
R 3.4.0.0 [120/1] via 13.0.0.3, 00:00:00, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1

The prefix-list now matches the first 8 bits of a prefix and then permits any such prefix whose mask is 9 bits or longer. If we wanted the ACL to behave like the original prefix-list we could do this:

R3(config)#access-list 13 permit 3.0.0.0 0.0.0.0
R3(config)#router rip
R3(config-router)#no distribute-list prefix NET3 out
R3(config-router)#distribute-list 13 out

R1# show ip route | begin Ga
Gateway of last resort is not set

1.0.0.0/16 is subnetted, 1 subnets
C 1.0.0.0 is directly connected, FastEthernet0/0
3.0.0.0/16 is subnetted, 1 subnets
R 3.0.0.0 [120/1] via 13.0.0.3, 00:00:02, Serial1/1
C 13.0.0.0/8 is directly connected, Serial1/1

Now R1 has the route to 3.0.0.0, but notice that the ACL pays no regard to the subnet length the way the prefix-list does. In other words, the above ACL 13 would match 3.0.0.0/8, 3.0.0.0/9, etc.
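Because a distribute-list decides which routes a neighbor ever learns, it pays to check a filter's matching semantics offline before committing it. The following Python is an added example, not part of the original post or of IOS, that emulates the two matching rules described above (prefix bits plus a ge/le length range for a prefix-list; wildcard mask against the network address only, length ignored, for a standard ACL) and runs the post's four filters over the routes R3 advertises in this topology.

```python
import ipaddress

# Routes R3 advertises to R1 in the post's topology (constructed from the page).
ROUTES = ["3.0.0.0/16", "3.1.0.0/16", "3.2.0.0/16", "3.3.0.0/16", "3.4.0.0/16",
          "2.0.0.0/8", "12.0.0.0/8", "23.0.0.0/8"]


def prefix_list_permits(entry, route):
    """Emulate one 'ip prefix-list NAME permit A/len [ge X] [le Y]' entry.

    entry = (prefix, ge, le); with ge and le both None only an exact
    length match is permitted, 'ge X' alone means X..32, 'le Y' alone len..Y.
    """
    prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    r = ipaddress.ip_network(route)
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    # The first /len bits must match AND the route's length must fall in [lo, hi].
    return r.network_address in net and lo <= r.prefixlen <= hi


def acl_permits(entry, route):
    """Emulate one 'access-list N permit ADDR WILDCARD' entry in a distribute-list.

    Only the route's network address is compared; its prefix length is ignored.
    A 1 bit in the wildcard means "don't care" for that address bit.
    """
    addr, wildcard = entry
    a = int(ipaddress.ip_address(addr))
    w = int(ipaddress.ip_address(wildcard))
    r = int(ipaddress.ip_network(route).network_address)
    return (a | w) == (r | w)


def filter_routes(permit, entry, routes=ROUTES):
    """Return the routes the single permit entry lets through."""
    return [r for r in routes if permit(entry, r)]


if __name__ == "__main__":
    cases = [
        ("prefix-list NET3 permit 3.0.0.0/8", prefix_list_permits, ("3.0.0.0/8", None, None)),
        ("access-list 3 permit 3.0.0.0 0.255.255.255", acl_permits, ("3.0.0.0", "0.255.255.255")),
        ("prefix-list NET3 permit 3.0.0.0/8 ge 9", prefix_list_permits, ("3.0.0.0/8", 9, None)),
        ("access-list 13 permit 3.0.0.0 0.0.0.0", acl_permits, ("3.0.0.0", "0.0.0.0")),
    ]
    for label, fn, entry in cases:
        print(f"{label:44} -> {filter_routes(fn, entry)}")
```

The four results reproduce the four R1 routing tables in the post; feeding a hypothetical 3.0.0.0/8 route to ACL 13 and to the ge 9 prefix-list shows the final point, since the ACL permits it and the prefix-list does not.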
