I. Characteristics of prefix lists:
They can be modified incrementally. With an ordinary access control list we cannot delete a single entry from the list; to remove one entry we must delete the whole access list. In a prefix list, an individual entry can be deleted or added on its own.
Prefix lists are available in Cisco IOS 12.0 and later.
They give a significant performance improvement over access control lists when loading large lists and performing route lookups.
Prefix lists are used for BGP routing.
II. Description of the prefix-list commands
Syntax:
(1) ip prefix-list list-name [seq seq-value] {deny|permit} network/len [ge ge-value] [le le-value]
list-name: the name of the prefix list being created (note that the name is case-sensitive).
seq-value: the 32-bit sequence number of the prefix-list statement, which determines the order in which the filter statements are processed. By default sequence numbers increase in steps of 5 (5, 10, 15, and so on).
deny|permit: the action to take when a matching entry is found.
network/len: the prefix and prefix length to match. network is a 32-bit address; len is a decimal number.
ge-value: for prefixes more specific than "network/len", the lower bound of the range of prefix lengths to match. If only the "ge" attribute is specified, the range is taken to be from ge-value to 32.
le-value: for prefixes more specific than "network/len", the upper bound of the range of prefix lengths to match. If only the "le" attribute is specified, the range is taken to be from len to le-value.
(2) neighbor {ip-address | peer-group-name} prefix-list prefix-listname {in|out}
ip-address: the IP address of the BGP neighbor whose routes are to be filtered.
peer-group-name: the name of a BGP peer group.
prefix-listname: the name of the prefix list used to filter the routes.
in: the prefix list is applied to inbound route advertisements received from the neighbor.
out: the prefix list is applied to outbound route advertisements sent to the neighbor.
III. The use of the optional "ge" and "le" keywords in the "ip prefix-list" command can be confusing and hard to grasp, so we ran the following test to make the meaning of these options clearer.
The network topology is as follows:
Router A is in AS 65000. Routers B and C are neighbors of router A. Router A learns the two routes 172.16.10.0/24 and 172.16.11.0/24 from router B. Router C is an EBGP neighbor of router A, and router C's interface address is 10.1.1.1 (the topology figure from the original post is not reproduced here).
Assume that before the prefix list is configured, router A has learned the following routes (from router B):
172.16.0.0 subnetted:
172.16.10.0/24
172.16.11.0/24
We tested the following five cases:
[Case 1] Router A is configured as follows:
router bgp 65000
aggregate-address 172.16.0.0 255.255.0.0
neighbor 10.1.1.1 prefix-list tenonly out
ip prefix-list tenonly permit 172.16.10.0/8 le 24
When the configuration is viewed with "show run", we see that router A has automatically rewritten the last line of this configuration as:
ip prefix-list tenonly permit 172.0.0.0/8 le 24
Router C now learns three routes:
172.16.0.0/16
172.16.10.0/24
172.16.11.0/24
Here is a detailed explanation of why router C learns these three routes:
We created the aggregate route 172.16.0.0/16 on router A with the aggregate-address command, and we did not add the summary-only keyword to that command, so router A's EBGP neighbor, router C, can learn three routes: the aggregate route 172.16.0.0/16, the specific route 172.16.10.0/24 and the specific route 172.16.11.0/24.
In the command "ip prefix-list tenonly permit 172.16.10.0/8 le 24", len equals 8 and le-value equals 24. We said earlier that for prefixes more specific than "network/len" the le-value parameter is added, and that if only the "le" attribute is specified the range is taken to be from "len" to "le-value". The 8 and 24 here are lengths: the entry matches prefixes whose first 8 bits, first 9 bits, first 10 bits, ... up to first 24 bits match exactly. 172.16.0.0/16 is considered an exact match on the first 16 bits, 172.16.10.0/24 and 172.16.11.0/24 exact matches on the first 24 bits, and 172.0.0.0/8 would be an exact match on the first 8 bits. In other words, 8 to 24 here is a range of mask lengths: from router C's point of view, it can learn the routes in router A's BGP table whose masks are /8, /9, /10, /11, /12, /13, /14, /15, /16, /17, /18, /19, /20, /21, /22, /23 or /24. Therefore in this case router C learns three routes, namely 172.16.0.0/16, 172.16.10.0/24 and 172.16.11.0/24.
[Case 2] Router A is configured as follows:
ip prefix-list tenonly permit 172.16.10.0/8 le 16
Result: router C learns only the single route 172.16.0.0/16. The reason is that le-value has been changed to 16, so router C can only learn routes with masks /8, /9, /10, /11, /12, /13, /14, /15 or /16; of the three routes above, only 172.16.0.0/16 qualifies, so router C learns only 172.16.0.0/16.
[Case 3] Router A is configured as follows:
ip prefix-list tenonly permit 172.16.10.0/8 ge 17
Result: router C learns only the two routes 172.16.11.0/24 and 172.16.10.0/24. Why? Because ge-value is 17 here, the entry matches prefixes whose first 17 bits, first 18 bits, first 19 bits, ... up to first 32 bits match exactly. From router C's point of view, it can learn the routes in router A's BGP table whose masks are /17, /18, /19, /20, /21, /22, /23, /24, /25, /26, /27, /28, /29, /30, /31 or /32, so router C learns two routes: 172.16.11.0/24 and 172.16.10.0/24.
[Case 4] Router A is configured as follows:
ip prefix-list tenonly permit 172.16.10.0/8 ge 16 le 24
Result: router C learns 172.16.0.0/16, 172.16.11.0/24 and 172.16.10.0/24. Router C can learn the routes in router A's BGP table whose masks are /16, /17, /18, /19, /20, /21, /22, /23 or /24; all three routes above qualify, so all of them are learned by router C.
[Case 5] Router A is configured as follows:
ip prefix-list tenonly permit 172.16.10.0/8 ge 17 le 24
Result: router C learns 172.16.11.0/24 and 172.16.10.0/24. Router C can learn the routes in router A's BGP table whose masks are /17, /18, /19, /20, /21, /22, /23 or /24; of the three routes above only 172.16.11.0/24 and 172.16.10.0/24 qualify, so router C learns these two routes.
Look at the following examples:
ip prefix-list LIST permit 1.2.3.0/24 le 32
This example means that the first 24 bits of prefix 1.2.3.0 must match, and in addition the subnet mask must be less than or equal to 32 bits.
ip prefix-list LIST permit 0.0.0.0/0 le 32
This example matches everything; the statement is equivalent to permit any.
ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29
This example says that the first 8 bits of network 10.0.0.0 must match, and in addition the subnet mask must be between 21 and 29 bits.
Note:
A prefix list cannot match specific application traffic the way an access list can.
A prefix list also cannot be used to match, say, odd or even prefixes, or prefixes divisible by 15.
In a prefix list the matched bits must be contiguous and start from the left.
ip prefix-list fuck permit 0.0.0.0/0 ge 1 matches all routes except the default route.
ip prefix-list test16 seq 5 permit 0.0.0.0/1 ge 8 le 8 matches class A network addresses
ip prefix-list test16 seq 10 permit 128.0.0.0/2 ge 16 le 16 matches class B network addresses
ip prefix-list test16 seq 15 permit 192.0.0.0/3 ge 24 le 24 matches class C network addresses
Exercises:
1. Construct a prefix list that permits only the 192.168.1.0/24 network.
ip prefix-list test1 seq 5 permit 192.168.1.0/24
2. Construct a prefix list that denies network 119.0.0.0, and permits all other prefixes (including all subnets of 119.0.0.0).
ip prefix-list test2 seq 5 deny 119.0.0.0/8
ip prefix-list test2 seq 10 permit 0.0.0.0/0 le 32
3. Construct a prefix list that permits only the default route.
ip prefix-list test3 seq 5 permit 0.0.0.0/0
4. Construct a prefix list that permits everything except the default route.
ip prefix-list test4 seq 5 deny 0.0.0.0/0
ip prefix-list test4 seq 10 permit 0.0.0.0/0 le 32
5. Construct a prefix list that permits network 172.16.0.0 and any of its subnets, and denies all other prefixes.
ip prefix-list test5 seq 5 permit 172.16.0.0/16 le 32
6. Construct a prefix list that permits only the following prefixes:
10.2.8.32/27
10.2.8.32/28
10.2.8.32/29
10.2.8.32/30
ip prefix-list test6 seq 5 permit 10.2.8.32/27 le 30
7. Construct a prefix list that:
Permits 197.25.94.128/25
Denies 197.25.94.192/26
Permits 197.25.94.224/27
Denies 197.25.94.240/28
Permits 197.25.94.248/29
Denies 197.25.94.252/30
Permits all other prefixes, except for 198.82.0.0/16
ip prefix-list test7 seq 5 deny 197.25.94.192/26
ip prefix-list test7 seq 10 deny 197.25.94.240/28
ip prefix-list test7 seq 15 deny 197.25.94.252/30
ip prefix-list test7 seq 20 deny 198.82.0.0/16
ip prefix-list test7 seq 25 permit 0.0.0.0/0 le 32
8. Construct a prefix list that permits any prefix matching the first 20 bits of 175.29.64.0 which has a mask of at least /26 but not exceeding /29, and denies all other prefixes.
ip prefix-list test8 seq 5 permit 175.29.64.0/20 ge 26 le 29
9. Construct a prefix list that denies any prefix matching the first 19 bits of 15.26.96.0 with any mask up to and including /32, and permits any other prefix.
ip prefix-list test9 seq 5 deny 15.26.96.0/19 le 32
ip prefix-list test9 seq 10 permit 0.0.0.0/0 le 32
10. Construct a prefix list that denies the RFC 1918 private networks and any of their subnets, and permits everything else.
ip prefix-list test10 seq 5 deny 10.0.0.0/8 le 32
ip prefix-list test10 seq 10 deny 172.16.0.0/12 le 32
ip prefix-list test10 seq 15 deny 192.168.0.0/16 le 32
ip prefix-list test10 seq 20 permit 0.0.0.0/0 le 32
11. Construct a prefix list that permits any subnet of network 15.0.0.0 (but not the network), and denies everything else. Your router lies within AS 65011. Place the prefix list in service in the inbound direction with BGP neighbor 1.2.3.4.
ip prefix-list test11 seq 5 permit 15.0.0.0/8 ge 9
To place it in service:
router bgp 65011
neighbor 1.2.3.4 prefix-list test11 in
12. Construct a prefix list that denies 162.56.0.0/16 and all of its subnets (with the exception of 162.56.209.208/29, which is permitted), and permits all other prefixes. Your router lies within AS 65012. Place the prefix list in service in the outbound direction with its BGP neighbor having address 5.6.7.8.
ip prefix-list test12 seq 5 permit 162.56.209.208/29
ip prefix-list test12 seq 10 deny 162.56.0.0/16 le 32
ip prefix-list test12 seq 15 permit 0.0.0.0/0 le 32
router bgp 65012
neighbor 5.6.7.8 prefix-list test12 out
13. Construct a prefix list that permits the CIDR block containing the thirty-two class C networks beginning with 200.202.160.0/24, and denies everything else. Your router is within AS 65013. Place the prefix list in service in the inbound direction with BGP peer-group "Lucky_13".
ip prefix-list test13 seq 5 permit 200.202.160.0/19
router bgp 65013
neighbor Lucky_13 prefix-list test13 in
14. Construct a prefix list that denies any prefix for which the most-significant four bits are "0110", and permits everything else.
ip prefix-list test14 seq 5 deny 96.0.0.0/4 le 32
ip prefix-list test14 seq 10 permit 0.0.0.0/0 le 32
15. Construct a prefix list that permits the host address of "CatSpace", and denies everything else.
ip prefix-list test15 seq 5 permit 64.82.100.67/32
16. Construct a prefix list that permits only classful networks, and denies everything else.
ip prefix-list test16 seq 5 permit 0.0.0.0/1 ge 8 le 32
ip prefix-list test16 seq 10 permit 128.0.0.0/2 ge 16 le 32
ip prefix-list test16 seq 15 permit 192.0.0.0/3 ge 24 le 32
17. Construct a prefix list that denies only supernets, and permits everything else.
ip prefix-list test17 seq 5 deny 0.0.0.0/1 le 7
ip prefix-list test17 seq 10 deny 128.0.0.0/2 le 15
ip prefix-list test17 seq 15 deny 192.0.0.0/3 le 23
ip prefix-list test17 seq 20 permit 0.0.0.0/0 le 32
18. Construct a prefix list that permits only subnets, and denies everything else.
ip prefix-list test18 seq 5 permit 0.0.0.0/1 ge 9
ip prefix-list test18 seq 10 permit 128.0.0.0/2 ge 17
ip prefix-list test18 seq 15 permit 192.0.0.0/3 ge 25
19. Construct a prefix list that permits only CIDR blocks encompassing at least 32 class-C equivalents.
ip prefix-list test19 seq 5 deny 0.0.0.0/0
ip prefix-list test19 seq 10 permit 0.0.0.0/0 le 19
20. Construct a prefix list that permits only the RFC 1918 private networks and their subnets, and configure RIP to use this prefix list for outbound routing advertisements.
ip prefix-list test20 seq 5 permit 10.0.0.0/8 le 32
ip prefix-list test20 seq 10 permit 172.16.0.0/12 le 32
ip prefix-list test20 seq 15 permit 192.168.0.0/16 le 32
To place it in effect for outbound RIP updates:
router rip
distribute-list prefix test20 out
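The ge/le rules described in section II, the five test cases in section III and the exercise answers above all follow the same matching procedure. The following Python evaluator is an added example written for this post; it is not part of the original article and not Cisco IOS code. It models that procedure (the first len bits of a prefix must agree with the entry's network, the prefix's own mask length must fall in the ge/le window, entries are tried in seq order, the first match wins, and an implicit deny applies when nothing matches), reproduces the results of the five cases, and can be loaded with the exercise answers to check them. The class and function names (Entry, PrefixList, parse_entry, run_cases) and the simplified ge/le consistency check are assumptions of the example; the three routes and the prefix-list lines are the ones quoted above.

```python
"""Evaluator for Cisco-style 'ip prefix-list' entries (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # masked to len, the way IOS rewrites it
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_window(self) -> Tuple[int, int]:
        """Accepted mask lengths: exactly len by default, len..le with only 'le', ge..32 with only 'ge', ge..le with both."""
        plen = self.network.prefixlen
        lo = plen if self.ge is None else self.ge
        hi = (plen if self.ge is None else 32) if self.le is None else self.le
        return lo, hi

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        """The first len bits must agree and the prefix's own mask length must fall in the window."""
        lo, hi = self.length_window()
        masked = ipaddress.IPv4Network((prefix.network_address, self.network.prefixlen), strict=False)
        return masked == self.network and lo <= prefix.prefixlen <= hi


def parse_entry(line: str) -> Tuple[str, Optional[int], Entry]:
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} A.B.C.D/len [ge X] [le Y]'."""
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"]:
        raise ValueError(f"not a prefix-list line: {line!r}")
    name, i, seq = tok[2], 3, None
    if tok[i] == "seq":
        seq, i = int(tok[i + 1]), i + 2
    action, i = tok[i], i + 1
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    # strict=False reproduces IOS rewriting 172.16.10.0/8 as 172.0.0.0/8
    network, i = ipaddress.IPv4Network(tok[i], strict=False), i + 1
    opts = dict(zip(tok[i::2], tok[i + 1::2]))   # optional 'ge X' / 'le Y'
    if len(tok[i:]) % 2 or set(opts) - {"ge", "le"}:
        raise ValueError(f"bad ge/le options in {line!r}")
    entry = Entry(action, network,
                  int(opts["ge"]) if "ge" in opts else None,
                  int(opts["le"]) if "le" in opts else None)
    lo, hi = entry.length_window()
    if not network.prefixlen <= lo <= hi <= 32:   # simplified form of the IOS window check (assumption)
        raise ValueError(f"inconsistent ge/le window in {line!r}")
    return name, seq, entry


class PrefixList:
    """Entries keyed by seq and tried in ascending order: first match wins, implicit deny otherwise."""

    def __init__(self, name: str, lines=()):
        self.name = name
        self.entries: Dict[int, Entry] = {}
        for line in lines:
            self.add(line)

    def add(self, line: str) -> int:
        name, seq, entry = parse_entry(line)
        if seq is None:   # IOS numbers unnumbered entries in steps of 5
            seq = (max(self.entries, default=0) // 5 + 1) * 5
        self.entries[seq] = entry
        return seq

    def remove(self, seq: int) -> None:
        """Delete one entry; unlike a numbered ACL, the rest of the list stays."""
        del self.entries[seq]

    def evaluate(self, prefix: str) -> Tuple[str, Optional[int]]:
        """(action, seq of the matching entry), or ('deny', None) for the implicit deny."""
        net = ipaddress.IPv4Network(prefix)
        for seq in sorted(self.entries):
            if self.entries[seq].matches(net):
                return self.entries[seq].action, seq
        return "deny", None

    def permitted(self, prefixes: List[str]) -> List[str]:
        return [p for p in prefixes if self.evaluate(p)[0] == "permit"]


# Constructed sample input: the three routes router A holds in the test above.
ROUTES = ["172.16.0.0/16", "172.16.10.0/24", "172.16.11.0/24"]
CASES = {  # the prefix-list line router A applies outbound to router C in each case
    "case 1": "ip prefix-list tenonly permit 172.16.10.0/8 le 24",
    "case 2": "ip prefix-list tenonly permit 172.16.10.0/8 le 16",
    "case 3": "ip prefix-list tenonly permit 172.16.10.0/8 ge 17",
    "case 4": "ip prefix-list tenonly permit 172.16.10.0/8 ge 16 le 24",
    "case 5": "ip prefix-list tenonly permit 172.16.10.0/8 ge 17 le 24",
}


def run_cases() -> Dict[str, List[str]]:
    """Which of ROUTES router C would receive from router A under each case."""
    return {label: PrefixList("tenonly", [line]).permitted(ROUTES) for label, line in CASES.items()}
```

Calling run_cases() returns, for each case, the subset of the three routes that router C would receive, which matches the results reported in section III. Loading the same PrefixList with the answer to exercise 7 shows the ordering rule at work: 197.25.94.192/26 is stopped by the deny at seq 5, while 197.25.94.224/27 falls through to the final permit 0.0.0.0/0 le 32 because the /26 entry only matches a mask length of exactly 26. The remove method mirrors the point made in section I that a single prefix-list entry can be deleted without rebuilding the list.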
This article is reposted from zcm8483's 51CTO blog; original link: http://blog.51cto.com/haolun/993168