Common characteristics of ACLs, prefix-lists and route-maps:
1> An empty or non-existent ACL or prefix-list permits everything by default. A non-existent route-map denies everything by default.
2> To make use of the implicit deny of an ACL or prefix-list, at least one permit or deny statement must be configured.
A route-map denies everything by default, so its implicit deny is in effect from the start.
Topology:
R1 (s1/0,192.168.1.1) =============== (s1/0,192.168.1.2) R2
Case Study: ACL
R1#conf t
R1(config)#line vty 0 935
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#access-class 3 in
R2#telnet 192.168.1.1
Password:
R1>
Summary: An empty (undefined) ACL permits all hosts by default.
Case Study: Route-map
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
Note: An undefined route-map denies all routes by default, so here the route-map never evaluates as satisfied.
=============================================================
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10
R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1
===============================================================
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense permit 10
R1(config-route-map)#match ip add 1
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
=================================================================
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10
R2#sh ip route
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.6, 00:00:12, Serial1/1
=====================================================================
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 10
R1(config-route-map)#match ip add 1
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
=====================================================================
Case Study: Prefix-list
R1(config)#int lo0
R1(config-if)#ip add 172.16.33.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip ospf network point-to-point
R1(config-if)#exit
R1(config)#router ospf 100
R1(config-router)#redistribute connected subnets
R1(config-router)#distribute-list prefix sense out connected
R1(config)#
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 4 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:07:54, Serial1/0
O E2 172.16.33.0 [55/20] via 192.168.1.1, 00:00:01, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:07:54, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
R1(config)#ip prefix-list sense seq 5 deny 172.16.33.0/24
rtb#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
O 172.16.44.0 [33/65] via 192.168.1.1, 00:09:15, Serial1/0
O IA 172.16.1.0 [44/65] via 192.168.1.1, 00:09:15, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
Summary: An empty prefix-list permits all routes by default.
Case Study: Integrate Route-map and ACL
R1(config)#router ospf 100
R1(config-router)#default-information originate route-map sense
R1(config-router)#exit
R1(config)#route-map sense deny 5
R1(config-route-map)#match ip address 33
R1(config-route-map)#
R2#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/65] via 192.168.1.1, 00:32:38, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
Summary: At least one permit or deny statement must be defined before the implicit deny of an ACL or route-map takes effect. An empty ACL permits all routes by default.
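The rules stated in the summaries above, written out as a small Python model so the case studies can be checked in one place. This is an added example, not IOS and not the author's own code: `Acl`, `PrefixList`, `RouteMap`, `acl_permits`, `prefix_list_permits` and `route_map_permits` are this example's own names, the model covers only standard-ACL address matches and exact-length prefix-list entries, and the four unexplained route-map variants between the separator lines are deliberately left out. The one check on `172.16.44.0/24` goes beyond the page: it shows the prefix-list's implicit deny as it would apply to any other redistributed connected prefix once the first entry exists.

```python
"""Model of the ACL / prefix-list / route-map default rules summarised on the page.

Constructed example, not IOS code and not from the original post. It encodes the
stated rules (empty ACL or prefix-list permits all, undefined route-map denies
all, implicit deny only after a first entry) and replays the case studies.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass
class Acl:
    # standard ACL: ordered (action, source network) entries
    entries: List[Tuple[str, IPv4Network]] = field(default_factory=list)


def acl_permits(acls: Dict[str, Acl], name: str, addr: str) -> bool:
    """Rule 1: an undefined or empty ACL permits everything.
    Rule 2: once one entry exists, the implicit deny at the end applies."""
    acl = acls.get(name)
    if acl is None or not acl.entries:
        return True
    ip = ip_address(addr)
    for action, net in acl.entries:
        if ip in net:
            return action == PERMIT
    return False  # implicit deny


@dataclass
class PrefixList:
    # (seq, action, prefix); only exact-length matches are modelled (no ge/le)
    entries: List[Tuple[int, str, IPv4Network]] = field(default_factory=list)


def prefix_list_permits(plists: Dict[str, PrefixList], name: str, prefix: str) -> bool:
    """Same two rules as for the ACL, applied to a route prefix."""
    pl = plists.get(name)
    if pl is None or not pl.entries:
        return True
    net = ip_network(prefix)
    for _, action, entry_net in sorted(pl.entries, key=lambda e: e[0]):
        if net == entry_net:
            return action == PERMIT
    return False  # implicit deny


@dataclass
class RouteMapEntry:
    seq: int
    action: str
    match_acl: Optional[str] = None  # "match ip address <acl>", None = no match clause


@dataclass
class RouteMap:
    entries: List[RouteMapEntry] = field(default_factory=list)


def route_map_permits(rmaps: Dict[str, RouteMap], acls: Dict[str, Acl], name: str, addr: str) -> bool:
    """An undefined route-map denies everything; an entry with no match clause
    matches everything; a 'match ip address' clause matches when the ACL permits."""
    rmap = rmaps.get(name)
    if rmap is None:
        return False
    for entry in sorted(rmap.entries, key=lambda e: e.seq):
        if entry.match_acl is None or acl_permits(acls, entry.match_acl, addr):
            return entry.action == PERMIT
    return False  # implicit deny at the end of the route-map


def case_studies() -> Dict[str, bool]:
    """Replay the page's summarised case studies against the model."""
    acls: Dict[str, Acl] = {}  # nothing defined on R1, as in the post
    plists: Dict[str, PrefixList] = {}
    rmaps: Dict[str, RouteMap] = {}
    r: Dict[str, bool] = {}
    # Case Study: ACL - 'access-class 3 in' with ACL 3 never defined: R2 can telnet
    r["acl_undefined_permits_r2"] = acl_permits(acls, "3", "192.168.1.2")
    # Case Study: Route-map - route-map 'sense' undefined: no default route
    r["rmap_undefined_denies"] = route_map_permits(rmaps, acls, "sense", "0.0.0.0")
    # 'route-map sense permit 10' with no match clause: default route appears
    rmaps["sense"] = RouteMap([RouteMapEntry(10, PERMIT)])
    r["rmap_permit_no_match"] = route_map_permits(rmaps, acls, "sense", "0.0.0.0")
    # Case Study: Prefix-list - list undefined: 172.16.33.0/24 is advertised
    r["plist_undefined_permits"] = prefix_list_permits(plists, "sense", "172.16.33.0/24")
    # 'ip prefix-list sense seq 5 deny 172.16.33.0/24': prefix dropped ...
    plists["sense"] = PrefixList([(5, DENY, ip_network("172.16.33.0/24"))])
    r["plist_deny_33"] = prefix_list_permits(plists, "sense", "172.16.33.0/24")
    # ... and (beyond the page) the implicit deny now drops any other prefix too
    r["plist_implicit_deny"] = prefix_list_permits(plists, "sense", "172.16.44.0/24")
    # Case Study: Integrate - 'route-map sense deny 5' + 'match ip address 33',
    # ACL 33 undefined: the empty ACL matches everything, so deny 5 applies
    rmaps["sense"] = RouteMap([RouteMapEntry(5, DENY, match_acl="33")])
    r["rmap_deny_match_empty_acl"] = route_map_permits(rmaps, acls, "sense", "0.0.0.0")
    return r


if __name__ == "__main__":
    for case, permitted in case_studies().items():
        print(f"{case:28s} -> {'permit' if permitted else 'deny'}")
```

The operational point the model makes visible is the asymmetry that matters for hardening: a typo in an `access-class` or `distribute-list prefix` reference fails open (everything is permitted), while a typo in a `route-map` reference fails closed.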
Note: In the route-map section I gave no summary for four of the examples; I am not clear what rule they follow. If you know, please PM me. Thanks for your support~
This article is from the "SENSE" blog; please contact the author before reprinting!