Do you like this site? Remember to share it to all your friends on Facebook and Twitter!

Thursday, November 20, 2014

A simple example explaining why we need Prefix-List in addition to simple Access-List (ACL) on Cisco IOS

My example is: assume we want to filter out "all possible subnets/prefixes inside" from rushing into our router.

Red House Theater, at the West Gate of Taipei Wall (西門紅樓、紅樓劇場). 
We can first visualize what subnets are to be filtered in the following, but incomplete list:

(and even more ...)

If we only have plain, old, simple Access Control List, then the commands would be something like this:
access-list 100 deny ip host host
access-list 100 deny ip host host
access-list 100 deny ip host host
access-list 100 deny ip host host
access-list 100 deny ip host host
access-list 100 deny ip host host
access-list 100 deny ip host host
(and even more ...)
access-list 100 permit ip any any

router eigrp X
 distribute-list 100 in
Very tedious, isn't it!

So, Cisco defined new object named Prefix-Lists to simplify configurations for similar requirements.

Let's Focus on Two Parts of Prefix Lists

An prefix list can be viewed as of 2 parts.

ip prefix-list {list-name | list-number} [seq number] {deny network/length | permit network/length} [ge ge-length] [le le-length]

Part 1: What base range of addresses we are talking about.

In this example, we are talking about all the IP addresses inside, so Part 1 should be exactly "".

Part 2: What range of prefix lengths we are interested in.

In this example, we are interested in "All possible subnets, all possible prefix lengths". They are "anything shorter than 32", so Part 2 should be "le 32".

To combine Part 1 and Part 2 together, we can say this prefix list line is active on "within the address base range of Part 1, any possible prefix lengths within Part 2".

To achieve the same result with Prefix Lists, the commands now look like these simpler lines.
ip prefix-list ALL-SUBNETS deny le 32
ip prefix-list ALL-SUBNETS permit le 32

router eigrp X
 distribute-list prefix ALL-SUBNETS in
This way is much simpler, isn't it!

One more thing…

There is a common command phrase in Prefix List command: " le 32". This line says, "within the whole internet address base range, any prefixes shorter than 32".

In other word, this command phrase is exactly "any possible subnets".

If we somehow forget to add "le 32", then it would  be active only on "" and nothing else. This is to pick the "default route" only, and this is not correct for the example in this post.
Do you like this post? You really should consider Subscribing by Email!

Related Posts with Thumbnails

No comments:

Post a Comment

Tip: you can also anonymously comment here.

Popular Posts