Monday 14 March 2011

The power of access-lists

Today let's talk about access-lists. In many books one can easily find the statement that prefix-lists are much more convenient than access-lists. With prefix-lists, using ge and/or le gives more flexibility. For example, imagine that you have 5 networks: 10.0.0.0/24, 10.0.1.0/25, 10.0.1.128/25, 10.0.2.0/26, 10.0.2.128/25. Next, you want to permit only those of these networks with a prefix length of 25. You can use a single prefix-list command:

ip prefix-list FILTER permit 10.0.0.0/16 ge 25 le 25

whereas you need 3 (or 2) different lines with an access-list:

access-list 1 permit 10.0.1.0 0.0.0.127
access-list 1 permit 10.0.1.128 0.0.0.127
access-list 1 permit 10.0.2.128 0.0.0.127

or

access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.128 0.0.0.127


In this example the difference is small, but with more than 50 lines, using standard access-lists can be daunting. However, extended access-lists are much more powerful.

For this example, I will use 2 routers directly connected with EIGRP:


R2 has 10 loopbacks with different networks which are being advertised to R1 via EIGRP:

R2#show ip interface | include 192
  Internet address is 192.168.0.1/24
  Internet address is 192.168.1.1/25
  Internet address is 192.168.1.129/25
  Internet address is 192.168.2.1/26
  Internet address is 192.168.2.65/27
  Internet address is 192.168.2.129/27
  Internet address is 192.168.3.1/28
  Internet address is 192.168.3.65/28
  Internet address is 192.168.3.129/29
  Internet address is 192.168.3.161/29


R1#show ip route eigrp
D    192.168.0.0/24 [90/2297856] via 10.0.0.1, 00:01:08, Serial0/0
     192.168.1.0/25 is subnetted, 2 subnets
D       192.168.1.0 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D       192.168.1.128 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
     192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D       192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D       192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
     192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D       192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D       192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D       192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D       192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1         1           9           720         1280



We see that everything works. Now we would like to send to R1 only those prefixes with a network length of 27 or more. We will do this using either a prefix-list or an extended ACL, and in each case we will use one single matching command!

First, let's do this using a prefix-list:

R2#conf t
R2(config)#ip prefix-list PREF1 permit 192.168.0.0/16 ge 27
R2(config)#route-map PREFOUT1 permit 10
R2(config-route-map)#match ip address prefix-list PREF1
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map PREFOUT1 out


And on R1 we've got:


R1#show ip route eigrp
     192.168.2.0/27 is subnetted, 2 subnets
D       192.168.2.64 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D       192.168.2.128 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
     192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D       192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D       192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D       192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D       192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1         0           6           432         768


Now, let's do the same using an ACL:


R2#conf t
R2(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 255.255.255.224 0.0.0.31
R2(config)#route-map ACLOUT1 permit 10
R2(config-route-map)#match ip address 100
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map ACLOUT1 out


And what do we get on R1? The same!

R1#show ip route eigrp
     192.168.2.0/27 is subnetted, 2 subnets
D       192.168.2.64 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D       192.168.2.128 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
     192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D       192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D       192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D       192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D       192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1         0           6           432         768


Now let's permit only those prefixes that have a length of 26 to 28. First, we can use the prefix-list solution:

R2#configure t
R2(config)#ip prefix-list PREF2 permit 192.168.0.0/16 ge 26 le 28
R2(config)#route-map PREFOUT2 permit 10
R2(config-route-map)#match ip address prefix-list PREF2
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map PREFOUT2 out



On R1:

R1#show ip route eigrp
     192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
D       192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:02:27, Serial0/0
D       192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
     192.168.3.0/28 is subnetted, 2 subnets
D       192.168.3.64 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
D       192.168.3.0 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1         0           5           360         640



Now we will use the ACL logic:

R2#configure t
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 255.255.255.192 0.0.0.48
R2(config)#route-map ACLOUT2 permit 10
R2(config-route-map)#match ip address 101
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map ACLOUT2 out


Let's go back to R1:

R1#show ip route eigrp
     192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
D       192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:09:49, Serial0/0
D       192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
     192.168.3.0/28 is subnetted, 2 subnets
D       192.168.3.64 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
D       192.168.3.0 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1         0           5           360         640


Again, we have done the same thing with the ACL as with the prefix-list! And we used the same number of commands!
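To make the two matching rules concrete, here is an added example (not from the original post or from Cisco) that emulates, in Python, how a prefix-list entry with ge/le and an extended ACL entry used in a distribute-list are evaluated against a route. The assumed semantics are the ones the post relies on: the ACL's source field is compared against the route's network address and its destination field against the route's subnet mask, with wildcard bits ignored. The ten routes are constructed from R2's loopbacks above; the function names are my own. The block also enumerates which prefix lengths the 255.255.255.192 0.0.0.48 pair can match, showing why the one non-contiguous mask it can generate is harmless.

```python
import ipaddress

# Constructed sample: the ten networks R2 advertises in the post.
R2_ROUTES = [
    "192.168.0.0/24", "192.168.1.0/25", "192.168.1.128/25",
    "192.168.2.0/26", "192.168.2.64/27", "192.168.2.128/27",
    "192.168.3.0/28", "192.168.3.64/28", "192.168.3.128/29", "192.168.3.160/29",
]


def _ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def prefix_list_permits(entry, candidate, ge=None, le=None):
    """Emulate one `ip prefix-list ... permit ENTRY [ge GE] [le LE]` line.

    Assumed IOS semantics: the candidate's first ENTRY-length bits must equal
    ENTRY's, and its prefix length must lie in [GE, LE]. Without ge/le the
    length must equal ENTRY's own length; `ge` alone implies `le 32`.
    """
    net = ipaddress.ip_network(entry)
    cand = ipaddress.ip_network(candidate)
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    shift = 32 - net.prefixlen
    same_high_bits = (int(cand.network_address) >> shift) == (int(net.network_address) >> shift)
    return same_high_bits and low <= cand.prefixlen <= high


def extended_acl_permits(src, src_wc, mask, mask_wc, candidate):
    """Emulate `permit ip SRC SRC_WC MASK MASK_WC` as used in a distribute-list.

    Assumed IOS semantics: the source field is matched against the route's
    network address and the destination field against its subnet mask;
    wildcard bits set to 1 are ignored in the comparison.
    """
    cand = ipaddress.ip_network(candidate)

    def matches(value, pattern, wildcard):
        care = ~_ip2int(wildcard) & 0xFFFFFFFF
        return value & care == _ip2int(pattern) & care

    return (matches(int(cand.network_address), src, src_wc)
            and matches(int(cand.netmask), mask, mask_wc))


def acl_mask_prefix_lengths(mask, mask_wc):
    """Enumerate every subnet mask a MASK/MASK_WC pair can match.

    Returns (valid_prefix_lengths, bogus_masks). Wildcard bits may also
    produce non-contiguous masks (e.g. 255.255.255.208) that no real route
    ever carries, which is why the 0.0.0.48 trick in the post is safe.
    """
    base, wc = _ip2int(mask), _ip2int(mask_wc)
    free_bits = [b for b in range(32) if wc >> b & 1]
    valid, bogus = set(), set()
    for combo in range(1 << len(free_bits)):
        m = base & ~wc & 0xFFFFFFFF
        for i, b in enumerate(free_bits):
            if combo >> i & 1:
                m |= 1 << b
        try:
            valid.add(ipaddress.ip_network(f"0.0.0.0/{ipaddress.IPv4Address(m)}").prefixlen)
        except ValueError:  # non-contiguous mask: rejected by ipaddress
            bogus.add(str(ipaddress.IPv4Address(m)))
    return sorted(valid), sorted(bogus)


def permitted(predicate, routes=R2_ROUTES):
    """Apply one match predicate to the advertised routes, like the route-map does."""
    return sorted(r for r in routes if predicate(r))


def compare_page_examples():
    """Reproduce the post's two filter pairs and report whether each pair agrees."""
    ge27_pl = permitted(lambda r: prefix_list_permits("192.168.0.0/16", r, ge=27))
    ge27_acl = permitted(lambda r: extended_acl_permits(
        "192.168.0.0", "0.0.255.255", "255.255.255.224", "0.0.0.31", r))
    b26_28_pl = permitted(lambda r: prefix_list_permits("192.168.0.0/16", r, ge=26, le=28))
    b26_28_acl = permitted(lambda r: extended_acl_permits(
        "192.168.0.0", "0.0.255.255", "255.255.255.192", "0.0.0.48", r))
    return {
        "ge27": (ge27_pl, ge27_acl, ge27_pl == ge27_acl),
        "26to28": (b26_28_pl, b26_28_acl, b26_28_pl == b26_28_acl),
    }


if __name__ == "__main__":
    for name, (pl, acl, same) in compare_page_examples().items():
        print(name, "prefix-list:", pl, "ACL:", acl, "identical:", same)
    print(acl_mask_prefix_lengths("255.255.255.192", "0.0.0.48"))
```

Run it and both pairs report six and five permitted routes respectively, exactly the route counts R1 shows in the two `show ip route summary` lines above. The enumeration for 255.255.255.192 0.0.0.48 yields the lengths 26, 27 and 28 plus the unusable mask 255.255.255.208, which is the reason a wildcard with non-adjacent bits can still be a precise length filter.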

Here, I tried to prove that both of them provide a similar level of flexibility. However, prefix-lists have a more user-friendly CLI and provide higher performance (they use fewer CPU cycles), and that should be the main motivation to use them.

1 comment:

  1. Hola amigo! Small correction, the following prefix list:
    ip prefix-list FILTER permit 10.0.0.0/16 ge 25 le 25
    allows only these two prefixes:
    10.0.0.0/25
    10.0.0.128/25

    not all the /25 prefixes from the example:
    10.0.1.0/25
    10.0.1.128/25
    10.0.2.128/25
