## Prefix-list
- The filtering feature most often used alongside ACLs; a prefix-list can filter on patterns that an ACL cannot express.
[It can only be used to specify network ranges; it cannot be used to build a firewall.]
# [Basic format]
ip prefix-list [Name] seq [N] [Permit/Deny] [A.B.C.D]/subnetmask [ge] [le]
ip prefix-list [Name] seq [N] [Permit/Deny] [A.B.C.D]/subnetmask X [le Y]
- Includes every subnet mask from X through Y
ip prefix-list [Name] seq [N] [Permit/Deny] [A.B.C.D]/subnetmask X [ge Y] [le Z]
- Within the /X network range, includes subnet masks from Y through Z
- A prefix-list denies all remaining traffic that none of its configured entries matches (implicit deny).
------------------------------------------------------------------------------------------------------------------
EX1) Of the networks RX receives from RY, it wants to accept only the 172.16.0.0/24 and 172.16.3.0/24 networks.
ip prefix-list NET172 permit 172.16.0.0/24
ip prefix-list NET172 permit 172.16.3.0/24
!
-----------------------------------------------------------------------------------------------------------------
EX2-1) Permit the 172.16.0.0/16 network
ip prefix-list NET172 permit 172.16.0.0/16
!
EX2-2) Permit the 172.16.0.0/16 network range [172.16.0.0 ~ 172.16.255.255], i.e. every subnet inside it
ip prefix-list NET172 permit 172.16.0.0/16 le 32
-----------------------------------------------------------------------------------------------------------------
EX3-1) Permit the 10.0.0.0/8 network
ip prefix-list NET10 permit 10.0.0.0/8
!
EX3-2) Permit the 10.0.0.0/8 network range [10.0.0.0 ~ 10.255.255.255], i.e. every subnet inside it
ip prefix-list NET10 permit 10.0.0.0/8 le 32
!
-----------------------------------------------------------------------------------------------------------------
EX4) Permit the networks in the 172.16.0.0/16 range whose subnet mask is /24
ip prefix-list NET172 permit 172.16.0.0/16 ge 24 le 24
!
-----------------------------------------------------------------------------------------------------------------
EX5) Permit the networks in the 10.0.0.0/8 range whose subnet mask is /27
ip prefix-list NET10 permit 10.0.0.0/8 ge 27 le 27
!
-----------------------------------------------------------------------------------------------------------------
EX6) Permit the network range "172.16.0.0 ~ 172.16.7.255" and deny all other networks
- 172.16.00000|000.00000000
~
- 172.16.00000|111.11111111
(the first 21 bits are shared by every address in the range, so it is exactly 172.16.0.0/21)
ip prefix-list NET172 permit 172.16.0.0/21 le 32
!
-----------------------------------------------------------------------------------------------------------------
EX7) Deny the network range "100.100.16.0 ~ 100.100.23.255" and permit all other networks
100.100.00010|000.00000000
100.100.00010|001.00000000
100.100.00010|010.00000000
100.100.00010|011.00000000
100.100.00010|100.00000000
100.100.00010|101.00000000
100.100.00010|110.00000000
100.100.00010|111.11111111
(the first 21 bits are shared, so the range is exactly 100.100.16.0/21)
ip prefix-list NET100 deny 100.100.16.0/21 le 32
ip prefix-list NET100 permit 0.0.0.0/0 le 32
!
-----------------------------------------------------------------------------------------------------------------
EX9) Use a prefix-list to deny the private address ranges; permit all other networks
- Class A : 10.0.0.0 ~ 10.255.255.255
- Class B : 172.16.0.0 ~ 172.31.255.255
- Class C : 192.168.0.0 ~ 192.168.255.255
ip prefix-list PREVATE deny 10.0.0.0/8 le 32
ip prefix-list PREVATE deny 172.16.0.0/12 le 32
ip prefix-list PREVATE deny 192.168.0.0/16 le 32
ip prefix-list PREVATE permit 0.0.0.0/0 le 32
!
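The binary reasoning of EX6, EX7 and EX9 (find the bits shared by the first and last address of a range, and check that the range is exactly one block) as an added Python example; this is not code from the original post, and the function names are my own.

```python
import ipaddress

def range_to_prefix(first, last):
    """Return the single A.B.C.D/X block that covers exactly first..last,
    or None when the range is not aligned to one prefix (then one entry
    is not enough and the range has to be split into several entries)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    # One CIDR block has a power-of-two size and starts on a multiple of that size.
    if size & (size - 1) or lo % size:
        return None
    prefixlen = 32 - size.bit_length() + 1   # 2048 addresses -> /21
    return f"{first}/{prefixlen}"

def show_split(addr, prefixlen):
    """Render the address in binary with '|' after the network bits,
    in the same layout as the worked examples above."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = ""
    for i, b in enumerate(bits):
        if i and i % 8 == 0:
            out += "."
        if i == prefixlen:
            out += "|"
        out += b
    return out

if __name__ == "__main__":
    # Ranges taken from EX6, EX7 and EX9; the last one is constructed and not aligned.
    for first, last in [("172.16.0.0", "172.16.7.255"), ("100.100.16.0", "100.100.23.255"),
                        ("172.16.0.0", "172.31.255.255"), ("172.16.1.0", "172.16.7.255")]:
        block = range_to_prefix(first, last)
        print(f"{first} ~ {last} -> {block}")
        if block:
            print("  ", show_split(first, int(block.split('/')[1])))
```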
------------------------------------------------------------------------------------------------------------------
## Practice problems
# R5
interface loopback 172
ip address 172.16.1.1 255.255.255.224
ip address 172.16.2.2 255.255.255.224 secondary
ip address 172.16.3.3 255.255.255.224 secondary
ip address 172.16.4.4 255.255.255.192 secondary
ip address 172.16.5.5 255.255.255.192 secondary
ip address 172.16.6.6 255.255.255.192 secondary
ip address 172.16.7.7 255.255.255.128 secondary
ip address 172.16.8.8 255.255.255.128 secondary
ip address 172.16.9.9 255.255.255.128 secondary
ip address 172.16.10.10 255.255.255.0 secondary
ip address 172.16.11.11 255.255.255.0 secondary
ip address 172.16.12.12 255.255.255.0 secondary
!
router eigrp 100
network 172.16.0.0 0.0.15.255
!
# R4
interface loopback 10
shutdown
!
Verification
R3# show ip route eigrp | include 172.16
172.16.0.0/16 is variably subnetted, 12 subnets, 4 masks
D 172.16.12.0/24 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.8.0/25 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.9.0/25 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.10.0/24 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.11.0/24 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.4.0/26 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.5.0/26 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.6.0/26 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.7.0/25 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.1.0/27 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.2.0/27 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
D 172.16.3.0/27 [90/409600] via 150.3.13.254, 00:01:31, FastEthernet0/0
----------------------------------------------------------------------------------------------------------------
Problem 1) Of the EIGRP network information R3 receives from R5, it must accept only the
172.16.1.0/27, 172.16.4.0/26, 172.16.7.0/25 and 172.16.10.0/24 networks.
# R3
ip prefix-list NET172 permit 172.16.1.0/27
ip prefix-list NET172 permit 172.16.4.0/26
ip prefix-list NET172 permit 172.16.7.0/25
ip prefix-list NET172 permit 172.16.10.0/24
!
router eigrp 100
distribute-list prefix NET172 in fastethernet 0/0
!
Verification
R3# show ip route eigrp | include FastEthernet0/0
D 172.16.10.0/24 [90/409600] via 150.3.13.254, 00:09:13, FastEthernet0/0
D 172.16.4.0/26 [90/409600] via 150.3.13.254, 00:09:14, FastEthernet0/0
D 172.16.7.0/25 [90/409600] via 150.3.13.254, 00:09:13, FastEthernet0/0
D 172.16.1.0/27 [90/409600] via 150.3.13.254, 00:09:14, FastEthernet0/0
###### After verification, remove the distribute-list configuration ######
# R3
no ip prefix-list NET172
!
router eigrp 100
no distribute-list prefix NET172 in fastethernet 0/0
!
----------------------------------------------------------------------------------------------------------------
Problem 2) Of the EIGRP network information R3 receives from R5 on its FastEthernet0/0 interface,
networks inside the 172.16.0.0/16 range whose subnet mask is /24 must not be accepted.
All network information outside the 172.16.0.0/16 range must be accepted.
# R3
ip prefix-list NET172 deny 172.16.0.0/16 ge 24 le 24
ip prefix-list NET172 permit 0.0.0.0/0 le 32
!
router eigrp 100
distribute-list prefix NET172 in fastethernet 0/0
!
Verification
R3# show ip route eigrp | include FastEthernet0/0
D 4.1.1.0 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 172.16.8.0/25 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 172.16.9.0/25 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 172.16.4.0/26 [90/409600] via 150.3.13.254, 00:15:53, FastEthernet0/0
D 172.16.5.0/26 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 172.16.6.0/26 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 172.16.7.0/25 [90/409600] via 150.3.13.254, 00:15:52, FastEthernet0/0
D 172.16.1.0/27 [90/409600] via 150.3.13.254, 00:15:53, FastEthernet0/0
D 172.16.2.0/27 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 172.16.3.0/27 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 128.28.2.0 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 128.128.1.0 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.2.3.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.1.1.4 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.2.1.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.198.1.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.198.22.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 13.13.5.0 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 13.13.15.0 [90/307200] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.198.4.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.198.21.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.2.5.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
D 198.198.5.0/24 [90/409600] via 150.3.13.254, 00:03:49, FastEthernet0/0
###### After verification, remove the distribute-list configuration ######
# R3
no ip prefix-list NET172
!
router eigrp 100
no distribute-list prefix NET172 in fastethernet 0/0
!
------------------------------------------------------------------------------------------------------------------
Problem 3) Of the 172.16.0.0/16 networks advertised by R5, R3 must accept via EIGRP only those whose mask is /25 ~ /27.
# R3
ip prefix-list NET172 permit 172.16.0.0/16 ge 25 le 27
!
router eigrp 100
distribute-list prefix NET172 in fastethernet 0/0
!
Verification
R3# show ip route eigrp | include FastEthernet0/0
D 172.16.8.0/25 [90/409600] via 150.3.13.254, 00:08:08, FastEthernet0/0
D 172.16.9.0/25 [90/409600] via 150.3.13.254, 00:08:08, FastEthernet0/0
D 172.16.4.0/26 [90/409600] via 150.3.13.254, 00:20:12, FastEthernet0/0
D 172.16.5.0/26 [90/409600] via 150.3.13.254, 00:08:08, FastEthernet0/0
D 172.16.6.0/26 [90/409600] via 150.3.13.254, 00:08:08, FastEthernet0/0
D 172.16.7.0/25 [90/409600] via 150.3.13.254, 00:20:12, FastEthernet0/0
D 172.16.1.0/27 [90/409600] via 150.3.13.254, 00:20:13, FastEthernet0/0
D 172.16.2.0/27 [90/409600] via 150.3.13.254, 00:08:08, FastEthernet0/0
D 172.16.3.0/27 [90/409600] via 150.3.13.254, 00:08:08, FastEthernet0/0
###### After verification, remove the distribute-list configuration ######
# R3
no ip prefix-list NET172
!
router eigrp 100
no distribute-list prefix NET172 in fastethernet 0/0
!
# R5
no interface loopback 172
!
# R4
interface loopback 10
no shutdown
!
------------------------------------------------------------------------------------------------------------------
Problem 4) R1 must deny all private networks among the EIGRP network information it receives from R4 and permit all other networks.
# R1
ip prefix-list PREVATE deny 10.0.0.0/8 le 32
ip prefix-list PREVATE deny 172.16.0.0/12 le 32
ip prefix-list PREVATE deny 192.168.0.0/16 le 32
ip prefix-list PREVATE permit 0.0.0.0/0 le 32
!
router eigrp 100
distribute-list prefix PREVATE in fastethernet 0/0
!
Verification
R1# show ip route eigrp | include FastEthernet0/0
D 199.172.11.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 199.172.10.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 199.172.9.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 199.172.8.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 199.172.15.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 199.172.14.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 199.172.13.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 192.186.11.0/24 [90/409600] via 150.1.13.254, 00:03:13, FastEthernet0/0
D 199.172.12.0/24 [90/409600] via 150.1.13.254, 02:05:57, FastEthernet0/0
D 199.172.3.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 199.172.2.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 199.172.1.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 199.172.16.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 199.172.7.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 199.172.6.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 13.13.4.0 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 13.13.14.0 [90/307200] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 199.172.5.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 150.100.1.0 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
D 199.172.4.0/24 [90/409600] via 150.1.13.254, 01:44:30, FastEthernet0/0
###### After verification, remove the distribute-list configuration ######
# R1
no ip prefix-list PREVATE
!
router eigrp 100
no distribute-list prefix PREVATE in fastethernet 0/0
!