Bob,

Thanks. I think this is OK for filtering purposes. But my concern is about the default route, which includes everything.
But from a security perspective, is it accurate to inject the default route?

Jean-Marie NGOK
Senior Network Engineer

________________________________
From: Bob McCouch <[email protected]>
To: JM NGOK <[email protected]>
Cc: Wilson Tuma <[email protected]>; "[email protected]" <[email protected]>
Sent: Wednesday, April 4, 2012 10:41 AM
Subject: Re: [OSL | CCIE_RS] Prefix-list doubt

JM,

I believe you're thinking of the 0.0.0.0/0 entry in the context of an access-list, in which anything more specific than the entry will match. A prefix-list will *not* match a more specific entry unless the "ge" and/or "le" operators are used.

Go ahead and lab it up. I just did. R1 and R2 are doing EIGRP over Ethernet. R1 has a number of prefixes it is injecting, including 0.0.0.0/0. Here is what I did on R2:

R2(config)#do sh ip ro eigrp | i D
D 1.0.0.0/8 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
D 2.2.0.0 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
D 3.3.32.0 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
D 4.4.4.0 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
D 5.5.5.5 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
D* 0.0.0.0/0 [90/281600] via 10.1.12.1, 00:01:59, FastEthernet0/0

!--- This matches the example prefix-list, even though the second line is
!--- redundant with the implicit deny.
R2(config)#ip prefix-list TEST permit 0.0.0.0/0
R2(config)#ip prefix-list TEST deny 0.0.0.0/0 le 32

R2(config)#router eigrp 1
R2(config-router)#distribute-list prefix TEST in
*Mar 1 00:17:03.375: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is resync: route configuration changed

R2(config-router)#do sh ip ro eigrp | i D
D* 0.0.0.0/0 [90/281600] via 10.1.12.1, 00:03:11, FastEthernet0/0
R2(config-router)#

As you can see, that prefix list allows only the *exact* prefix 0.0.0.0/0, the default route. Other prefixes were not allowed, because none of them matched *exactly* 0.0.0.0 with a prefix length of 0.

Hope this helps. When in doubt, lab it.

Best,
Bob

On Wed, Apr 4, 2012 at 9:49 AM, JM NGOK <[email protected]> wrote:

> That's my concern. I think this prefix-list is useless since it allows the default route (which includes any route).
>
> Marko,
>
> Do you think this prefix-list is accurate for filtering?
>
> Thanks
>
> Jean-Marie NGOK
> Senior Network Engineer
>
> ________________________________
> From: Wilson Tuma <[email protected]>
> To: JM NGOK <[email protected]>; "[email protected]" <[email protected]>
> Sent: Wednesday, April 4, 2012 1:22 AM
> Subject: Re: [OSL | CCIE_RS] Prefix-list doubt
>
> Hi all,
>
> Prefix lists have always been tricky for me, but from my understanding:
>
> ip prefix-list ROUTES seq 10 permit 0.0.0.0/0 : Will permit only a default route
>
> ip prefix-list ROUTES seq 999 deny 0.0.0.0/0 le 32 : Will deny anything.
>
> Combined it would mean permit default route and deny anything else,
> which is as good as permitting only the default route, since everything else is
> denied by the implied deny all at the end of the prefix-list.
>
> So the final thing should be:
>
> ip prefix-list ROUTES seq 10 permit 0.0.0.0/0
>
> HTH
>
> Thanks.
>
> Wilson F. Tuma
> ====================================
> CCNP, CCNA, MCSE, MCSA
>
> Box 1784 Douala
> Cell : +237 77 753 753
> Email : [email protected]
> ====================================
>
> ________________________________
> From: JM NGOK <[email protected]>
> To: "[email protected]" <[email protected]>
> Sent: Tuesday, April 3, 2012 8:09 PM
> Subject: [OSL | CCIE_RS] Prefix-list doubt
>
> Hi all,
>
> Please excuse my foolishness, but I want to understand which subnets are
> allowed under this prefix-list:
>
> ip prefix-list ROUTES description INBOUND-ROUTES
> ip prefix-list ROUTES seq 10 permit 0.0.0.0/0
> ip prefix-list ROUTES seq 999 deny 0.0.0.0/0 le 32
>
> Again, excuse me if this is not a CCIE level question. I just have some doubts.
>
> Thanks
>
> Jean-Marie NGOK
> Senior Network Engineer
> 347 - 559 - 1172
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
> http://onlinestudylist.com/mailman/listinfo/ccie_rs
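The matching rule Bob demonstrates in the lab (a prefix-list entry matches only a route whose first N bits equal the entry's network *and* whose own length falls in the permitted range, which is exactly N unless ge/le widen it) can be modelled directly. The following is an added example written for this thread, not code from any poster or from IOS; the routes are constructed to mirror the lab output above, with masks assumed where the show output omitted them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        plen = self.prefix.prefixlen
        # Range the route's own length must fall in: exactly plen unless ge/le are given.
        lo = self.ge if self.ge is not None else plen
        hi = self.le if self.le is not None else (32 if self.ge is not None else plen)
        if not lo <= route.prefixlen <= hi:
            return False
        # The route's first plen bits must equal the entry's network bits (plen 0 -> mask 0).
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        return int(route.network_address) & mask == int(self.prefix.network_address) & mask

def parse_entry(line: str) -> Entry:
    """Parse an IOS line such as 'ip prefix-list ROUTES seq 999 deny 0.0.0.0/0 le 32'."""
    tok = line.split()
    i = tok.index("seq")
    seq, action, prefix = int(tok[i + 1]), tok[i + 2], ipaddress.IPv4Network(tok[i + 3])
    opts = dict(zip(tok[i + 4::2], map(int, tok[i + 5::2])))   # e.g. {"ge": 24, "le": 28}
    return Entry(seq, action, prefix, opts.get("ge"), opts.get("le"))

def evaluate(entries, route):
    """First matching entry (by seq) decides; no match falls to the implicit deny."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(route):
            return e.action, e.seq
    return "deny", None

def permitted(config_lines, routes):
    entries = [parse_entry(l) for l in config_lines]
    return [str(r) for r in routes if evaluate(entries, r)[0] == "permit"]

# Constructed routes modelled on the lab output (masks for 2.2.0.0 etc. are assumed).
ROUTES = [ipaddress.IPv4Network(p) for p in
          ("0.0.0.0/0", "1.0.0.0/8", "2.2.0.0/16", "3.3.32.0/24", "4.4.4.0/24", "5.5.5.5/32")]
PREFIX_LIST_FROM_QUESTION = ["ip prefix-list ROUTES seq 10 permit 0.0.0.0/0",
                             "ip prefix-list ROUTES seq 999 deny 0.0.0.0/0 le 32"]
MATCH_ANYTHING = ["ip prefix-list ANY seq 10 permit 0.0.0.0/0 le 32"]   # the ACL-style reading

if __name__ == "__main__":
    print(permitted(PREFIX_LIST_FROM_QUESTION, ROUTES))   # only the default route survives
    print(permitted(MATCH_ANYTHING, ROUTES))              # 'le 32' is what admits everything
```

Dropping the seq 999 line gives the same result as the two-line list, since every non-default route already falls through to the implicit deny.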
