[c-nsp] dropping traffic for RFC3330 networks
Jeff Kell
jeff-kell at utc.edu
Tue Aug 29 08:12:56 EDT 2006
lee.e.rian at census.gov wrote:
> Dan Armstrong <dan at beanfield.com> wrote on 08/28/2006 09:57:02 PM:
>
>
>> On a related note to this..... what are people's opinions about null
>> routing vs. ACLing bogons?
>>
>
> I always thought null routing was better. ACLs may or may not be applied
> in the fast path and they generate ICMP unreachables
Null routing is the most efficient and scaleable way to obliterate
traffic, but it has two downsides:
* It 'terminates with extreme prejudice' leaving no trail, (does it have
a characteristic netflow?)
* It only drops traffic based on destination address (by itself)
If the hardware supports uRPF then null routing will also drop based on
source address.
The big questions are 'do you care?' about this traffic, and 'what use
is that knowledge?'.
Traffic 'sourced' from or 'destined' to 3330 on your edge ingress should
probably result in a conversation with your upstream :-) ACLs would
reveal the addresses in question for troubleshooting, but having a 3330
source doesn't help much of anything.
Traffic to/from 3330 on your edge egress means you have a problem
internally. ACLs will help identify the traffic, but you really want to
move this sort of filtering closer to your access layers where you can
do ACLs with log-input to hopefully yield a better clue where it's
coming from. By the time you reach the edge, source filtering is too
late to be useful for troubleshooting.
Jeff
More information about the cisco-nsp
mailing list