[c-nsp] Is there anyway to adjust the administrative distance for 'connected'?

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 18 11:03:36 EST 2008


Drew Weaver wrote:
> This may sound like an odd question, but I was just curious if there
> is any way to adjust the administrative distance for 'connected'?

No.

> 
> I'm trying to make it impossible for hosts who are 'blackholed' to
> even send traffic to their 'default gateway' or hosts who are

Enable this on the client network (very good idea anyway):

ip verify unicast reachable-via rx

...and introduce a /32 pointing to Null0 for the client IP, which it 
sounds like you're already doing. That will block traffic going to the 
host, and when packets come in from it, the router will see that IP is 
not in fact reachable via VlanXX but Null0 and drop it.

> connected to the same 'distribution' switch that the blackholed host

Harder. You'd need to use a layer2 technology. Kicking the host into a 
VLAN within a VRF using mac-auth via Radius (or VMPS on older switches) 
is my preferred choice.

Other techniques like edge switch ACLs and private vlans (with a bit of 
fiddling) will work too.

> are connected to. The Blackhole routes have an administrative

If they're more specific, it doesn't matter. Administrative distance is 
only used to select between routes of the same prefix/mask from 
different protocols.

> distance of 1 currently and as we all know normally 'connected
> networks' have an AD of 0.
> 
> Does anyone know of a way to do this? The Blackhole works fine at the
> edge of the network where the routes are distributed via OSPF but I
> wanted to also prevent traffic from traversing the distribution
> switches to the edge just to be blackholed (seems like a waste of
> resources).

Personally I wouldn't worry about it. But then we got vlan-based banning 
working ;o)
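As an added illustration that is not part of the thread, the Python model below mimics a router's best-path selection (longest prefix first, then lowest AD) and the strict uRPF check that `ip verify unicast reachable-via rx` performs. It shows why a /32 to Null0 beats the connected /24 whatever its AD, why a same-length static can never beat a connected route, and why packets sourced from the blackholed host are dropped on ingress. The routing table, addresses and VLAN names are constructed for the example.

```python
import ipaddress

# Constructed RIB candidates: (prefix, egress interface, administrative distance).
# Best-path selection below mimics IOS: most specific prefix wins; AD only
# breaks ties between routes for the same prefix/mask.
RIB = [
    (ipaddress.ip_network("10.1.1.0/24"), "Vlan10", 0),    # connected client VLAN
    (ipaddress.ip_network("10.1.1.0/24"), "Null0", 1),     # static for the same /24: loses to AD 0
    (ipaddress.ip_network("10.1.1.77/32"), "Null0", 1),    # blackhole /32 for the offending host
    (ipaddress.ip_network("10.2.2.0/24"), "Vlan20", 0),    # another connected VLAN
    (ipaddress.ip_network("0.0.0.0/0"), "Vlan999", 110),   # default learned via OSPF
]


def lookup(address):
    """Return the egress interface for an address: longest prefix, then lowest AD."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in RIB if addr in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def strict_urpf_permits(src, ingress_iface):
    """Strict uRPF: accept only if the route back to the source exits the
    interface the packet arrived on. A /32 to Null0 therefore fails the check."""
    return lookup(src) == ingress_iface


def forward(src, dst, ingress_iface):
    """Simulate the router's decision for one packet routed between VLANs."""
    if not strict_urpf_permits(src, ingress_iface):
        return "drop (uRPF fail)"
    egress = lookup(dst)
    if egress == "Null0":
        return "drop (Null0)"
    return f"forward via {egress}"


if __name__ == "__main__":
    print(forward("10.1.1.77", "192.0.2.1", "Vlan10"))  # blackholed host as source
    print(forward("10.2.2.5", "10.1.1.77", "Vlan20"))   # traffic towards the blackholed host
    print(forward("10.1.1.5", "192.0.2.1", "Vlan10"))   # ordinary host is unaffected
```

Note that traffic between two hosts on the same VLAN never reaches this lookup at all, which is exactly why the thread says that case needs a layer-2 mechanism.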

