[c-nsp] Bogon Filter - Least Resource/CPU intensive method?

Pelle perc69+cnsp at gmail.com
Wed Mar 5 09:31:33 EST 2008


On Wed, Mar 5, 2008 at 8:32 AM, Whisper <whisper555 at gmail.com> wrote:

> Which is the preferred method for blocking bogons on the Internet & why?
>

It depends what you wanna do.

> ip route 10.0.0.0 255.0.0.0 Null0
> ip route 127.0.0.0 255.0.0.0 Null0
> ip route 169.254.0.0 255.255.0.0 Null0
> ip route 172.16.0.0 255.240.0.0 Null0
> ip route 192.168.0.0 255.255.0.0 Null0
>

If you route a prefix to Null, you will filter traffic *destined* to that
prefix.


> access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
> access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
> access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
>

As the ACL is written here (and applied in the ingress direction), traffic
*sourced* from the prefixes will be filtered. When turning it the other way
around ("deny ip any 10.0.0.0 0.255.255.255") it can also be used for
filtering *destination* traffic.

ACLs are in a sense much more flexible than Null routing, because of the
possibilities to filter on both source and destination, as well as in
ingress or egress.

> Is the preferred solution sometimes hardware-specific?


Normally the CEF performance is higher than the ACL performance on most
hardware. That means a CEF-based approach (Null routing) is faster than an
ACL-based one. On devices where ACLs are done in hardware, I would assume
comparable performance.

-- 
Pelle
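The source-versus-destination distinction drawn in the reply above, worked through as an added example (not code from the thread or from any Cisco tool). It models three things in plain Python: a CEF-style longest-prefix lookup over the quoted `ip route ... Null0` entries, a first-match ACL using Cisco wildcard-mask semantics built from the same prefixes, and the "turned around" ACL that matches on destination instead. The default route to an upstream, the explicit trailing `permit`, and the sample packets are constructed assumptions so the example runs offline.

```python
"""Model of Null0 routing vs. ingress ACL for bogon filtering.

Added example, not from the original mailing-list post. The bogon list is
the one quoted in the thread; the default route, the final permit and the
sample addresses are constructed for illustration.
"""
import ipaddress

# Bogon prefixes quoted in the thread, in the netmask form 'ip route' uses.
BOGONS = [
    ("10.0.0.0", "255.0.0.0"),
    ("127.0.0.0", "255.0.0.0"),
    ("169.254.0.0", "255.255.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword in wildcard form


def netmask_to_wildcard(netmask: str) -> str:
    """A Cisco ACL wildcard mask is the bitwise inverse of the netmask,
    e.g. 255.240.0.0 -> 0.15.255.255."""
    inverted = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def null_route_table(bogons):
    """Routing table with each bogon pointed at Null0 plus an assumed
    default route so ordinary traffic has somewhere to go."""
    table = [(ipaddress.IPv4Network(f"{net}/{mask}"), "Null0") for net, mask in bogons]
    table.append((ipaddress.IPv4Network("0.0.0.0/0"), "upstream"))  # assumed default
    return table


def lookup(table, dst: str) -> str:
    """Longest-prefix match on the *destination* only, as forwarding does."""
    addr = ipaddress.IPv4Address(dst)
    best_net, best_hop = max(
        ((net, hop) for net, hop in table if addr in net),
        key=lambda entry: entry[0].prefixlen,
    )
    return best_hop


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def bogon_acl(bogons, match_on="source"):
    """Entries equivalent to 'access-list 101 deny ip <net> <wildcard> any'
    (match_on='source') or 'deny ip any <net> <wildcard>' (match_on='destination'),
    followed by an explicit permit so the implicit deny does not drop everything."""
    entries = []
    for net, mask in bogons:
        prefix = (net, netmask_to_wildcard(mask))
        src, dst = (prefix, ANY) if match_on == "source" else (ANY, prefix)
        entries.append(("deny", *src, *dst))
    entries.append(("permit", *ANY, *ANY))
    return entries


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"


def evaluate(src: str, dst: str) -> dict:
    """What each mechanism does with one packet src -> dst."""
    hop = lookup(null_route_table(BOGONS), dst)
    return {
        "null_route": "drop" if hop == "Null0" else "forward",
        "ingress_acl_src": "drop" if acl_action(bogon_acl(BOGONS), src, dst) == "deny" else "forward",
        "acl_dst": "drop" if acl_action(bogon_acl(BOGONS, "destination"), src, dst) == "deny" else "forward",
    }


if __name__ == "__main__":
    # Constructed sample packets: a spoofed RFC1918 source, a bogon destination, normal traffic.
    for packet in [("10.1.2.3", "198.51.100.7"), ("198.51.100.7", "10.1.2.3"), ("198.51.100.7", "203.0.113.9")]:
        print(packet, evaluate(*packet))
```

Running it shows the asymmetry the reply describes: the packet sourced from 10.1.2.3 sails past the Null0 routes but is denied by the source ACL, while the packet destined to 10.1.2.3 is dropped by the Null0 route (and by the destination-flipped ACL) but passes the source ACL untouched.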

