[c-nsp] Bogon Filter - Least Resource/CPU intensive method?
Pelle
perc69+cnsp at gmail.com
Wed Mar 5 10:32:52 EST 2008
On Wed, Mar 5, 2008 at 8:32 AM, Whisper <whisper555 at gmail.com> wrote:
> Which is the preferred method for blocking bogons on the Internet & why?
It depends what you wanna do.
> ip route 10.0.0.0 255.0.0.0 Null0
> ip route 127.0.0.0 255.0.0.0 Null0
> ip route 169.254.0.0 255.255.0.0 Null0
> ip route 172.16.0.0 255.240.0.0 Null0
> ip route 192.168.0.0 255.255.0.0 Null0
>
If you route a prefix to Null, you will filter traffic *destined* to that
prefix.
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip 169.254.0.0 0.0.255.255 any
> access-list 101 deny ip 172.16.0.0 0.15.255.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
>
As the ACL is written here (if applied in the ingress direction), traffic
*sourced* from the prefixes will be filtered. When turning it the other way
around ("deny ip any 10.0.0.0 0.255.255.255") it can also be used for
filtering *destination* traffic.
ACLs are in a sense much more flexible than Null routing, because of the
possibilities to filter on both source and destination, as well as in
ingress or egress.
> Is the preferred solution sometimes hardware specific?
Normally the CEF performance is higher than the ACL performance on most
hardware. That means a CEF-based approach (Null routing) is faster than an
ACL-based. On devices where ACLs are done in hardware, I would assume
comparable performance.
--
Pelle
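As an added illustration (not part of the thread, and not vendor code) of the asymmetry Pelle describes, the snippet below models the two configurations in Python: a Null0 route is a destination lookup, so only the packet's destination is tested, while the ACL as written tests the source, and the reversed form ("deny ip any <bogon>") tests the destination. It assumes a trailing `permit ip any any` after the deny entries and uses constructed sample packets.

```python
import ipaddress

# Bogon prefixes exactly as the thread shows them: (network, netmask) for the
# "ip route ... Null0" form and (network, wildcard) for the access-list form.
NULL_ROUTES = [("10.0.0.0", "255.0.0.0"), ("127.0.0.0", "255.0.0.0"),
               ("169.254.0.0", "255.255.0.0"), ("172.16.0.0", "255.240.0.0"),
               ("192.168.0.0", "255.255.0.0")]
ACL_BOGONS = [("10.0.0.0", "0.255.255.255"), ("127.0.0.0", "0.255.255.255"),
              ("169.254.0.0", "0.0.255.255"), ("172.16.0.0", "0.15.255.255"),
              ("192.168.0.0", "0.0.255.255")]

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0 bits must match."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))))

NULL_NETS = [ipaddress.IPv4Network((a, m)) for a, m in NULL_ROUTES]

def null_route_drops(dst):
    """'ip route <prefix> Null0' is a FIB lookup on the destination only."""
    return any(ipaddress.IPv4Address(dst) in net for net in NULL_NETS)

def build_acl(bogons, direction):
    """direction='source'  -> 'deny ip <bogon> any'
       direction='destination' -> 'deny ip any <bogon>'  (the reversed form)
       Entries are (action, src_net, dst_net); None means 'any'."""
    acl = []
    for addr, wc in bogons:
        net = wildcard_to_network(addr, wc)
        acl.append(("deny", net, None) if direction == "source" else ("deny", None, net))
    acl.append(("permit", None, None))  # assumed trailing 'permit ip any any'
    return acl

def acl_action(src, dst, acl):
    """Top-down, first match wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if (src_net is None or s in src_net) and (dst_net is None or d in dst_net):
            return action
    return "deny"

ACL_SRC = build_acl(ACL_BOGONS, "source")       # the thread's access-list 101
ACL_DST = build_acl(ACL_BOGONS, "destination")  # the reversed variant

def classify(src, dst):
    """What each of the three configurations does with one packet."""
    return {"null_route": "drop" if null_route_drops(dst) else "forward",
            "acl_source": acl_action(src, dst, ACL_SRC),
            "acl_destination": acl_action(src, dst, ACL_DST)}

if __name__ == "__main__":
    # Constructed packets: a spoofed RFC1918 source, then an RFC1918 destination.
    print(classify("10.1.2.3", "198.51.100.7"))
    print(classify("198.51.100.7", "172.31.0.1"))
```

The first packet (bogon source, legitimate destination) sails through the Null0 route but is denied by the source ACL; the second (legitimate source, bogon destination) is dropped by the Null0 route and the reversed ACL only.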