Hi Jean-Marie,

From a security perspective? The answer unfortunately is maybe, because you
haven't identified the business requirements or technical constraints/best
practices you need to implement. As a single example, a default route is
useful in attracting traffic that is otherwise directed somewhere else;
perhaps you want to attract the traffic to an IDS/firewall or centralised
server for inspection/action/logging. I know of some customers that do
this for anomaly detection, and then they can take action against actual
security breaches or misconfigured equipment.

From a routing perspective, if it is a stub router then perhaps just giving
it a default route is fine, since there is only one way out of the site
(smaller, more stable routing table; think of a default route as a super
aggregate), with more specific routing occurring within the backbone.
However, if you have a low bandwidth WAN link you may want to drop traffic
destined to unknown destinations locally rather than send it up out the WAN
and waste precious WAN bandwidth (there is nothing to stop you having egress
ACLs on your WAN to restrict traffic, so combine the default route with
something like this and it could be a practical solution).

On Thu, Apr 5, 2012 at 1:23 AM, JM NGOK <[email protected]> wrote:

> Bob,
>
> Thanks. I think this is OK for filtering purposes. But my concern is about
> the default route, which includes everything.
>
> But from a security perspective, is it accurate to inject the default route?
>
>
>      Jean-Marie NGOK
>  Senior Network Engineer
>
>
>
> ________________________________
>  From: Bob McCouch <[email protected]>
> To: JM NGOK <[email protected]>
> Cc: Wilson Tuma <[email protected]>; "[email protected]" <
> [email protected]>
> Sent: Wednesday, April 4, 2012 10:41 AM
> Subject: Re: [OSL | CCIE_RS] Prefix-list doubt
>
>
> JM,
>
> I believe you're thinking of the 0.0.0.0/0 entry in the context of an
> access-list in which anything more specific than the entry will match. A
> prefix-list will *not* match a more specific entry unless the "ge" and/or
> "le" operators are used.
>
> Go ahead and lab it up. I just did. R1 and R2 are doing EIGRP over
> Ethernet. R1 has a number of prefixes it is injecting, including 0.0.0.0/0.
> Here is what I did on R2:
>
> R2(config)#do sh ip ro eigrp | i D
> D    1.0.0.0/8 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
> D       2.2.0.0 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
> D       3.3.32.0 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
> D       4.4.4.0 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
> D       5.5.5.5 [90/409600] via 10.1.12.1, 00:02:31, FastEthernet0/0
> D*   0.0.0.0/0 [90/281600] via 10.1.12.1, 00:01:59, FastEthernet0/0
>
> !--- This matches the example prefix-list, even though the second line is
> redundant with the implicit deny.
> R2(config)#ip prefix-list TEST permit 0.0.0.0/0
> R2(config)#ip prefix-list TEST deny 0.0.0.0/0 le 32
>
> R2(config)#router eigrp 1
> R2(config-router)#distribute-list prefix TEST in
> *Mar  1 00:17:03.375: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor
> 10.1.12.1 (FastEthernet0/0) is resync: route configuration changed
>
> R2(config-router)#do sh ip ro eigrp | i D
> D*   0.0.0.0/0 [90/281600] via 10.1.12.1, 00:03:11, FastEthernet0/0
> R2(config-router)#
>
> As you can see, that prefix list allows only the *exact* prefix 0.0.0.0/0,
> the default route. Other prefixes were not allowed, because none of them
> matched *exactly* 0.0.0.0 with a prefix length of 0.
>
> Hope this helps.
>
> When it doubt, lab it.
>
> Best,
> Bob
>
>
> On Wed, Apr 4, 2012 at 9:49 AM, JM NGOK <[email protected]> wrote:
>
> > That's my concern. I think this prefix-list is useless since it allows
> > the default route (which includes any route).
> >
> >Marko,
> >
> >Do you think this prefix-list is accurate for filtering ?
> >
> >
> >Thanks
> >
> >     Jean-Marie NGOK
> > Senior Network Engineer
> >
> >
> >
> >
> >________________________________
> > From: Wilson Tuma <[email protected]>
> >To: JM NGOK <[email protected]>; "[email protected]" <
> [email protected]>
> >Sent: Wednesday, April 4, 2012 1:22 AM
> >Subject: Re: [OSL | CCIE_RS]  Prefix-list doubt
> >
> >
> >
> >Hi all,
> >
> >Prefix lists have always been tricky for me. But from my understanding:
> >
> >ip prefix-list ROUTES seq 10 permit 0.0.0.0/0 : will permit only a
> >default route.
> >
> >ip prefix-list ROUTES seq 999 deny 0.0.0.0/0 le 32 : will deny anything.
> >
> >Combined, it would mean permit the default route and deny anything else,
> >which is as good as permitting only the default route, since everything
> >else is denied by the implied deny all at the end of the prefix-list.
> >
> >So the final thing should be:
> >
> >ip prefix-list ROUTES seq 10 permit 0.0.0.0/0
> >
> >
> >HTH
> >
> >
> >Thanks.
> >
> >Wilson F. Tuma
> >====================================
> >CCNP, CCNA, MCSE,  MCSA
> >
> >Box  1784 Douala
> >Cell  : +237 77 753 753
> >Email : [email protected]
> >====================================
> >
> >
> >________________________________
> > From: JM NGOK <[email protected]>
> >To: "[email protected]" <[email protected]>
> >Sent: Tuesday, April 3, 2012 8:09 PM
> >Subject: [OSL | CCIE_RS]  Prefix-list doubt
> >
> >Hi all,
> >
> >Please excuse my foolishness but I want to understand which subnets are
> allowed under this prefix-list:
> >
> >
> >ip prefix-list ROUTES description INBOUND-ROUTES
> >ip prefix-list ROUTES seq 10 permit 0.0.0.0/0
> >ip prefix-list ROUTES seq 999 deny 0.0.0.0/0 le 32
> >
> >Again excuse me if this is not a CCIE level question. I just have some
> doubts.
> >
> >Thanks
> >
> >     Jean-Marie NGOK
> > Senior Network Engineer
> >        347 - 559 - 1172
> >_______________________________________________
> >For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
> >
> >Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
> >
> >http://onlinestudylist.com/mailman/listinfo/ccie_rs
> >
>
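The matching rule Bob demonstrates in the lab above (an entry without ge/le matches only the exact prefix and length, while le/ge widen the accepted length range) as an added Python example; this is not code from the thread. The parser covers only the seq/permit/deny/ge/le form used here, and the LAB_ROUTES list is constructed, with masks assumed for the classful entries in the lab output.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PrefixListEntry:
    seq: int
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None        # minimum prefix length, when given
    le: Optional[int] = None        # maximum prefix length, when given

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        m = self.network.prefixlen
        # Address part: the route's first m bits must equal the entry's network.
        mask = (0xFFFFFFFF << (32 - m)) & 0xFFFFFFFF
        if int(route.network_address) & mask != int(self.network.network_address):
            return False
        # Length part: exact length unless ge/le widen the accepted range.
        if self.ge is None and self.le is None:
            return route.prefixlen == m
        lo = self.ge if self.ge is not None else m
        hi = self.le if self.le is not None else 32
        return lo <= route.prefixlen <= hi

# Accepts 'ip prefix-list NAME seq N permit|deny A/m [ge G] [le L]' lines only.
ENTRY_RE = re.compile(r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse_entry(line: str) -> PrefixListEntry:
    mo = ENTRY_RE.match(line.strip())
    if not mo:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    _, seq, action, net, ge, le = mo.groups()
    return PrefixListEntry(int(seq), action, ipaddress.ip_network(net, strict=False),
                           int(ge) if ge else None, int(le) if le else None)

def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """Lowest-sequence matching entry wins; no match falls to the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(r):
            return e.action
    return "deny"

# The list from the thread (its 'description' line carries no match logic).
ROUTES = [parse_entry(l) for l in (
    "ip prefix-list ROUTES seq 10 permit 0.0.0.0/0",
    "ip prefix-list ROUTES seq 999 deny 0.0.0.0/0 le 32")]
# Constructed sample routes modelled on the lab output (masks assumed).
LAB_ROUTES = ["0.0.0.0/0", "1.0.0.0/8", "2.2.0.0/16", "3.3.32.0/24", "5.5.5.5/32"]
```

Running `evaluate(ROUTES, r)` over LAB_ROUTES permits only "0.0.0.0/0", matching the lab; swapping the first entry for `permit 0.0.0.0/0 le 32` would permit every route instead.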
