On Wed, Mar 5, 2008 at 8:32 AM, Whisper <[EMAIL PROTECTED]> wrote:
> Which is the preferred method for blocking bogons on the Internet & why?
>

It depends what you wanna do.

> ip route 10.0.0.0 255.0.0.0 Null0
> ip route 127.0.0.0 255.0.0.0 Null0
> ip route 169.254.0.0 255.255.0.0 Null0
> ip route 172.16.0.0 255.240.0.0 Null0
> ip route 192.168.0.0 255.255.0.0 Null0
>

If you route a prefix to Null, you will filter traffic *destined* to that prefix.

> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip 169.254.0.0 0.0.255.255 any
> access-list 101 deny ip 172.16.0.0 0.15.255.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
>

As the ACL is written here (and applied in the ingress direction), traffic *sourced* from the prefixes will be filtered. When turning it the other way around ("deny ip any 10.0.0.0 0.255.255.255") it can also be used for filtering *destination* traffic.

ACLs are in a sense much more flexible than Null routing, because of the possibilities to filter on both source and destination, as well as in ingress or egress.

> Is the preferred solution sometimes hardware specific?

Normally the CEF performance is higher than the ACL performance on most hardware. That means a CEF-based approach (Null routing) is faster than an ACL-based one. On devices where ACLs are done in hardware, I would assume comparable performance.

-- 
Pelle
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
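The distinction Pelle draws (a Null0 route matches only on the destination, an ingress ACL as written matches on the source) is easy to get wrong when auditing a border config. The following Python model, added here as an editorial example and not part of the thread, renders both forms of IOS config from the five prefixes quoted above and then evaluates constructed sample packets against each. The `acl_permits` evaluator, the trailing `permit ip any any` line, and the sample addresses (taken from the RFC 5737 documentation ranges) are assumptions of this example; the wildcard-mask conversion relies on the standard `ipaddress` module's `hostmask` property.

```python
"""Model Null0 routing versus ingress ACL filtering for bogon prefixes.

Added example; not code from the original cisco-nsp post. The prefix list
is the one quoted in the thread; everything else is constructed here.
"""
from ipaddress import IPv4Address, IPv4Network

# The five prefixes quoted in the thread.
BOGON_PREFIXES = [
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
]
BOGONS = [IPv4Network(p) for p in BOGON_PREFIXES]


def null_route_config(prefixes):
    """Render 'ip route <network> <netmask> Null0' lines (IOS syntax)."""
    nets = [IPv4Network(p) for p in prefixes]
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]


def acl_config(prefixes, acl=101, match="source"):
    """Render extended-ACL deny lines. IOS wildcard masks are the inverted
    netmask, which ipaddress exposes as .hostmask (0.255.255.255 for /8)."""
    lines = []
    for n in (IPv4Network(p) for p in prefixes):
        net, wild = n.network_address, n.hostmask
        if match == "source":
            lines.append(f"access-list {acl} deny ip {net} {wild} any")
        else:
            lines.append(f"access-list {acl} deny ip any {net} {wild}")
    # Assumed trailing permit (not in the thread): IOS ACLs end with an
    # implicit deny, so without it all remaining traffic would be dropped.
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def null_route_forwards(src, dst, bogons=BOGONS):
    """A Null0 route is a FIB lookup on the destination only; the source
    address never takes part in the decision, so spoofed sources pass."""
    return not any(IPv4Address(dst) in n for n in bogons)


def _take_match(tokens):
    """Parse 'any' or '<addr> <wildcard>' from the front of the token list."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    # Invert the contiguous wildcard to get a netmask; a wildcard of 0.0.0.0
    # therefore becomes a /32 host match, as it does on IOS.
    netmask = IPv4Address(int(IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return IPv4Network((tokens[0], str(netmask)), strict=False), tokens[2:]


def acl_permits(src, dst, acl_lines):
    """First-match evaluation of 'access-list N deny|permit ip S SW D DW'
    lines as produced by acl_config(); implicit deny if nothing matches."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for line in acl_lines:
        parts = line.split()
        action, rest = parts[2], parts[4:]
        src_net, rest = _take_match(rest)
        dst_net, rest = _take_match(rest)
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def compare(src, dst, acl_lines):
    """Return both verdicts for one packet so the difference is visible."""
    return {
        "null_route": "forward" if null_route_forwards(src, dst) else "drop",
        "ingress_acl": "permit" if acl_permits(src, dst, acl_lines) else "deny",
    }


if __name__ == "__main__":
    acl = acl_config(BOGON_PREFIXES)
    print("\n".join(null_route_config(BOGON_PREFIXES)))
    print("\n".join(acl))
    # Constructed sample packets using RFC 5737 documentation addresses.
    for src, dst in [("192.0.2.1", "10.1.2.3"),      # destined to bogon space
                     ("10.1.2.3", "192.0.2.1"),      # spoofed bogon source
                     ("198.51.100.5", "203.0.113.9")]:  # ordinary traffic
        print(src, "->", dst, compare(src, dst, acl))
```

Running it shows the asymmetry in one table: the packet destined to 10.1.2.3 is dropped by the null route but permitted by the source-matching ACL, while the packet with a spoofed 10.1.2.3 source is forwarded by the null route and denied by the ACL. Passing `match="destination"` to `acl_config` produces the "deny ip any <net> <wildcard>" form from the post, which then agrees with the null route on destination traffic.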