RE: ACL VS Null Route [7:74267]
P B has a good explanation. However, black hole routing is usually done on the fly when you have a DoS attack and can't really change ACL on X routers in your network. Routing an unwanted network into Null is the quick and temporary way. However, in the long run it is good practice to use ACL to block unwanted networks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74383t=74267
--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
RE: ACL VS Null Route [7:74267]
In a straight comparison, doing the NULL route is handled more efficiently on the router as it's just standard L3 forwarding. If you do an ACL instead, the router has to do additional processing on the packet. If you're running something like a GSR or 7609 and the right LC where ACLs are handled in ASICs, then it probably doesn't matter which approach you use.

I don't see configuration complexity being sufficiently more complicated in either case, so that's a push.

Depending on your network requirements and topology, ACLs might be better as you can check src and dst. The null routes will only catch the traffic based on dst.

With Null routing, you can confirm the routing is operating via a show ip route and a few simple pings. Doing the same sort of verification when using ACLs to block might be more difficult (depending on where you put the ACLs).

Irwan Hadi wrote:
> I'm curious which one is better to use and why in case I want to filter
> some IP addresses that I don't want them to talk with my network, by
> using ACL or by null routing them?
> Say that I have around 50 to 100 IP addresses.
> Remember that I just want to filter the IP addresses, so I don't care
> about extended access-list.
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74282t=74267
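The point made in the message above, that a null route matches only on destination while an ACL can match on source, modelled in Python as an added example that is not part of the original thread. The addresses, route names and function names are constructed for illustration and do not come from the posters.

```python
import ipaddress

# Constructed sample data: one unwanted host and one protected inside network.
BLOCKED = [ipaddress.ip_network("198.51.100.7/32")]
INSIDE = ipaddress.ip_network("192.0.2.0/24")

# Routing table as (prefix, next hop); "Null0" means discard.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "upstream"), (INSIDE, "lan")]
ROUTES += [(net, "Null0") for net in BLOCKED]

def route_lookup(dst):
    """Longest-prefix match on the destination address only."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def standard_acl_permits(src):
    """Standard ACL model: deny the listed sources, then permit any."""
    src = ipaddress.ip_address(src)
    return not any(src in net for net in BLOCKED)

def forward(src, dst, inbound_acl=False):
    """Fate of one packet: 'acl-drop', 'null-drop' or the next hop."""
    if inbound_acl and not standard_acl_permits(src):
        return "acl-drop"          # dropped on ingress, before routing
    hop = route_lookup(dst)        # the source plays no part here
    return "null-drop" if hop == "Null0" else hop

def compare(bad="198.51.100.7", host="192.0.2.10"):
    """Same traffic under each approach, in both directions."""
    return {
        "null route: bad -> host": forward(bad, host),
        "null route: host -> bad": forward(host, bad),
        "acl:        bad -> host": forward(bad, host, inbound_acl=True),
    }

if __name__ == "__main__":
    for flow, fate in compare().items():
        print(f"{flow}: {fate}")
```

With only the null route in place, packets from the unwanted host still reach the inside network and only the replies are discarded; the source-matching ACL drops them on the way in.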
RE: ACL VS Null Route [7:74267]
Are they in the same address block or are they in separate blocks?

Best regards,

Dom Stocqueler
SysDom Technologies
Visit our website - www.sysdom.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: 22 August 2003 23:29
To: [EMAIL PROTECTED]
Subject: ACL VS Null Route [7:74267]

I'm curious which one is better to use and why in case I want to filter some IP addresses that I don't want them to talk with my network, by using ACL or by null routing them?
Say that I have around 50 to 100 IP addresses.
Remember that I just want to filter the IP addresses, so I don't care about extended access-list.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74268t=74267
RE: ACL VS Null Route [7:74267]
I believe that it is best practice to block them via an ACL inbound before they enter the router. If you route them to a Null interface the router has to further process them.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74273t=74267
Re: ACL VS Null Route [7:74267]
On Fri, Aug 22, 2003 at 11:48:59PM +, Dom wrote:
> Are they in the same address block or are they in separate blocks?

separate blocks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74271t=74267