Re: Packets from net 10 (no, not the lyrics)
At 06:16 AM 9/23/97 -0700, you wrote:
> ! Loopback
> access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> ! RFC 1918 private blocks
> access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
> access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> ! Test Network
> access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
> ! Tiny networks.
> access-list 100 deny ip any 255.255.255.128 0.0.0.127
> access-list 100 permit ip any any
I think you'll find that your router's CPU will be happier if you just dump the 1918 networks to the bit bucket on your border routers with a static route via interface Null0:

    ip route 10.0.0.0 255.0.0.0 null0
    ip route 127.0.0.0 255.0.0.0 null0
    etc.

Considering resource utilization on the router, it is cheaper to do a routing table look-up than it is to do ACLs. Also, when you're doing outbound filtering on the router, you have to do a routing table lookup first before you can do outbound filtering. Save a step and just do the routing table lookup.

Randy
> Date: Tue, 23 Sep 1997 10:45:19 -0400
> From: "Randall S. Benn" <rbenn@clark.net>
>
> I think you'll find that your router's CPU will be happier if you just dump the 1918 networks to the bit bucket on your border routers with a static route via interface Null0:
>
>     ip route 10.0.0.0 255.0.0.0 null0
>     ip route 127.0.0.0 255.0.0.0 null0
>     etc.
>
> Considering resource utilization on the router, it is cheaper to do a routing table look-up than it is to do ACLs. Also, when you're doing outbound filtering on the router, you have to do a routing table lookup first before you can do outbound filtering. Save a step and just do the routing table lookup.
I don't think so. The static routes will require processing every packet destined for the 10.0.0.0/8 and 127.0.0.0/8 nets, but you will still have the bad route. The CPU will have to deal with any traffic for 10.0.0.0/8, and any interior routers will forward packets since you have a route. On the other hand, a filter on the BGP session will block the route from being accepted and only require CPU action once...when it is announced. You have no route to these nets and can't propagate the routes since you don't have them.

Andrew clearly has the correct approach.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
> I think you'll find that your router's CPU will be happier if you just dump the 1918 networks to the bit bucket on your border routers with a static route via interface Null0:
Access-lists like this can also be used for filtering incoming BGP updates. Bill et al. are referring to this rather than to inbound packet filtering. The rest of the configuration goes something along the lines of:

    router bgp xxxx
     neighbor x.y.z.w distribute-list 100 in

If you're using default-free routing, this will prevent the prefixes from appearing in your routing table, and the networks will be unreachable. The routing entries will also not be propagated any further than necessary.

Nick
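How the access-list from the top of the thread behaves once it is applied as a BGP distribute-list, as an added example that is not part of any message in the thread. When IOS applies an extended access-list to routing updates, the first address/wildcard pair is matched against the prefix's network address and the second pair against its netmask; that is what lets the "Tiny networks" entry (`any 255.255.255.128 0.0.0.127`) catch every prefix of /25 or longer regardless of where it lives. The script below implements that matching in Python, parses the thread's list verbatim (the `!` lines are comments), and runs a constructed set of sample prefixes through it. The function names and the sample prefixes are mine, not from the thread.

```python
import ipaddress

# The access-list posted in the thread, used here unchanged as sample input.
THREAD_ACL = """
! Loopback
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! RFC 1918 private blocks
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
! Test Network
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
! Tiny networks.
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any
"""


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(fields, i):
    """Consume one address spec at fields[i]: 'any', 'host X', or 'X WILDCARD'.
    Returns (base, wildcard, index of the next unconsumed field)."""
    tok = fields[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return _addr(fields[i + 1]), 0, i + 2
    return _addr(tok), _addr(fields[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC [WC] DST [WC]' lines.
    Lines starting with '!' are IOS comments and are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError("unsupported ACL line: " + line)
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action in: " + line)
        fields = parts[4:]
        src, src_wc, i = _take_addr(fields, 0)
        dst, dst_wc, i = _take_addr(fields, i)
        if i != len(fields):
            raise ValueError("trailing tokens in: " + line)
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries


def wildcard_match(value, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (base & care)


def distribute_list_action(entries, prefix):
    """Apply the list as a distribute-list: the 'source' pair is matched
    against the network address, the 'destination' pair against the netmask.
    The first matching entry wins; an IOS access-list ends in an implicit deny."""
    net = ipaddress.ip_network(prefix, strict=True)
    network = int(net.network_address)
    mask = int(net.netmask)
    for action, src, src_wc, dst, dst_wc in entries:
        if wildcard_match(network, src, src_wc) and wildcard_match(mask, dst, dst_wc):
            return action
    return "deny"


def filter_updates(acl_text, prefixes):
    """Return {prefix: 'permit'|'deny'} for each announced prefix."""
    entries = parse_acl(acl_text)
    return {p: distribute_list_action(entries, p) for p in prefixes}


if __name__ == "__main__":
    # Constructed sample announcements, not real routing data.
    sample = ["10.1.0.0/16", "10.0.0.0/7", "172.20.0.0/16", "172.32.0.0/12",
              "192.168.5.0/24", "192.0.2.0/24", "198.51.100.128/25",
              "198.51.100.0/24", "127.0.0.1/32", "0.0.0.0/0"]
    for prefix, verdict in filter_updates(THREAD_ACL, sample).items():
        print(f"{prefix:20} {verdict}")
```

Running it shows the list doing what Nick describes for the private and test blocks and for anything /25 or longer, and one thing worth knowing before copying it: because every RFC 1918 entry requires a mask of the listed length or longer, a supernet such as 10.0.0.0/7 is not matched by the 10.0.0.0/8 line and falls through to `permit ip any any`.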
participants (3)
- Kevin Oberman
- Nick Hilliard
- Randall S. Benn