![]() However, when I discussed how to filter bogon routes in Chapter 7, these ACL commands added quite a bit of length to the ACL. Any traffic destined to the destination network in the static route command is routed to null0 (that is, it is dropped).Īs I mentioned in Chapter 6, "Access List Introduction," and Chapter 7, "Basic Access Lists," you should make your ACLs as short and simple as possible. Notice that the only unique thing about this command is that the destination interface is null0, the black hole. Router(config)# ip route destination_network_# null0 Setting up a black hole route is easy because it uses the static route configuration: Unlike with ACLs, all switching processes of the Cisco IOS, including CEF, can handle black hole routes without any performance degradation. Any traffic that has a destination address that has a best match of the black hole static route automatically is dropped. Static routes are created for destinations that are not desirable, and the static route configuration points to the null interface. In Cisco terminology, a special logical interface, called a null interface, is used to create the black hole. A black hole route is used to forward unwanted or undesirable traffic into a black hole. One problem of packet filtering is performance because the router must examine packet headers to make a filtering decision, thus adding some overhead to the processing of the packets.Ī complementary solution to both routing and filtering is to use black hole routes. ACLs enable you to filter packets based on the information contained in their headers. One of the concepts that you should be familiar with by now is traffic filtering with ACLs. However, you can complement a dynamic routing protocol with static routes to provide optimal protection. In this situation, you might have to run a dynamic routing protocol, such as OSPF. ![]() Null RoutesĮven though static routes are very secure, they present a scalability problem: The more networks that you have, and the more redundant paths that you have to these networks, the more difficult it becomes to manage routing on your router. If you want to set up a default route, specify 0.0.0.0 0.0.0.0 for the destination network number and the subnet mask. You already should be familiar with these two Cisco router commands. Router(config)# ip route destination_network_# When using static routes, one of the two following commands is used: Specific internal routes are used to reach internal resources. With static routes, the following is true:Ī default route is used on the perimeter router to reach external resources. Only one or two paths exist to each destination. You have a small number of destinations to configure. Static routes typically are used in these circumstances: ![]() These are secure from route spoofing attacks because your router does not rely on routing information being sent and received from other routers: You configure all of the routing information locally on your perimeter router. One of the safest routing solutions for your router is to use static routes to provide for Layer 3 connectivity. Question: How to filter out the default route from outgoing BGP advertisements? Assuming you have a static default route that is redistributed because redistribute-static parameter is set to yes, do the following: /routing filter add chain=myfilter prefix=0.0.0.This section covers the use of static routes to provide Layer 3 connectivity, as well as a solution called black hole routing, which is an alternative solution to ACLs when you want to drop unwanted traffic. To create a routing filter that automatically blackholes all prefixes in 10.0.0.0/8 in the BGP feed, issue the following command: /routing filter add prefix=10.0.0.0/8 prefix-length=8-32 set-type=blackhole chain=myfilter Routing filters are the other mean to blackhole a network. First, you can do this manually by adding a blackhole route to the routing table, for example, to blackhole a 10.0.0.0/8 network, issue the following command: /ip route add dst-address=10.0.0.0/8 type=blackhole Question: How to blackhole a network? There are two ways to blackhole a network. if two successive pings fail, the gateway is considered dead. Question: How does /ip route check-gateway work? check-gateway sends pings every 10 seconds.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |