I've implemented BOGON filtering in access-lists for years alongside my other ingress/egress filtering. I've been considering lately moving my BOGON filtering to null routes to save resources. I believe that it costs less in terms of resources to make a routing decision on a packet than it would to match it against an ACL. This simply means that it would take less resources to route a BOGON packet to Null0 and discard it than it would to match it via an ACL (with or without logging) applied with access-group. Would everyone agree?
This of course is the general premise behind blackhole routing. I haven't yet created a blackhole router for the network I have in mind, though it is on my to-do list as hardware becomes available. From an informational and accounting perspective I'd like to log most of the packets hitting my ingress/egress filters. I'm running short on ideas for logging these packets that don't involve a "deny any any log" ACL which would of course waste resources responding with a TCP RST or ICMP Unreachable. I just want to log the packet and silently discard it.
Does anyone have any suggestions on an implementation that would save resources and still allow me to log these packets? This is complicated even further by the thought of implementing uRPF. I'm researching options in that arena right now as well.
Thanks J
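As an added illustration of the two approaches the post weighs (not the poster's own configuration), here is a Cisco IOS fragment that puts the RFC 1918 prefixes, a constructed subset of a full bogon list, into Null0 routes beside the equivalent logging ACL; `no ip unreachables` on Null0 is what stops the router from answering each discarded packet with an ICMP unreachable, and the uRPF line is the strict-mode check the post mentions. The interface name and the prefix set are assumptions.

```cisco
! Added example: bogon discard via null routes (constructed RFC 1918 subset;
! a real bogon list is longer and changes over time)
ip route 10.0.0.0     255.0.0.0     Null0
ip route 172.16.0.0   255.240.0.0   Null0
ip route 192.168.0.0  255.255.0.0   Null0
!
! Packets routed to Null0 are dropped in the forwarding path. Without this
! line the router generates an ICMP unreachable for each one, which is
! exactly the response cost the post wants to avoid.
interface Null0
 no ip unreachables
!
! The ACL approach, for comparison: a per-packet ACL lookup plus one
! syslog message per logged packet (rate-limited by the platform).
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
!
! Strict uRPF on the upstream interface (assumed name). A packet whose
! source address is best-routed to Null0 has no return path out this
! interface, so the uRPF check fails and the packet is dropped; the
! null routes and uRPF therefore reinforce each other. On multihomed
! links use "ip verify unicast source reachable-via any" (loose mode).
interface GigabitEthernet0/0
 description Upstream (assumed)
 ip verify unicast source reachable-via rx
 ! ip access-group EDGE-IN in   <- apply only if keeping the ACL approach
```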