Access-lists vs null routes for BOGONs

I've implemented BOGON filtering in access-lists for years alongside my other ingress/egress filtering. I've been considering lately moving my BOGON filtering to null routes to save resources. I believe that it costs less in terms of resources to make a routing decision on a packet than it would to match it against an ACL. This simply means that it would take less resources to route a BOGON packet to Null0 and discard it than it would to match it via an ACL (with or without logging) applied with access-group. Would everyone agree?

This of course is the general premise behind blackhole routing. I haven't yet created a blackhole router for the network I have in mind, though it is on my to-do list as hardware becomes available. From an informational and accounting perspective I'd like to log most of the packets hitting my ingress/egress filters. I'm running short on ideas for logging these packets that don't involve a "deny any any log" ACL, which would of course waste resources responding with a TCP RST or ICMP Unreachable. I just want to log the packet and silently discard it.

Does anyone have any suggestions on an implementation that would save resources and still allow me to log these packets? This is complicated even further by the thought of implementing uRPF. I'm researching options in that arena right now as well.

Thanks J


I recently implemented BOGON filtering using blackhole routing and like you my main motivation for doing so was to conserve resources. Blackhole routing also has the added benefit of making the job of a spoofer/scanner a little more difficult and if I can contribute in any way to their suffering I'll happily oblige. :-)

You can log blackhole traffic using NetFlow in conjunction with CEF. NetFlow keeps track of traffic flows in the router and can be exported to a NetFlow server for historical and forensic analysis. There's definitely some overhead when you export your flow information but it's small compared to ACL logging and much more useful IMO. This is the kind of information that's logged:

(Note the lines that list Null as the Destination Interface as this is traffic that's been blackholed. I love the fact that you can see how many packets were in the flow.)

SrcIf  SrcIPaddress   DstIf    DstIPaddress   Pr SrcP DstP Pkts
Et0/0  192.168.67.6   Et1/0.1  172.16.10.200  01 0000 0C01 51
Et0/0  10.10.18.1     Null     172.16.11.5    11 0043 0043 51
Et0/0  10.10.18.1     Null     172.16.11.5    11 0045 0045 51
Et0/0  10.234.53.1    Et1/0.1  172.16.10.2    01 0000 0800 51
Et0/0  10.10.19.1     Null     172.16.11.6    11 0044 0044 51
Et0/0  10.10.19.1     Null     172.16.11.6    11 00A2 00A2 51

Here's the Cisco documentation on configuring NetFlow: [link]
Hope this helps. Feel free to gmail privately to discuss further if you like.

Regards, Cody Rowland Network Engineer
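As an added example, not configuration posted by J or Cody, here is a Cisco IOS fragment that puts the two approaches from this thread side by side on a hypothetical edge router. The first part is the ACL style of ingress bogon filtering that J describes; the second replaces it with static routes to Null0, turns off ICMP unreachables on Null0 so the discard is silent, adds loose-mode uRPF so that packets sourced from a null-routed prefix are dropped as well (a Null0 route by itself only catches packets destined to the prefix, because the forwarding lookup is on the destination address), and enables NetFlow export so discarded flows show up with Null as the destination interface, as in Cody's output. The interface names, the collector address 10.1.1.10 and the short bogon list are placeholders chosen for the example; a real deployment needs the full, current bogon list. One caveat the thread does not state: a Null0 route lives in the global routing table, so unlike an ACL bound to one interface it also affects traffic that legitimately uses that prefix inside your network unless a more specific route wins, which is why RFC 1918 space (clearly in use in Cody's sample) is left out of the Null0 list here.

```cisco
! Added example for a hypothetical IOS edge router (not from either poster).
! Interface names, addresses and the bogon list below are placeholders.
!
! ---- 1. ACL approach being replaced -----------------------------------
! Every ingress packet is matched top-down against the list; each logged
! deny costs a punt to the logging process. Without "no ip unreachables"
! the router also answers each deny with an ICMP administratively-
! prohibited message, which is the reply traffic J wants to avoid.
ip access-list extended INGRESS-FILTER
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any any
!
interface FastEthernet0/0
 description Upstream link (ACL version)
 ip access-group INGRESS-FILTER in
 no ip unreachables
!
! ---- 2. Null-route approach -------------------------------------------
! CEF is required for uRPF and for NetFlow to record the Null0 decision.
ip cef
!
! Destination-based discard: any packet routed TO these prefixes hits
! Null0 via the normal forwarding lookup, with no ACL involved.
! Sample list only. RFC 1918 space is deliberately absent because it is
! used internally; a Null0 route is global, not per-interface, so it
! would also blackhole that traffic unless a more specific route exists.
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 198.51.100.0 255.255.255.0 Null0
ip route 203.0.113.0 255.255.255.0 Null0
!
! Silent discard: stop Null0 from generating an ICMP unreachable for
! every packet it drops.
interface Null0
 no ip unreachables
!
! Source-based discard: loose-mode uRPF rejects a packet whose source
! address has no route or resolves to Null0, so the same static routes
! now also drop spoofed packets FROM bogon space arriving here.
interface FastEthernet0/0
 description Upstream link (null-route version)
 no ip access-group INGRESS-FILTER in
 ip verify unicast source reachable-via any
 ip route-cache flow
!
! NetFlow export: flow records (not per-packet syslog) go to a collector.
! Flows discarded by a Null0 route are exported with Null as DstIf.
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.1.1.10 2055
!
! Verification (exec mode):
!   show ip cache flow                       -> look for DstIf "Null" entries
!   show ip interface FastEthernet0/0 | include verification drops
!   show ip traffic                          -> unicast RPF drop counter
```

Note that uRPF drops are counted on the interface and in the IP traffic statistics rather than appearing as Null-destination flows, so the two counters together, not the flow cache alone, give the full picture of what was discarded.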

