
Friday, January 3, 2014

How can Null 0 interfaces be used to remove unwanted traffic?


We are developing a course concentrating on ACLs and how routers handle traffic. The discussion topic is how Null 0 interfaces can be used to remove unwanted traffic. Read the attached document from Cisco: it states that Null 0 interfaces can be used to remove unwanted traffic without the overhead of ACLs. My question is, how does it do that? What's the process? Below is how I believe the process works.

1. Traffic comes into the device.
2. The device first identifies which interface to send the data to.
3. The data is sent to the Null interface and immediately dropped.

The Null 0 interface is primarily used when a router advertises a summary address. The idea is that this router has all the more specific routes, so if a packet is received for which the router has no matching route, rather than forwarding the packet on and potentially creating a routing loop, the packet is dropped, i.e. routed to Null0, which is the same thing.

Have never used Null 0 interfaces instead of ACLs though. You could do it, but it would be limited as to how you could use it. For example, with an extended ACL you could deny traffic based not only on destination IP but also on source IP as well as ports, e.g.

access-list 101 deny ip 10.5.1.0 0.0.0.255 host 172.16.5.1
access-list 101 permit ip any host 172.16.5.1

The above would obviously drop any packets from any 10.5.1.x address to 172.16.5.1 and then allow all other IPs to access host 172.16.5.1. You couldn't do this with just a route entry pointing to a Null0 interface because you cannot specify the source IPs of the packets, i.e. you are only filtering based on the destination IP.

In terms of the process used, it is pretty much what you describe, i.e.:

1) a packet arrives at the router with a destination IP of 192.168.5.1

2) the router looks up the route in its routing table to find the best match for that destination

3) if the route it chooses as the best match has a next hop of Null0, the packet is simply dropped

The router will probably be using CEF, so it would actually look in that table, but the same principle applies. It is also important to remember that the router will always choose the longest match, so you need to make sure that the packets match the right route so that they get dropped, i.e. if you had these in your routing table:

192.168.5.0 255.255.255.0 null0
192.168.5.0 255.255.255.128 172.16.5.1

a packet with a src IP of 192.168.5.1 would actually match the second route entry and would be forwarded to 172.16.5.1.

To add to the above passage: as far as being able to filter based on source address and/or port numbers, there is the possibility of using Policy Based Routing with an access list to evaluate the source address and/or port number and then setting the interface to Null 0.

As for what makes Null 0 able to do it with less overhead than an ACL, consider these points:
- removing traffic with an ACL involves configuring the ACL and applying it to one or more interfaces with access-group. Then every packet coming through the interface is impacted, since it must be evaluated by the ACL.
- if you remove traffic with a route to Null 0, it only impacts that particular traffic. There is no effect on any other traffic coming through an interface.
- you must always make a routing decision for a packet, so the Null 0 option has no extra overhead. Dropping a packet with an ACL is always some degree of extra overhead.
- dropping a packet with Null 0 is a normal routing decision and is NOT an error condition. Dropping a packet with an ACL invokes several steps other than just the action of dropping the packet (such as incrementing ACL counters and generating the ICMP "administratively prohibited" error).
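As an added illustration (not part of the original discussion and not Cisco code) of the longest-match lookup in the routing-table example above and of why a Null 0 route cannot see the source address the way access-list 101 can, the following Python simulates both decisions; the routing table, the extra 172.16.5.0/24 route and the ACL encoding are constructed for this example.

```python
import ipaddress

# Constructed routing table (not taken from any real device). A next hop of
# "Null0" discards matching packets. The two 192.168.5.0 entries reproduce the
# overlapping routes from the post; 172.16.5.0/24 is added so the ACL comparison
# below has a reachable destination.
ROUTES = [
    ("192.168.5.0/24", "Null0"),
    ("192.168.5.0/25", "172.16.5.1"),
    ("172.16.5.0/24", "172.16.5.254"),
]

# Constructed equivalent of access-list 101 from the post: (action, source, destination).
ACL_101 = [
    ("deny",   "10.5.1.0/24", "172.16.5.1/32"),
    ("permit", "0.0.0.0/0",   "172.16.5.1/32"),
]

def longest_match(dst, routes=ROUTES):
    """Most specific route containing dst as (network, next_hop), or None.
    Only the destination address is consulted, never the source or ports."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def forward(dst, routes=ROUTES):
    """Forwarding decision: 'forward:<next hop>', 'drop:null0' or 'drop:no-route'."""
    match = longest_match(dst, routes)
    if match is None:
        return "drop:no-route"
    _, next_hop = match
    return "drop:null0" if next_hop == "Null0" else f"forward:{next_hop}"

def acl_action(src, dst, acl=ACL_101):
    """First-match ACL evaluation on source and destination, with the implicit
    deny that ends every Cisco ACL. Every packet pays for this walk."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

if __name__ == "__main__":
    print(forward("192.168.5.1"))    # forward:172.16.5.1 (the /25 wins over the /24 to Null0)
    print(forward("192.168.5.200"))  # drop:null0 (only the /24 covers it)
    print(forward("172.16.5.1"), acl_action("10.5.1.7", "172.16.5.1"))  # forward:172.16.5.254 deny
```

To drop 192.168.5.1 with a Null 0 route in this table you would need a route at least as specific as the /25, e.g. a /32 to Null0, which the test below checks.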

Please click here for the article that discusses using Null 0 routes as a way to remove traffic. Another article can be found here.

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include any online discussion boards, forums, websites and others.
