BOGON Filtering 1

Status
Not open for further replies.

pmoorey

Technical User
Joined
Mar 19, 2007
Messages
144
Location
GB
Hi All,

I am currently viewing the configuration of my two ISP connections.

I am trying to find the Cisco best practice for filtering bogons.

We are currently filtering them using an in-bound access-list applied to the ISP facing interfaces.

Would I be correct in saying that it would be more efficient not to utilise access-lists and instead route the networks to Null0 with 'No ICMP Redirects'?

Thanks,



Peter
CCNA, Cisco Qualified Specialist
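The two approaches compared in the post above (the inbound ACL that is in place today, and static routes to Null0), written out side by side as an added Cisco IOS example. This is not configuration from the thread or from Cisco documentation; the interface names, the ACL and prefix set, and the customer-facing interface are assumptions. One point worth having in front of you before swapping one for the other: an inbound ACL matches on the packet's source address, so it drops bogon-sourced traffic directly. A static route to Null0 on its own only discards packets destined for that prefix. To make bogon-sourced packets fail on the same routes, the interface also needs unicast RPF in loose mode (`ip verify unicast source reachable-via any`), which does a second FIB lookup on the source address and drops the packet when that lookup resolves to Null0. `no ip unreachables` on Null0 stops the router generating an ICMP unreachable for every packet it blackholes.

```cisco
! ------------------------------------------------------------------
! Approach 1: inbound ACL on each ISP-facing interface (source match).
! Only the RFC 1918, loopback, link-local, TEST-NET and class D/E
! ranges are listed here; the full bogon list changes over time.
! ------------------------------------------------------------------
ip access-list extended BOGON_IN
 remark -- drop packets SOURCED from unroutable / reserved space --
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Uplink to ISP-A (interface name assumed)
 ip access-group BOGON_IN in
!
! ------------------------------------------------------------------
! Approach 2: static routes to Null0 plus loose-mode uRPF.
! The Null0 routes alone only discard packets DESTINED for these
! prefixes (including traffic customers send towards them). The uRPF
! check is what drops packets SOURCED from them: the source lookup
! resolves to a Null0 route, so the check fails and the packet is dropped.
! ------------------------------------------------------------------
interface Null0
 no ip unreachables
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
interface GigabitEthernet0/0
 description Uplink to ISP-A (interface name assumed)
 ! allow-default: let sources covered only by a default route pass.
 ! Without it, a router carrying just a default route would fail every
 ! source it has no specific route for. With a full BGP table it can be
 ! omitted so that unrouted space is dropped as well.
 ip verify unicast source reachable-via any allow-default
!
interface GigabitEthernet0/1
 description Customer-facing (interface name assumed)
 ! the same check on the inside edge drops bogon-sourced traffic that
 ! customers originate, which a Null0 route by itself would never see
 ip verify unicast source reachable-via any allow-default
```

Useful checks after applying either form: `show ip access-lists BOGON_IN` shows per-entry hit counts for the ACL; `show ip interface GigabitEthernet0/0` reports the uRPF mode and the count of packets it has dropped, and `show ip route 10.0.0.1` should resolve to Null0 for an address inside a blackholed prefix.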
 
Thanks Burt,

I stumbled across that very PDF myself when searching prior to posting, its got some good information in it.

We have a large team of engineers so it's not too difficult to maintain and update the filter manually when necessary. I guess we should trust our ISPs that bogons are filtered by them, so we should never receive them, however we also provide ISP connectivity to our customers, and want to ensure that they are not generating illegitimate traffic...

My thoughts were that it would take less processing power on the router to route the packets to null0 than to inspect with an ACL...

I'm trying to simplify and clean up my internet facing routers...

Cheers for your help.



Peter
CCNA, Cisco Qualified Specialist
 
I agree that routing them to Null0 would be better than ACLs, yes. Is your main concern DoS/DDoS attacks, or just illegitimate traffic? There are other measures that can be taken for DDoS that are effective no matter where they come from, like TCP Intercept. Also, are you implementing CBAC, and filtering RFC 1918 addresses from generating from the outside?

Burt
 

Hi Burt,

Thank you for your reply, I'm not too concerned about DoS, but more illegitimate traffic.

Routers facing our ISP don't have any firewalling functionality, this is handled by individual firewalls in front of each customer. Bogons are stopped on the two internet facing routers as a centralised point for making changes.

I notice that some people use BGP prefix-lists to stop bogons coming from upstream ISPs, I figured that routing to Null0 would achieve the same result, and also stopping bogons coming FROM us...

Rgds,


Peter
CCNA, Cisco Qualified Specialist
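The BGP prefix-list technique mentioned in the post above, as an added Cisco IOS example (not from the thread; the neighbour address, AS numbers, the advertised aggregate and the list names are assumptions, using documentation addresses and private ASNs). It is worth separating two different jobs here. A prefix-list on the eBGP session is control-plane filtering: it decides which routes the router will accept from, or announce to, the upstream. A static route to Null0 is data-plane: it decides where packets go. A static route (administrative distance 1) does beat an eBGP route (distance 20) for the identical prefix, but a more specific bogon prefix learned from the upstream would still be installed, which is why the session itself is filtered. Neither the prefix-list nor the Null0 route stops bogon-sourced packets arriving on the link; that still needs the inbound ACL or uRPF.

```cisco
! Inbound: reject bogon space (and any more-specific of it), anything
! longer than /24, and a default route we did not ask this ISP for.
ip prefix-list BOGONS_IN seq 5   deny 0.0.0.0/8 le 32
ip prefix-list BOGONS_IN seq 10  deny 10.0.0.0/8 le 32
ip prefix-list BOGONS_IN seq 15  deny 127.0.0.0/8 le 32
ip prefix-list BOGONS_IN seq 20  deny 169.254.0.0/16 le 32
ip prefix-list BOGONS_IN seq 25  deny 172.16.0.0/12 le 32
ip prefix-list BOGONS_IN seq 30  deny 192.0.2.0/24 le 32
ip prefix-list BOGONS_IN seq 35  deny 192.168.0.0/16 le 32
ip prefix-list BOGONS_IN seq 40  deny 224.0.0.0/3 le 32
! "ge 25" with no "le" matches every prefix of length /25 to /32
ip prefix-list BOGONS_IN seq 45  deny 0.0.0.0/0 ge 25
ip prefix-list BOGONS_IN seq 50  deny 0.0.0.0/0
ip prefix-list BOGONS_IN seq 100 permit 0.0.0.0/0 le 24
!
! Outbound: announce only our own aggregate, so nothing learned from a
! customer or leaked from the IGP (bogon or otherwise) reaches the ISP.
ip prefix-list OUR_AGGREGATES_OUT seq 5 permit 198.51.100.0/24
!
router bgp 65000
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 description Upstream ISP-A (addresses and ASNs assumed)
 neighbor 203.0.113.1 prefix-list BOGONS_IN in
 neighbor 203.0.113.1 prefix-list OUR_AGGREGATES_OUT out
```

After a change, `clear ip bgp 203.0.113.1 soft in` re-applies the inbound policy without tearing the session down, and `show ip bgp neighbors 203.0.113.1 received-routes` (with soft-reconfiguration inbound enabled) lets you confirm what the upstream sent against what `show ip bgp neighbors 203.0.113.1 routes` shows was accepted.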
 
Just wait until IPv6 is in full swing...

Burt
 

Oh the joys! :D

Peter
CCNA, Cisco Qualified Specialist
 