Best practices for blocking traffic

Unanswered Question
Mar 10th, 2009

I want to start blocking traffic based on its source (e.g. China) and need input as to the best way to do so.


I assume that blocking it at the edge router is better than at the firewall but is it better (performance wise) to block it using an ACL or by routing it to null0...or is there another preferred method I do not know of?

bhpci Tue, 03/10/2009 - 11:37

Thanks Jorge. I understand filtering at the edge as we already are using ACLs. We allow only certain types of traffic to the outside interface of our firewall, but what I want to do is limit where the traffic comes FROM, not where it's going to. My question was related more to performance - when you block traffic from the IP address space of China, you will have over 1300 lines in your config dedicated to this. For instance, is


! IOS "ip route" takes a dotted netmask, not a /prefix length
ip route 222.222.0.0 255.254.0.0 Null0
ip route 222.240.0.0 255.248.0.0 Null0
ip route 222.248.0.0 255.255.0.0 Null0
ip route 222.249.0.0 255.255.128.0 Null0
ip route 222.249.160.0 255.255.240.0 Null0
ip route 222.249.176.0 255.255.240.0 Null0


more efficient than


! extended numbered ACL: protocol, source with wildcard (inverse) mask, destination
access-list 120 deny ip 222.222.0.0 0.1.255.255 any
access-list 120 deny ip 222.240.0.0 0.7.255.255 any
access-list 120 deny ip 222.248.0.0 0.0.255.255 any
access-list 120 deny ip 222.249.0.0 0.0.127.255 any
access-list 120 deny ip 222.249.160.0 0.0.15.255 any
access-list 120 deny ip 222.249.176.0 0.0.15.255 any
! every IOS ACL ends in an implicit deny, so permit the rest explicitly
access-list 120 permit ip any any
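
The following script is an added example and is not part of the original thread or anyone's posted config. It takes a list of CIDR prefixes like the six above, merges adjacent ones so the config carries fewer lines, and emits both forms compared in the post with the dotted netmask (for ip route) or the wildcard mask (for an extended ACL) computed for you, since IOS accepts neither form with a /length. It also shows the caveat the null-route approach needs: a Null0 route matches the packet's destination, so to drop traffic by source it has to be paired with loose-mode uRPF on the ingress interface. The interface name GigabitEthernet0/0 and ACL number 120 are placeholders; the sample prefix list is constructed from the post above. Only the Python standard library is used.

```python
"""
Added example, not from the original thread: generate the two IOS forms
compared above (Null0 routes and extended-ACL denies) from one list of CIDR
prefixes, aggregating adjacent prefixes first so the config is shorter.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample input: the six prefixes quoted in the post above.
SAMPLE_PREFIXES = [
    "222.222.0.0/15",
    "222.240.0.0/13",
    "222.248.0.0/16",
    "222.249.0.0/17",
    "222.249.160.0/20",
    "222.249.176.0/20",
]


def parse(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse strictly: a host bit set inside the prefix is a typo, not a network."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping prefixes; the covered address set is unchanged."""
    return list(ipaddress.collapse_addresses(nets))


def address_count(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Total addresses covered; equal before and after aggregate() if nothing was lost."""
    return sum(n.num_addresses for n in nets)


def null_routes(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """'ip route <network> <netmask> Null0': IOS wants a dotted netmask, not /len."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]


def acl_lines(nets: Iterable[ipaddress.IPv4Network], acl_number: int = 120) -> List[str]:
    """Extended numbered ACL denying the prefixes as the packet *source*.

    Extended ACLs take a protocol, a source with a wildcard (inverse) mask and a
    destination; ipaddress exposes the wildcard as .hostmask. A permit is appended
    because every IOS ACL ends in an implicit deny.
    """
    lines = [
        f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any"
        for n in nets
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def source_blackhole(nets: Iterable[ipaddress.IPv4Network],
                     interface: str = "GigabitEthernet0/0") -> List[str]:
    """Null0 routes match the *destination*, so on their own they do not block by
    source. Loose-mode uRPF on the ingress interface makes a packet whose source
    resolves to Null0 fail the reverse-path check and be dropped. 'allow-default'
    is required when the router carries a default route, otherwise every source
    matched only by the default would be dropped too. Interface name is a placeholder.
    """
    cfg = null_routes(nets)
    cfg += [
        f"interface {interface}",
        " ip verify unicast source reachable-via any allow-default",
    ]
    return cfg


def is_blocked(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Spot-check one address against the prefix list before pushing the config."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    original = parse(SAMPLE_PREFIXES)
    merged = aggregate(original)
    assert address_count(original) == address_count(merged)
    print("\n".join(source_blackhole(merged)))
    print("!")
    print("\n".join(acl_lines(merged)))
```

Run it and the two /20s quoted above come out as a single 222.249.160.0/19 line, with the address count unchanged; feeding it a real country list of 1300 prefixes usually shrinks the output noticeably. The is_blocked() check is worth running on a few known-good addresses before and after aggregation, since an unaligned prefix in the input is the usual way such a list ends up blocking more than intended.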


Jesse Wiener Wed, 03/18/2009 - 10:47

I would say using an ACL is more efficient. From previous reading I recall that the ACL happens before the route lookup. So you do not want to waste your resources going those extra steps to get to and do a route lookup. Here is a link about NAT order of operation, but it does also show ACL lookup happens before routing.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


I would use null0 when I could do an ACL on the interface or needed to only drop it for certain traffic with PBR.



-Jesse

