Cisco Support Community

New Member

Using a null interface on a Catalyst 6500

Hi,

I am trying to filter traffic destined for private networks that we are not using by adding the following routes to our Catalyst 6509:

ip route 10.0.0.0 255.0.0.0 Null0 255

ip route 192.168.0.0 255.255.0.0 Null0 255

However, I can see that traffic bound for unused addresses is still being passed through the router and not sent to the null interface.

Does anyone know what the reason could be?

Thanks in advance!

Regards,

Harald

7 REPLIES

Re: Using a null interface on a Catalyst 6500

Hi,

I think the problem is the administrative distance metric - the minimum wins.

Try

ip route 10.0.0.0 255.0.0.0 Null0 1

Regards,

Milan

New Member

Re: Using a null interface on a Catalyst 6500

There are (at least) two possible issues here:

- First, if the router has another route with a lower administrative distance than 255, it will use that. You'll probably want to use the default of 1.

- Second, if the router has a more specific route (say, 10.10.10.0/24, for example) it will use that over the statics that you're entering.

But to say anything definite about this, we'd need to see the routing table for those two networks ('sh ip route 10.0.0.0 255.0.0.0 longer' and 'sh ip route 192.168.0.0 255.255.0.0 longer').

-A

New Member

Re: Using a null interface on a Catalyst 6500

Thank you very much for your answers!

We are actually using many of the networks in the 10/8 and 192.168/16 networks. I would therefore only like packets sent to unused networks to be dropped (sent to the null interface) in order to avoid routing loops. Do I have to change the administrative distance in order to accomplish that?

Extract from "sh ip route 10.0.0.0 longer" (no route to null interface appears in the list):

10.0.0.0/8 is variably subnetted, 26 subnets, 5 masks

O IA 10.11.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.9.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.2.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.3.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.4.0.0/16 [110/49] via 192.168.130.9, 4d06h, Vlan10

Thanks again!

Regards,

Harald

Bronze

Re: Using a null interface on a Catalyst 6500

I'd just leave the administrative distance as is (less confusing) and take advantage of the "more specific routes win" rule on Cisco devices. Assuming there are already routes in the routing table for each 10/8 and 192.168/16 subnetwork that you're using, these routes will be preferred over null routes for 10/8 and 192.168/16. So the null routes will only be used when there's not a more specific route in the table; i.e., when the packet is destined to a network that you're not using.

That being said, it sounds like this is pretty much what you already tried other than the administrative distance (which I don't think would make a difference in this case). Was the 'show ip route' command above run with the static route to 10/8 in the config? If so, I'm at a loss as to why the route apparently isn't in the routing table.

Bronze

Re: Using a null interface on a Catalyst 6500

IOS sees a distance of 255 as being completely untrustworthy and ignores it. Try any number lower than 255 for your admin distance for the routes to the Null interface.

Here is a link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprrp_r/ind_r/1rfindp1.htm#1017503

Mark

New Member

Re: Using a null interface on a Catalyst 6500

This seems to be the answer to my problem. Thanks to all of you for your help!

New Member

Re: Using a null interface on a Catalyst 6500

No, you don't need to change the admin distance to achieve that. The router will use the more specific routes first.

Also, Mark is correct that if you enter an admin distance of 255, the router will not install the route in the global table, which is why you don't see the statics with 'sh ip route'.

-A
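Added example, not part of any post in this thread: a small Python model of the two rules the replies describe, that a static route with distance 255 is never installed and that the most specific installed route wins. The `Rib` class, `build_rib` helper, the default route and the `upstream` next hop are assumptions made for illustration; the OSPF prefixes come from the `sh ip route` extract above.

```python
import ipaddress


class Rib:
    """Minimal model of route installation and lookup (illustrative, not IOS code)."""

    def __init__(self):
        self.table = {}  # network -> (admin_distance, next_hop)

    def add(self, prefix, next_hop, distance):
        net = ipaddress.ip_network(prefix)
        # Per the thread: distance 255 is treated as untrustworthy,
        # so the route is never installed in the table.
        if distance >= 255:
            return False
        current = self.table.get(net)
        # For the same prefix, the lowest administrative distance wins.
        if current is None or distance < current[0]:
            self.table[net] = (distance, next_hop)
            return True
        return False

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.table if addr in net]
        if not matches:
            return None
        # Longest prefix match: the most specific route is preferred.
        best = max(matches, key=lambda net: net.prefixlen)
        return self.table[best][1]


def build_rib(null_distance):
    rib = Rib()
    # OSPF routes from the thread's 'sh ip route' extract (distance 110).
    rib.add("10.11.0.0/16", "192.168.130.6", 110)
    rib.add("10.4.0.0/16", "192.168.130.9", 110)
    # Assumed default route (hypothetical next hop) for unmatched traffic.
    rib.add("0.0.0.0/0", "upstream", 1)
    rib.add("10.0.0.0/8", "Null0", null_distance)
    return rib


if __name__ == "__main__":
    for distance in (255, 1):
        rib = build_rib(distance)
        # 10.11.5.5 is in use; 10.200.1.1 is a constructed unused address.
        print(distance, rib.lookup("10.11.5.5"), rib.lookup("10.200.1.1"))
```

With distance 255 the unused address follows the assumed default route; with distance 1 it is dropped at Null0 while the in-use subnet still follows its OSPF route.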
