Cisco Support Community

Best practices for blocking traffic

I want to start blocking traffic based on its source (e.g. China) and need input as to the best way to do so.

I assume that blocking it at the edge router is better than at the firewall but is it better (performance wise) to block it using an ACL or by routing it to null0...or is there another preferred method I do not know of?

3 REPLIES

Re: Best practices for blocking traffic

You can use your internet edge router for filtering. This is among the good practices for an additional layer of filtering.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml


Re: Best practices for blocking traffic

Thanks Jorge. I understand filtering at the edge as we already are using ACLs. We allow only certain types of traffic to the outside interface of our firewall but what I want to do is limit where the traffic comes FROM not where it's going to. My question was related more to performance - when you block traffic from the IP address space of China you will have over 1300 lines in your config dedicated to this. For instance, is

! IOS static routes take a dotted subnet mask rather than a prefix length
ip route 222.222.0.0 255.254.0.0 Null0
ip route 222.240.0.0 255.248.0.0 Null0
ip route 222.248.0.0 255.255.0.0 Null0
ip route 222.249.0.0 255.255.128.0 Null0
ip route 222.249.160.0 255.255.240.0 Null0
ip route 222.249.176.0 255.255.240.0 Null0

more efficient than

! Extended ACL entries need a protocol, a wildcard mask and a destination
access-list 120 deny ip 222.222.0.0 0.1.255.255 any
access-list 120 deny ip 222.240.0.0 0.7.255.255 any
access-list 120 deny ip 222.248.0.0 0.0.255.255 any
access-list 120 deny ip 222.249.0.0 0.0.127.255 any
access-list 120 deny ip 222.249.160.0 0.0.15.255 any
access-list 120 deny ip 222.249.176.0 0.0.15.255 any
! Without this line the implicit deny at the end drops all other traffic too
access-list 120 permit ip any any
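The two configuration styles above differ only in how the same prefixes are written, so the long list can be generated rather than typed, and adjacent prefixes can be collapsed first to cut the line count. The script below is an added example, not code from this thread or from Cisco; it assumes classic IOS syntax (dotted mask for static routes, wildcard mask for extended ACLs) and uses the prefixes quoted above as constructed sample input.

```python
"""Render a CIDR block list as IOS null routes or as extended ACL entries.

Adjacent prefixes are aggregated first so the emitted config is as short as
the address space allows (e.g. two /20s that share a /19 become one line).
"""
import ipaddress

# Constructed sample input: the prefixes quoted in the thread.
SAMPLE_PREFIXES = [
    "222.222.0.0/15",
    "222.240.0.0/13",
    "222.248.0.0/16",
    "222.249.0.0/17",
    "222.249.160.0/20",
    "222.249.176.0/20",
]


def aggregate(prefixes):
    """Collapse overlapping and adjacent prefixes into the minimal covering set."""
    nets = (ipaddress.ip_network(p, strict=True) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def null_routes(prefixes):
    """'ip route <network> <dotted mask> Null0' for each aggregated prefix."""
    lines = []
    for p in aggregate(prefixes):
        n = ipaddress.ip_network(p)
        lines.append(f"ip route {n.network_address} {n.netmask} Null0")
    return lines


def acl_entries(prefixes, acl_number=120):
    """Extended ACL deny lines (wildcard mask) followed by the permit that is
    required because every IOS ACL ends in an implicit deny."""
    lines = []
    for p in aggregate(prefixes):
        n = ipaddress.ip_network(p)
        lines.append(
            f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any"
        )
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(null_routes(SAMPLE_PREFIXES)))
    print("!")
    print("\n".join(acl_entries(SAMPLE_PREFIXES)))
```

Note that a static route to Null0 matches on the destination address, so on its own it only discards traffic going to those prefixes; dropping packets that come from them via null routes requires unicast RPF on the ingress interface, whereas the ACL applied inbound matches the source directly.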


Re: Best practices for blocking traffic

I would say using an acl is more efficient. From previous reading I recall that the acl happens before the route lookup. So you do not want to waste your resources going those extra steps to get to and do a route lookup. Here is a link about NAT order of operation, but it does also show acl lookup happens before routing.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

I would use null0 when I could do an acl on the interface or needed to only drop it for certain traffic with PBR.

-Jesse
