North American Network Operators Group


Re: Packets from net 10 (no, not the lyrics)

  • From: Randall S. Benn
  • Date: Tue Sep 23 10:59:28 1997

At 06:16 AM 9/23/97 -0700, you wrote:
>
>!	Loopback
>access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
>!	RFC 1918 private blocks
>access-list 100 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
>access-list 100 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
>access-list 100 deny   ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
>!	Test Network
>access-list 100 deny   ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
>!	Tiny networks.
>access-list 100 deny   ip any 255.255.255.128 0.0.0.127
>access-list 100 permit ip any any
>

I think you'll find that your router's CPU will be happier if you just dump
the 1918 networks to the bit bucket on your border routers with a static
route via interface Null0:

   ip route 10.0.0.0 255.0.0.0 null0
   ip route 127.0.0.0 255.0.0.0 null0
   etc.

Considering resource utilization on the router, it is cheaper to do a
routing table look-up than it is to do ACLs.  Also, when you're doing
outbound filtering on the router, you have to do a routing table lookup
first before you can do outbound filtering.  Save a step and just do the
routing table lookup.

Randy
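The egress path Randy describes, as an added worked example (not code from the post or from any router vendor): a tiny model of a border router that does the routing-table lookup first and only evaluates the outbound ACL for packets that are actually being forwarded. The static routes and the extended ACL below are constructed in the style of the thread; 203.0.113.1 and 192.0.2.x are RFC 5737 documentation addresses standing in for the upstream next hop and for customer hosts, and the wildcard-mask matching is the plain Cisco rule (a 1 bit in the wildcard means "don't care").

```python
import ipaddress

# Constructed border-router config in the style of the post (not the poster's own lines).
# 203.0.113.1 is an RFC 5737 documentation address standing in for the upstream next hop.
ROUTE_TEXT = """
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.0.0.0 255.0.0.0 null0
ip route 127.0.0.0 255.0.0.0 null0
ip route 172.16.0.0 255.240.0.0 null0
ip route 192.168.0.0 255.255.0.0 null0
"""

# Constructed extended ACL; each of source and destination is 'any' or 'address wildcard'.
ACL_TEXT = """
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_acl(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into (action, src_spec, dst_spec).
    Each spec is (base, wildcard) as integers; wildcard bits set to 1 are 'don't care'."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        action, specs, i = t[2], [], 4
        for _ in range(2):
            if t[i] == "any":
                specs.append((0, 0xFFFFFFFF))
                i += 1
            else:
                specs.append((_ip(t[i]), _ip(t[i + 1])))
                i += 2
        entries.append((action, specs[0], specs[1]))
    return entries

def _wc_match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # bits that must match exactly
    return (addr & care) == (base & care)

def acl_action(entries, src, dst):
    """First match wins; a Cisco ACL ends with an implicit 'deny'."""
    s, d = _ip(src), _ip(dst)
    for action, sspec, dspec in entries:
        if _wc_match(s, sspec) and _wc_match(d, dspec):
            return action
    return "deny"

def parse_routes(text):
    """Parse 'ip route NETWORK NETMASK NEXTHOP' lines into (IPv4Network, next hop) pairs."""
    routes = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) == 5 and t[:2] == ["ip", "route"]:
            routes.append((ipaddress.IPv4Network((t[2], t[3])), t[4]))
    return routes

def route_lookup(routes, dst):
    """Longest-prefix match over the static table; returns the next hop or None."""
    a = ipaddress.IPv4Address(dst)
    best = None
    for net, nexthop in routes:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def forward(routes, acl, src, dst):
    """Egress path as the post describes it: the route lookup comes first, and only a packet
    that is actually being forwarded out an interface is evaluated against the outbound ACL."""
    nexthop = route_lookup(routes, dst)
    if nexthop is None:
        return "drop: no route"
    if nexthop.lower() == "null0":
        return "drop: null route"          # discarded by the lookup alone; the ACL never runs
    if acl_action(acl, src, dst) == "deny":
        return "drop: acl"
    return f"forward via {nexthop}"

def null_route_lines(prefixes):
    """Render 'ip route NET MASK null0' for CIDR prefixes (the lines behind the post's 'etc.')."""
    return [f"ip route {n.network_address} {n.netmask} null0"
            for n in map(ipaddress.IPv4Network, prefixes)]

if __name__ == "__main__":
    routes, acl = parse_routes(ROUTE_TEXT), parse_acl(ACL_TEXT)
    for src, dst in [("192.0.2.10", "10.1.2.3"),      # private destination: null route
                     ("192.0.2.10", "203.0.113.50"),  # ordinary traffic: route, then ACL permit
                     ("10.1.2.3", "203.0.113.50")]:   # private *source*: only the ACL catches it
        print(f"{src:>14} -> {dst:<14} {forward(routes, acl, src, dst)}")
    print("\n".join(null_route_lines(["172.16.0.0/12", "192.168.0.0/16"])))
```

The third sample packet is the caveat worth keeping in mind: a Null0 route matches on destination only, so it replaces the destination side of the ACL but does nothing for a packet sourced from a private address and bound for a public one. That case still needs a source-based check on the router, which is why the constructed ACL above keeps its source entries even with the null routes in place.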