Filtering Source Addresses on gw-internet

Sorry for the delay. I am in all-day meetings through the end
of the week.

If Null0 were a standard interface I would say "yes, definitely
a better method". But since it isn't, I am not sure. I will
try to find out and post tomorrow night (unless someone else
from Cisco (or formerly from Cisco) pops up the answer first).

GK

Date: Wed, 13 Aug 1997 06:46:58 -0400 (EDT)
From: "C. Jon Larsen" <jlarsen@ajtech.com>
To: Greg Ketell <gketell@cisco.com>
cc: nanog@merit.edu
Subject: Re: Filtering Source Addresses on gw-internet

Much thanks to everyone for their input. Greg, since you have
"Cisco" in your email address, any comment on whether sending
packets to a null interface is a quicker / more efficient way of
blocking unwanted traffic? gw-internet is a little old 68030,
with 1MB RAM.

>gw-internet#show access-lists 120
>Extended IP access list 120
> deny ip any 10.0.0.0 0.255.255.255 log
> deny ip any 172.16.0.0 0.0.255.255 log
> deny ip any 172.17.0.0 0.0.255.255 log
> deny ip any 192.168.0.0 0.0.255.255 log
> permit ip a.b.c.0 0.0.0.255 any (27429 matches)
> deny ip any any log

Lines 2 and 3 could be replaced by:
 deny ip any 172.16.0.0 0.15.255.255 log

which would block all 172.16.0.0-172.31.0.0 as per the RFC.

You might also want to block 127.0.0.0.

GK

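Added example (not part of the original thread): a Python check of how much RFC 1918 space the deny lines cover, as posted and with the suggested 0.15.255.255 wildcard. The function names are hypothetical, and only the "deny ip any <addr> <wildcard>" form with a contiguous wildcard mask is parsed.

```python
import ipaddress

# RFC 1918 private blocks the access list in the thread is meant to cover.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Deny lines copied from the thread: as posted, and with the suggested line.
ORIGINAL = """\
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 172.17.0.0 0.0.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
"""
SUGGESTED = """\
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
"""

def wildcard_to_network(addr, wildcard):
    """Turn an address plus contiguous wildcard mask into an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # contiguous wildcards have the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - w.bit_length()))

def denied_networks(acl_text):
    """Destination networks of 'deny ip any <addr> <wildcard>' lines."""
    rows = (line.split() for line in acl_text.splitlines())
    return [wildcard_to_network(t[3], t[4]) for t in rows
            if len(t) >= 5 and t[:3] == ["deny", "ip", "any"] and t[3] != "any"]

def uncovered(acl_text):
    """RFC 1918 space that no deny line matches, as a list of CIDR strings."""
    remaining = list(RFC1918)
    for d in denied_networks(acl_text):
        nxt = []
        for r in remaining:
            if r.supernet_of(d):        # d lies inside r: keep r minus d
                nxt.extend(r.address_exclude(d) if r != d else [])
            elif not d.supernet_of(r):  # disjoint: keep r untouched
                nxt.append(r)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

if __name__ == "__main__":
    print("as posted:", uncovered(ORIGINAL))
    print("suggested:", uncovered(SUGGESTED))
```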