Packets from net 10 (no, not the lyrics)
Randall S. Benn
rbenn at clark.net
Tue Sep 23 14:45:19 UTC 1997
At 06:16 AM 9/23/97 -0700, you wrote:
>
>! Loopback
>access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
>! RFC 1918 private blocks
>access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
>access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
>access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
>! Test Network
>access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
>! Tiny networks.
>access-list 100 deny ip any 255.255.255.128 0.0.0.127
>access-list 100 permit ip any any
>
I think you'll find that your router's CPU will be happier if you just dump
the 1918 networks to the bit bucket on your border routers with a static
route via interface Null0:
ip route 10.0.0.0 255.0.0.0 null0
ip route 127.0.0.0 255.0.0.0 null0
etc.
Considering resource utilization on the router, it is cheaper to do a
routing table look-up than it is to do ACLs. Also, when you're doing
outbound filtering on the router, you have to do a routing table lookup
first before you can do outbound filtering. Save a step and just do the
routing table lookup.
Randy
More information about the NANOG
mailing list