Using a null interface on a Catalyst 6500

astrand
Level 1

Hi,

I am trying to filter traffic destined for private networks that we are not using by adding the following routes to our Catalyst 6509:

ip route 10.0.0.0 255.0.0.0 Null0 255

ip route 192.168.0.0 255.255.0.0 Null0 255

However, I can see that traffic bound for unused addresses is still being passed through the router and not sent to the null interface.

Does anyone know what the reason could be?

Thanks in advance!

Regards,

Harald

milan.kulik
Level 10

Hi,

I think the problem is the administrative distance metric - the minimum wins.

Try

ip route 10.0.0.0 255.0.0.0 Null0 1

Regards,

Milan

ahojmark
Level 1

There are (at least) two possible issues here:

- First, if the router has another route with a lower administrative distance than 255, it will use that. You'll probably want to use the default of 1.

- Second, if the router has a more specific route (say, 10.10.10.0/24, for example) it will use that over the statics that you're entering.

But to say anything definite about this, we'd need to see the routing table for those two networks ('sh ip route 10.0.0.0 255.0.0.0 longer' and 'sh ip route 192.168.0.0 255.255.0.0 longer').

-A

Asbjoern Hoejmark | CTO | CCIE #8525
Wingmen Solutions A/S | Gyngemose Parkvej 50, 1. | DK-2860 Søborg | Denmark
M: +4525162108 | E: ah@wingmen.dk | W: www.wingmen.dk

Thank you very much for your answers!

We are actually using many of the networks in the 10/8 and 192.168/16 networks. I would therefore only like packets sent to unused networks to be dropped (sent to the null interface) in order to avoid routing loops. Do I have to change the administrative distance in order to accomplish that?

Extract from "sh ip route 10.0.0.0 longer" (no route to null interface appears in the list):

10.0.0.0/8 is variably subnetted, 26 subnets, 5 masks

O IA 10.11.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.9.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.2.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.3.0.0/16 [110/51] via 192.168.130.6, 4d06h, Vlan10

O IA 10.4.0.0/16 [110/49] via 192.168.130.9, 4d06h, Vlan10

Thanks again!

Regards,

Harald

I'd just leave the administrative distance as is (less confusing) and take advantage of the "more specific routes win" rule on Cisco devices. Assuming there are already routes in the routing table for each 10/8 and 192.168/16 subnetwork that you're using, these routes will be preferred over null routes for 10/8 and 192.168/16. So the null routes will only be used when there's not a more specific route in the table; i.e., when the packet is destined to a network that you're not using.

That being said, it sounds like this is pretty much what you already tried other than the administrative distance (which I don't think would make a difference in this case). Was the 'show ip route' command above run with the static route to 10/8 in the config? If so, I'm at a loss as to why the route apparently isn't in the routing table.

IOS sees a distance of 255 as being completely untrustworthy and ignores it. Try any number lower than 255 for your admin distance for the routes to the Null interface.

Here is a link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprrp_r/ind_r/1rfindp1.htm#1017503

Mark

This seems to be the answer to my problem. Thanks to all of you for your help!

No, you don't need to change the admin distance to achieve that. The router will use the more specific routes first.

Also, Mark is correct that if you enter an admin distance of 255, the router will not install the route in the global table, which is why you don't see the statics with 'sh ip route'.

-A

Asbjoern Hoejmark | CTO | CCIE #8525
Wingmen Solutions A/S | Gyngemose Parkvej 50, 1. | DK-2860 Søborg | Denmark
M: +4525162108 | E: ah@wingmen.dk | W: www.wingmen.dk
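
Added example (not part of the original thread and not Cisco code): a small Python model of the two rules discussed above, that a static route with distance 255 is never installed and that the most specific installed route wins. The OSPF entries come from the routing-table extract in the thread; the default route via 192.0.2.1 is an assumption made for illustration.

```python
import ipaddress

def build_rib(candidates):
    """Install candidate routes as the thread describes IOS doing it:
    distance 255 is never installed; per prefix, the lowest distance wins."""
    rib = {}
    for prefix, distance, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        if distance >= 255:          # "completely untrustworthy": not installed
            continue
        if net not in rib or distance < rib[net][0]:
            rib[net] = (distance, next_hop)
    return rib

def lookup(rib, destination):
    """Longest-prefix match: the most specific installed route wins,
    regardless of administrative distance."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return rib[best][1]

# OSPF routes from the 'sh ip route' extract in the thread (distance 110).
OSPF = [
    ("10.11.0.0/16", 110, "192.168.130.6"),
    ("10.9.0.0/16", 110, "192.168.130.6"),
    ("10.2.0.0/16", 110, "192.168.130.6"),
    ("10.3.0.0/16", 110, "192.168.130.6"),
    ("10.4.0.0/16", 110, "192.168.130.9"),
]
# Assumption, constructed for illustration: a default route that traffic to
# unused networks follows when no null route is installed.
DEFAULT = [("0.0.0.0/0", 1, "192.0.2.1")]

def null_routes(distance):
    """The two static routes from the original post, with a chosen distance."""
    return [("10.0.0.0/8", distance, "Null0"),
            ("192.168.0.0/16", distance, "Null0")]

rib_255 = build_rib(OSPF + DEFAULT + null_routes(255))  # as first configured
rib_1 = build_rib(OSPF + DEFAULT + null_routes(1))      # default static distance

if __name__ == "__main__":
    for dst in ("10.2.5.5", "10.200.1.1", "192.168.77.1"):
        print(dst, "| distance 255:", lookup(rib_255, dst),
              "| distance 1:", lookup(rib_1, dst))
```

With distance 255 the unused destinations follow the default route; with distance 1 they are dropped at Null0, while the in-use 10.x subnets keep their OSPF next hops in both cases.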