Solved: Null 0 interface explanation

Frankunpingco · ‎12-24-2013

I'm developing a course concentrating on ACLs and how routers handle traffic. One of the topics I'm discussing is how Null 0 interfaces can be used to remove unwanted traffic. I've read the attached document from CISCO and it states that Null 0 interfaces can be used to remove unwanted traffic without the overhead of ACLs. My question is how does it do that? What's the process? below is how I believe the process to to work.

1. Traffic comes in the device

2. The device first identifies what interface to send data to

3. Data is sent to the Null and immediately dropped

I know there is a lot more to it than this, but I don't want to confuse my audience. I just want to be prepared for the question. Any help or direction to help is appreciated.

Jon Marshall · ‎12-26-2013

Frank

The null0 interface is primarily used when a router advertises a summary address. The idea is that this router has all the more specific routes and so if a packet is received for which the router has no matching route, rather than forward the packet on and potentially creating a routing loop, the packet is dropped ie. routed to null0 which is the same thing.

I have never used null0 interfaces instead of acls though. You could do it but it be would be limited as to how you could use it. For example with an extended acl you could deny traffic based not only on destination IP but also on source IP as well as ports eg.

access-list 101 deny ip 10.5.1.0 0.0.0.255 host 172.16.5.1

access-list 101 permit ip any host 172.16.5.1

the above would obvously drop any packets from any

10.5.1.x address to 172.16.5.1

and then allow all other IPs to

access host 172.16.5.1

You couldn't do this with just a route entry pointing to a null0 interface because you cannot specify the source IPs of the packets ie. you are only filtering based on the destination IP.

In terms of the process used it is pretty much what you describe ie. -

1) a packet arrives at the router with a destination IP of 192.168.5.1

2) the router looks up the route in it's routing table to find the best match for that route

3) if the route it chooses as the best match has a next hop of null0 the packet is simply dropped

The router will probably be using CEF so it would actually look in that table but the same principle applies. It is also important to remember that the router will always choose the longest match so you need to make sure that the packets match the right route so that they get dropped ie. if you had these in your routing table -

192.168.5.0 255.255.255.0 null0

192.168.5.0 255.255.255.128 172.16.5.1

a packet with a src IP of 192.168.5.1 would actually match the second route entry and would be forwarded to 172.16.5.1.

Jon

View solution in original post

Richard Burts · ‎12-27-2013

Jon makes good points about using null 0 when doing route summaries and I would agree that this is the "primary" use of null 0 (especially if that also included static routes to null 0 when configuring BGP to be sure that routes will be present in the ip routing table so that BGP will advertise them). But null 0 as a way to discard traffic instead of

access lists

is also quite valid. I have seen it done a few times.

As far as being able to filter based on source address and/or port numbers there is the possibility of using Policy Based Routing with an

access list

to evaluate source address and/or port number and then setting interface as null 0.

As for what makes null 0 able to do it with less overhead and ACL consider these points

- removing traffic with an ACL involves configuring the ACL and applying it to one or more interfaces with

access-group

Then every packet coming through the interface is impacted since it must be evaluated by the ACL.

- if you remove traffic with a route to null 0 it only impacts that particular traffic. There is no effect on any other traffic coming through an interface.

- you must always make a routing decision for a packet so the null 0 option has no extra overhead. Dropping a packet with an ACL is always some degree of extra overhead.

- dropping a packet with null 0 is a normal routing decision and is NOT an error condition. Dropping a packet with an ACL invokes several steps other than just the action of dropping the packet (such as incrementing ACL counters, generating the ICMP error of administratively prohibited).

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎12-27-2013

I found several articles that discuss using mull 0 routes as a way to remove traffic. I hope that may be interesting to those who are reading this thread.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf

http://www.techrepublic.com/blog/data-center/black-hole-routes-the-good-the-bad-and-the-ugly/

HTH

Rick

HTH

Rick

View solution in original post

Jon Marshall · ‎12-26-2013

Frank

The null0 interface is primarily used when a router advertises a summary address. The idea is that this router has all the more specific routes and so if a packet is received for which the router has no matching route, rather than forward the packet on and potentially creating a routing loop, the packet is dropped ie. routed to null0 which is the same thing.

I have never used null0 interfaces instead of acls though. You could do it but it be would be limited as to how you could use it. For example with an extended acl you could deny traffic based not only on destination IP but also on source IP as well as ports eg.

access-list 101 deny ip 10.5.1.0 0.0.0.255 host 172.16.5.1

access-list 101 permit ip any host 172.16.5.1

the above would obvously drop any packets from any

10.5.1.x address to 172.16.5.1

and then allow all other IPs to

access host 172.16.5.1

You couldn't do this with just a route entry pointing to a null0 interface because you cannot specify the source IPs of the packets ie. you are only filtering based on the destination IP.

In terms of the process used it is pretty much what you describe ie. -

1) a packet arrives at the router with a destination IP of 192.168.5.1

2) the router looks up the route in it's routing table to find the best match for that route

3) if the route it chooses as the best match has a next hop of null0 the packet is simply dropped

The router will probably be using CEF so it would actually look in that table but the same principle applies. It is also important to remember that the router will always choose the longest match so you need to make sure that the packets match the right route so that they get dropped ie. if you had these in your routing table -

192.168.5.0 255.255.255.0 null0

192.168.5.0 255.255.255.128 172.16.5.1

a packet with a src IP of 192.168.5.1 would actually match the second route entry and would be forwarded to 172.16.5.1.

Jon

Leo Laohoo · ‎12-26-2013

I'm developing a course concentrating on ACLs and how routers handle traffic. One of the topics I'm discussing is how Null 0 interfaces can be used to remove unwanted traffic.

Uhhhh ... Must be a "cooincidence", but what's this?

Two people, in a span of a few days, asking about "Null 0". Wierd!

Richard Burts · ‎12-27-2013

Jon makes good points about using null 0 when doing route summaries and I would agree that this is the "primary" use of null 0 (especially if that also included static routes to null 0 when configuring BGP to be sure that routes will be present in the ip routing table so that BGP will advertise them). But null 0 as a way to discard traffic instead of

access lists

is also quite valid. I have seen it done a few times.

As far as being able to filter based on source address and/or port numbers there is the possibility of using Policy Based Routing with an

access list

to evaluate source address and/or port number and then setting interface as null 0.

As for what makes null 0 able to do it with less overhead and ACL consider these points

- removing traffic with an ACL involves configuring the ACL and applying it to one or more interfaces with

access-group

Then every packet coming through the interface is impacted since it must be evaluated by the ACL.

- if you remove traffic with a route to null 0 it only impacts that particular traffic. There is no effect on any other traffic coming through an interface.

- you must always make a routing decision for a packet so the null 0 option has no extra overhead. Dropping a packet with an ACL is always some degree of extra overhead.

- dropping a packet with null 0 is a normal routing decision and is NOT an error condition. Dropping a packet with an ACL invokes several steps other than just the action of dropping the packet (such as incrementing ACL counters, generating the ICMP error of administratively prohibited).

HTH

Rick

HTH

Rick

Richard Burts · ‎12-27-2013

I found several articles that discuss using mull 0 routes as a way to remove traffic. I hope that may be interesting to those who are reading this thread.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf

http://www.techrepublic.com/blog/data-center/black-hole-routes-the-good-the-bad-and-the-ugly/

HTH

Rick

HTH

Rick

Frankunpingco · ‎12-27-2013

Thanks for your help gentlemen. Your help was extremely helpful. Richard, where did you get those papers. I searched everywhere and could not find anything like these two articles. I believe it's because they articles deal more with black hole routes and not Null 0 interfaces. Maybe I'll refer to black hole routes instead of Null 0 interfaces. Thanks again gentlemen.

Richard Burts · ‎12-28-2013

Frank

I am glad that our responses were helpful to you. Finding the articles probably reflects a certain amount of Google-luck on my part. Thank you for using the rating system to mark this question as answered. I hope to see more of your posts in the forum.

HTH

Rick

HTH

Rick