Reducing Network Traffic: Alternatives to Access Lists

8 Mar

Because of the resources required to process access lists, they are not always the most suitable solution. The null interface is a good example of when a technology can be used imaginatively to produce a low-resource solution.

The null interface is a virtual or logical interface that exists only in the operating system of the router. Traffic can be sent to it, but it disappears because the interface has no physical layer. A virtual interface does not physically exist. Administrators have been extremely creative and have used the interface as an alternative to access lists. Access lists require CPU processing to determine which packets to forward. The null interface just forwards the traffic to nowhere.

By default, the router responds to traffic sent to the null interface by sending an Internet Control Message Protocol (ICMP) Unreachable message to the source IP address of the datagram. However, you can configure the router to simply and silently drop the datagrams. With this configuration, no error messages are sent to the transmitting node. This has several benefits, one of which is additional security: the sender learns nothing about the discarded traffic.

To disable the sending of ICMP Unreachable messages in response to packets sent to the null interface, in interface configuration mode, type the following:

Router(config-if)#no ip unreachables

The following sections provide examples of how a null interface can be used within the Internet, as well as in an intranet environment.

Internet Example
With a static route for network 10.0.0.0 pointing to null0, any traffic the router receives for that network is dropped through null0 into a “black hole.” Because 10.0.0.0 is a private network address, to be used solely within an organization and never to stray onto the Internet, this is a route that may well be configured on routers within the Internet.

Figure 3-2 shows how you might implement a null interface in an organization. The example shows how it can be used to filter the private network from entering the Internet.
Figure 3-2 Using the Null Interface on the Internet

98 Chapter 3: Designing IP Networks

Intranet Example

Configuring a static route to null0 on an internal company router prevents connectivity to the defined network, because all traffic to that destination is forwarded to the null0 interface and dropped. This is illustrated in Figure 3-3.

Figure 3-3 Using the Null Interface Within an Organization


In Figure 3-3, Workstation A would not be capable of connecting to Server C, the development server used by the Research and Development department. The Research and Development department would still be capable of seeing the rest of the organization; indeed, the rest of the world can see the Research and Development network in a routing table. Any attempt to direct traffic to that network will be unsuccessful, however: the first router that sees the traffic will statically route it to the null interface, the metaphorical black hole.

NOTE Because the static route is entered into the routing table, it is important to remember that all the rules of static routing apply. By default, if the router hears of the destination route via another source, that route is ignored in favor of the static route, which has a lower administrative distance (a more credible source).

Certain guidelines or key points should be used in the design of an IP network. The following section identifies these guidelines.

Key Points to Remember When Designing an IP Network
When addressing an IP network, you should consider whether it is for an existing network or a network that is to be created from scratch, because the approaches differ. The following list covers general points that apply to both kinds of network. It is followed by a discussion of points to think about when readdressing an existing network.

You should consider the following list of items when preparing the IP addressing plan for your network, whether it is a new or existing network:

■ Identifying how many hosts and subnets will be required in the future requires communication with other departments, in terms of the growth of personnel and the budget for network growth. Without the standard-issue crystal ball, a wider view must be taken at a high level to answer these questions. The answers need to come from a range of sources, including the senior management and executive team of the organization.

■ The design of the IP network must take into consideration the network equipment and its vendors. Interoperability may well be an issue, particularly with some of the features offered by each product.
■ For route aggregation (summarization) to occur, the address assignments must have topological significance.
■ When using VLSM, the routing protocol must send the extended prefix (subnet mask) with the routing update.
■ When using VLSM, the routing protocol must do a routing table lookup based on the longest match.

■ Make certain that enough bits have been allowed at each level of the hierarchical design to address all devices at that layer. Also be sure that growth of the network at each level has been anticipated. What address space is to be used (Class A, B, C, private, registered), and will it scale with the organization?

NOTE Cisco offers many enhancements in its IOS Software. Most of these enhancements are interoperable. If they are not, Cisco provides solutions for connecting to industry standards (which, of course, are fully supported by Cisco). Check Cisco.com to review the latest features and any connectivity issues.

In many cases, not enough consideration is given to IP address design with regard to the routing process, leaving the decision to be based on the longest address match. Careful consideration of IP addresses is essential to the design of a VLSM network.

Consider a network, as described in Chapter 2 in the section “Assigning IP VLSM Subnets for WAN Connections,” that uses the Class B Internet address 140.100.0.0.

The routing table has the following among its entries:

■ 140.100.0.0/16
■ 140.100.1.0/20
■ 140.100.1.192/26
A packet comes into the router destined for the end host 140.100.1.209. The router will forward to the network 140.100.1.192 because the bit pattern matches the longest bit mask provided. The other routes are also valid, however, so the router has made a policy decision that it will always take the most specific mask, sometimes referred to as the longest match.

This decision is based on the design assumption that has been made by the router that the longest match is directly connected to the router or that the network is reached from the identified interface. If the end host 140.100.1.209 actually resides on network 140.100.1.208/29, this network must be accessible through the interface that has learned of the subnet 140.100.1.192/26. Summarization will have been configured, because 140.100.1.192 is an aggregate of various networks, including the network 140.100.1.208/29.

If the network 140.100.1.208/29 resides out of the interface that has learned about 140.100.1.0/20, no traffic will ever reach the subnet 140.100.1.208/29, because the router will always forward based on the longest match in the routing table. The only solution is to turn off summarization and to list every subnet with the corresponding mask. If summarization is turned off, the subnet 140.100.1.208/29 will not be summarized into the network 140.100.1.0/20. It will consequently be the longest match in the routing table, and traffic will be sent to the destination network 140.100.1.208/29. Figure 3-4 shows an example of route summarization.

Figure 3-4 Route Summarization and VLSM
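The two behaviors this chapter describes, a static route into Null0 that black-holes a prefix, and longest-match forwarding that hides 140.100.1.208/29 behind the 140.100.1.192/26 summary until summarization is turned off, can be reproduced in a small model. The following Python is an added example, not code from the book or from Cisco IOS; the routing table is constructed from the chapter's prefixes, and the interface names Serial0, Serial1 and Ethernet0 are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the chapter's prefixes (added example,
# not the book's own code). Interface names are assumptions.
# The chapter writes the /20 as "140.100.1.0/20"; a router stores that prefix
# as 140.100.0.0/20, which strict=False reproduces in build_table().
SUMMARIZED_TABLE = [
    ("10.0.0.0/8",       "Null0"),      # ip route 10.0.0.0 255.0.0.0 Null0
    ("140.100.0.0/16",   "Serial0"),
    ("140.100.1.0/20",   "Serial1"),    # where 140.100.1.208/29 really lives
    ("140.100.1.192/26", "Ethernet0"),  # summary that also covers .208/29
]

# Summarization turned off: the /29 is listed with its own mask.
UNSUMMARIZED_TABLE = SUMMARIZED_TABLE + [("140.100.1.208/29", "Serial1")]


def build_table(entries):
    """Parse (prefix, interface) pairs into IPv4Network objects."""
    return [(ipaddress.ip_network(prefix, strict=False), iface)
            for prefix, iface in entries]


def longest_match(table, dst):
    """Return the (network, interface) entry with the longest prefix that
    contains dst, or None when no route covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def forward(table, dst, send_unreachables=True):
    """Simulate the forwarding decision for one packet.

    Returns (action, icmp_unreachable_sent):
      action is the outgoing interface, "DROP" for a Null0 black hole, or
      "UNROUTABLE" when the table has no matching entry;
      icmp_unreachable_sent is False when the router is configured with
      `no ip unreachables` (send_unreachables=False) and the packet was dropped.
    """
    match = longest_match(table, dst)
    if match is None:
        return "UNROUTABLE", send_unreachables
    net, iface = match
    if iface == "Null0":
        return "DROP", send_unreachables
    return iface, False


if __name__ == "__main__":
    summarized = build_table(SUMMARIZED_TABLE)
    unsummarized = build_table(UNSUMMARIZED_TABLE)
    print("10.1.2.3, default:           ", forward(summarized, "10.1.2.3"))
    print("10.1.2.3, no ip unreachables:", forward(summarized, "10.1.2.3", False))
    print("140.100.1.209, summarized:   ", forward(summarized, "140.100.1.209"))
    print("140.100.1.209, unsummarized: ", forward(unsummarized, "140.100.1.209"))
```

In the model, as on the router, the /29 only wins once it is present as its own entry; with summarization in place the /26 summary is the longest match and the packet leaves Ethernet0, never reaching the subnet behind Serial1. The send_unreachables flag plays the part of no ip unreachables on the null interface: with it cleared, the black-holed packet produces no ICMP Unreachable, which is the silent drop the text recommends.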
