Reducing Network Traffic: Alternatives to Access Lists
Because of the resources required to process access lists, they are not always the most suitable solution. The null interface is a good example of when a technology can be used imaginatively to produce a low-resource solution.
The null interface is a virtual or logical interface that exists only in the operating system of the router. Trafﬁc can be sent to it, but it disappears because the interface has no physical layer. A virtual interface does not physically exist. Administrators have been extremely creative and have used the interface as an alternative to access lists. Access lists require CPU processing to determine which packets to forward. The null interface just forwards the trafﬁc to nowhere.
By default, the router responds to traffic sent to the null interface by sending an Internet Control Message Protocol (ICMP) Unreachable message to the source IP address of the datagram. However, you can configure the router to simply and silently drop the datagrams. With this configuration, no error messages are sent to the transmitting node. This has several benefits, one of which is additional security.
To disable the sending of ICMP Unreachable messages in response to packets sent to the null interface, in interface conﬁguration mode, type the following:
Router(config-if)#no ip unreachables
The following sections provide examples of how a null interface can be used within the Internet, as well as in an intranet environment.
If the router receives traffic to be forwarded to network 10.0.0.0, it will be dropped through null0 into a “black hole.” Because this is a private network address, to be used solely within an organization and never to stray onto the Internet, this is a command that may well be configured on routers within the Internet.
Figure 3-2 shows how you might implement a null interface in an organization. The example shows how it can be used to ﬁlter the private network from entering the Internet.
Figure 3-2 Using the Null Interface on the Internet
Configuring the static route to null0 on an internal company router would prevent connectivity to the defined network because all traffic to that destination would be forwarded to the null0 interface and dropped. This is illustrated in Figure 3-3.
Figure 3-3 Using the Null Interface Within an Organization
In Figure 3-3, Workstation A would not be capable of connecting to Server C, the development server used by the Research and Development department. The result is that the Research and Development department would be capable of seeing the rest of the organization. Indeed, the rest of the world can see the Research and Development department in a routing table. Any attempt to direct trafﬁc to the network will be unsuccessful, however. The ﬁrst router that sees the trafﬁc will statically route it to the null interface, which metaphorically is a black hole.
NOTE Because the static route is entered into the routing table, it is important to remember that all the rules of static routing apply. By default, if the router hears of the destination route via another source, it is ignored in favor of the static route that has a lower administrative distance (more credible source).
Certain guidelines or key points should be used in the design of an IP network. The following section identiﬁes these guidelines.
Key Points to Remember When Designing an IP Network
When addressing an IP network, you should consider whether it is for an existing network or a network that is to be created from scratch, because the approaches will differ. Because the concerns are different, the following list considers general points that apply to both kinds of network. This is followed by a discussion of points to think about when readdressing an existing network.
You should consider the following list of items when preparing the IP addressing plan for your network, whether it is a new or existing network:
■ Identifying how many hosts and subnets will be required in the future requires communication with other departments, in terms of the growth of personnel and the budget for network growth. Without the standard-issue crystal ball, a wider view must be taken at a high level to answer these questions. The answers need to come from a range of sources, including the senior management and executive team of the organization.
■ The design of the IP network must take into consideration the network equipment and its vendors. Interoperability may well be an issue, particularly with some of the features offered by each product.
■ For route aggregation (summarization) to occur, the address assignments must have topological signiﬁcance.
■ When using VLSM, the routing protocol must send the extended preﬁx (subnet mask) with the routing update.
■ When using VLSM, the routing protocol must do a routing table lookup based on the longest match.
■ Make certain that enough bits have been allowed at each level of the hierarchical design to address all devices at that layer. Also be sure that growth of the network at each level has been anticipated. What address space is to be used (Class A, B, C, private, registered), and will it scale with the organization?
NOTE Cisco offers many enhancements in its IOS Software. Most of these enhancements are interoperable. If they are not, Cisco provides solutions for connecting to industry standards (which, of course, are fully supported by Cisco). Check Cisco.com to review the latest features and any connectivity issues.
In many cases, not enough consideration is given to IP address design with regard to the routing process, leaving the decision to be based on the longest address match. Careful consideration of IP addresses is essential to the design of a VLSM network.
Consider a network, as described in Chapter 2 in the section “Assigning IP VLSM Subnets for WAN Connections,” that uses the Class B Internet address 220.127.116.11.
The routing table has the following among its entries:
A packet comes into the router destined for the end host 18.104.22.168. The router will forward to the network 22.214.171.124 because the bit pattern matches the longest bit mask provided. The other routes are also valid, however, so the router has made a policy decision that it will always take the most speciﬁc mask, sometimes referred to as the longest match.
This decision is based on the design assumption that has been made by the router that the longest match is directly connected to the router or that the network is reached from the identiﬁed interface. If the end host 126.96.36.199 actually resides on network 188.8.131.52/29, this network must be accessible through the interface that has learned of the subnet 184.108.40.206/26. Summarization will have been conﬁgured, because 220.127.116.11 is an aggregate of various networks, including the network 18.104.22.168/29.
If the network 22.214.171.124/29 resides out of the interface that has learned about 126.96.36.199/20, no traffic will ever reach the subnet 188.8.131.52/29, because it will always forward based on the longest match in the routing table. The only solution is to turn off summarization and to list every subnet with the corresponding mask. If summarization is turned off, the subnet 184.108.40.206/29 will not be summarized into the network 220.127.116.11/20. It will consequently be the longest match in the routing table, and traffic will be sent to the destination network 18.104.22.168/29. Figure 3-4 shows an example of route summarization.
Figure 3-4 Route Summarization and VLSM
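The two behaviours described in this chapter, the static black-hole route to null0 (with and without ICMP Unreachables) and the longest-match lookup that hides a subnet behind its summary, as an added simulation that is not from the book or from any Cisco software. The prefixes, interface names and administrative distances are constructed placeholders for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed routing entries (not the book's table):
# (prefix, next hop or outgoing interface, administrative distance).
NULL_ROUTE = (ip_network("10.0.0.0/8"), "Null0", 1)        # static route to the null interface
DYNAMIC_DUP = (ip_network("10.0.0.0/8"), "Serial0", 120)   # same prefix heard from RIP, AD 120
AGGREGATE = (ip_network("172.16.0.0/20"), "Serial0", 90)   # summary learned over the WAN
SPECIFIC = (ip_network("172.16.5.0/29"), "Ethernet1", 90)  # subnet that the summary hides

def install(routes):
    """Keep one entry per prefix: the lowest administrative distance wins,
    so the static (AD 1) route overrides a dynamically learned duplicate."""
    table = {}
    for prefix, nexthop, ad in routes:
        if prefix not in table or ad < table[prefix][1]:
            table[prefix] = (nexthop, ad)
    return table

def lookup(table, dst):
    """Longest-prefix match: of all entries containing dst, return the next hop
    of the one with the longest mask. None means there is no route."""
    dst = ip_address(dst)
    best = None
    for prefix, (nexthop, _ad) in table.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None

def forward(table, dst, ip_unreachables=True):
    """The forwarding decision: a Null0 next hop drops the packet, and the
    router sends an ICMP Unreachable unless 'no ip unreachables' is set."""
    nexthop = lookup(table, dst)
    if nexthop is None:
        return "no route"
    if nexthop == "Null0":
        return "dropped, ICMP unreachable sent" if ip_unreachables else "dropped silently"
    return f"forwarded via {nexthop}"

# With summarization, only the /20 aggregate is known, so hosts in the /29 are
# sent out Serial0; without it, the /29 is present and becomes the longest match.
SUMMARIZED = install([DYNAMIC_DUP, NULL_ROUTE, AGGREGATE])
UNSUMMARIZED = install([DYNAMIC_DUP, NULL_ROUTE, AGGREGATE, SPECIFIC])

if __name__ == "__main__":
    print(forward(SUMMARIZED, "10.20.30.40"))                        # black hole, ICMP sent
    print(forward(SUMMARIZED, "10.20.30.40", ip_unreachables=False))  # black hole, silent
    print(forward(SUMMARIZED, "172.16.5.3"))                         # via Serial0 (summary)
    print(forward(UNSUMMARIZED, "172.16.5.3"))                       # via Ethernet1 (/29)
```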