Gary Buhrmaster gtb at slac.stanford.edu
Tue Feb 20 20:26:27 GMT 2007

> Is anyone doing this (internally), and if so, how?

I have seen two common ways to accomplish this.
There are probably more interesting possibilities too.
If you are implementing uRPF (or equivalent), adding
a (ipv4)/32 route to a sacrificial block router
(where the /32 is distributed via your favorite
routing protocol to all other routers) to a
null interface on the sacrificial router blocks
traffic in both directions (incoming traffic from
the "bad" host is dropped via uRPF rules, and
all traffic targeted to the host is routed to
the null interface at your sacrificial router).
Another technique is policy routing via internal
bgp to a null routed network.  Your particular
routing architecture and/or network devices
may dictate one or the other (or sometimes
both) techniques.
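The first technique in the reply (a /32 to a sacrificial router, distributed by the IGP, with uRPF on the edge) can be modelled end to end in a few lines. The block below is an added illustration written for this page, not code from the poster or any vendor; it assumes a two-router topology with hypothetical interface names ("upstream", "inside", "to-sink", "from-edge"), strict-mode uRPF on the upstream-facing interface only, and constructed documentation-range addresses. It shows why the block works in both directions: inbound packets from the blocked host fail the strict uRPF check at the edge because the best route back to that source now points at the sacrificial router rather than the upstream interface, and outbound packets to it are carried to the sacrificial router and dropped on its null interface.

```python
"""Model of the "/32 to a sacrificial router" block described in the reply.

Two routers: an edge router running strict uRPF on its upstream interface,
and a sacrificial router ("sink") whose only job is to null-route the
blocked host.  All addresses and interface names are constructed examples.
"""
import ipaddress

NULL0 = "Null0"  # the null interface: anything routed here is dropped


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (network, egress interface)

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, src, dst, in_iface, strict_urpf=False):
        """Return ('drop', reason) or ('forward', egress_iface)."""
        if strict_urpf:
            # Strict uRPF: the best route back to the source must point at
            # the interface the packet arrived on, otherwise drop it.
            if self.lookup(src) != in_iface:
                return ("drop", "urpf")
        out = self.lookup(dst)
        if out is None:
            return ("drop", "no-route")
        if out == NULL0:
            return ("drop", "null-route")
        return ("forward", out)


def build_topology():
    """Edge router plus sacrificial router, before any host is blocked."""
    edge = Router("edge")
    edge.add_route("0.0.0.0/0", "upstream")   # default toward the Internet
    edge.add_route("10.0.0.0/8", "inside")    # internal networks (constructed)
    sink = Router("sink")                      # the sacrificial router
    sink.add_route("0.0.0.0/0", "from-edge")   # everything else goes back to the edge
    return edge, sink


def install_blackhole(edge, sink, bad_host):
    """Null-route bad_host on the sink and give the edge the /32 the IGP
    would distribute, pointing at the interface that faces the sink."""
    sink.add_route(f"{bad_host}/32", NULL0)
    edge.add_route(f"{bad_host}/32", "to-sink")


def trace(edge, sink, src, dst, in_iface):
    """Forward one packet at the edge (strict uRPF only on the upstream
    interface); if the edge sends it toward the sink, let the sink decide."""
    verdict = edge.forward(src, dst, in_iface, strict_urpf=(in_iface == "upstream"))
    if verdict == ("forward", "to-sink"):
        verdict = sink.forward(src, dst, "from-edge")
    return verdict


if __name__ == "__main__":
    edge, sink = build_topology()
    print("before block, inbound :", trace(edge, sink, "203.0.113.7", "10.1.1.1", "upstream"))
    install_blackhole(edge, sink, "203.0.113.7")
    print("after block, inbound  :", trace(edge, sink, "203.0.113.7", "10.1.1.1", "upstream"))
    print("after block, outbound :", trace(edge, sink, "10.1.1.1", "203.0.113.7", "inside"))
    print("unrelated host inbound:", trace(edge, sink, "198.51.100.5", "10.1.1.1", "upstream"))
```

The model makes the dependency explicit: if the edge ran loose-mode uRPF (source merely needs some route) instead of strict mode, the inbound direction would not be dropped, because the /32 pointing at the sacrificial router is a valid route. That is why the reply says "uRPF (or equivalent)" and why the second technique, a null-routed next hop carried by iBGP, is preferred where strict uRPF is not available.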


