Detailed explanation of Null0 interface and routing black hole generated after the completion of the NAT gateway on the Internet
When it comes to the Null0 interface, we first need to look at black hole routing. As the name implies, a black hole route sucks in all irrelevant traffic so that it never comes back out, much like digging a vast deep pit beside the road during a flood and channelling the flood water into it. A black hole route is actually a special static route: once packets whose destination address falls within the configured CIDR block arrive at the device, they are discarded.

The biggest advantage of a black hole route is that it makes full use of the router's layer-3 packet forwarding capability, so it has very little impact on system load. The CPU does not need to perform any special processing to discard the packets, and therefore dropping a large volume of packets does not consume the device's CPU resources! For example, when the administrator creates a route entry that points a destination address at the Null0 interface, the impact on system load is minimal; if the same function is implemented with an ACL (Access Control List) instead, CPU usage rises significantly as traffic increases. Therefore, configuring a black hole route is always the best solution for DoS attacks aimed at a fixed destination.

The characteristics of black hole routing can also be used to avoid routing loops in real networks. The following black hole route configuration effectively prevents such a loop:

ip route 1.1.0.0 255.255.248.0 Null0

In addition, when learning about summarization in the dynamic routing protocol (VPC), whether automatic or manual, a summary route entry with an administrative distance of 5 pointing to the Null0 interface is generated in the local routing table to prevent routing loops! The Null0 entry created by the summary matches addresses according to the longest-match principle.
If no more specific route entry matches but the route entry automatically generated by the summary does, the packet is discarded via Null0. The following example illustrates the loop-prevention mechanism of the Null0 interface. Assume there are two routers, R1 and R2. Router R1 has four subnets: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24.

Router R1 configuration:

On router R1 we have configured a manual summary and a default route pointing to router R2. Because R1 is configured with a summary, it advertises the summary route 192.168.0.0/16 to router R2. Now suppose the specific route 192.168.1.0/24 on R1 suddenly goes down. The summary route on router R2 does not change. Without the Null0 interface, when R2 receives a packet destined for 192.168.1.0/24 it forwards the packet to R1: R2 looks up the destination according to the longest-match principle of the routing table, and although no detailed entry matches, the summary route 192.168.0.0/16 does. Since the route 192.168.1.0/24 on R1 is down, R1 can only forward the packet back to R2 via its default route; R2 forwards it to R1 again, and so on, so a loop forms between R1 and R2.

Automatic or manual summarization generates, in the local routing table, a summary route entry with an administrative distance of 5 pointing to the Null0 interface. When R1 receives the packet for 192.168.1.0/24 from R2, R1 finds that 192.168.1.0/24 falls within the summary route 192.168.0.0/16, which points to Null0; the packet is discarded at R1 and the loop is removed!

Note: In later IOS versions, once the summary route does not contain a detailed route for the packet's destination, the packet is forwarded directly to the Null0 port and discarded rather than following the default route.
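The following is an added example, not part of the original article: a small longest-prefix-match forwarding simulator that reproduces the R1/R2 scenario above (with and without the summary's Null0 entry) and the plain static black hole route ip route 1.1.0.0 255.255.248.0 Null0. The router names EDGE and ISP, the host addresses used as packet destinations, the 203.0.113.0/24 prefix on ISP and the TTL value are assumptions made for the example.

```python
# Added example (not from the original article): a minimal longest-prefix-match
# forwarding simulator. It reproduces the R1/R2 loop from the article, shows the
# summary's Null0 entry breaking it, and models a static black hole route.
# Router names, the hypothetical host addresses and the TTL are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # neighbour router name, "connected", or "Null0"
    admin_distance: int = 1


def rt(prefix, next_hop, admin_distance=1):
    """Shorthand to build a Route from a prefix string."""
    return Route(ipaddress.ip_network(prefix), next_hop, admin_distance)


class Router:
    def __init__(self, name, routes):
        self.name = name
        self.routes = list(routes)

    def lookup(self, dst):
        """Longest-prefix match; a lower administrative distance breaks ties."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def forward(routers, start, dst, ttl=64):
    """Trace a packet hop by hop. Returns (outcome, list of routers visited)."""
    path = [start]
    current = start
    while ttl > 0:
        route = routers[current].lookup(dst)
        if route is None:
            return "no-route", path
        if route.next_hop == "Null0":
            return "dropped-null0", path      # black hole: silently discarded
        if route.next_hop == "connected":
            return "delivered", path
        current = route.next_hop
        path.append(current)
        ttl -= 1
    return "ttl-expired", path                # packet bounced until TTL ran out


def build_topology(null0_summary, subnet_down=None):
    """R1 owns 192.168.1-4.0/24 and defaults to R2; R2 only knows the summary."""
    r1_routes = [rt(f"192.168.{i}.0/24", "connected") for i in range(1, 5)
                 if f"192.168.{i}.0/24" != subnet_down]
    r1_routes.append(rt("0.0.0.0/0", "R2"))
    if null0_summary:
        # discard route that summarization installs (AD 5, as the article states)
        r1_routes.append(rt("192.168.0.0/16", "Null0", admin_distance=5))
    r2_routes = [rt("192.168.0.0/16", "R1")]   # summary advertised by R1
    return {"R1": Router("R1", r1_routes), "R2": Router("R2", r2_routes)}


def demo():
    """Returns the outcomes of the scenarios discussed in the article."""
    results = {}
    # 1. 192.168.1.0/24 is down and R1 has no Null0 summary: R1 and R2 ping-pong.
    net = build_topology(null0_summary=False, subnet_down="192.168.1.0/24")
    results["loop"] = forward(net, "R2", "192.168.1.10")
    # 2. Same failure, but the summary's Null0 entry is present: dropped at R1.
    net = build_topology(null0_summary=True, subnet_down="192.168.1.0/24")
    results["null0"] = forward(net, "R2", "192.168.1.10")
    # 3. A subnet that is still up wins by longest match over the /16 to Null0.
    results["delivered"] = forward(net, "R2", "192.168.2.10")
    # 4. Plain static black hole, equivalent to: ip route 1.1.0.0 255.255.248.0 Null0
    #    (EDGE, ISP and 203.0.113.0/24 are constructed for this example)
    edge = {"EDGE": Router("EDGE", [rt("1.1.0.0/21", "Null0"), rt("0.0.0.0/0", "ISP")]),
            "ISP": Router("ISP", [rt("203.0.113.0/24", "connected")])}
    results["blackhole"] = forward(edge, "EDGE", "1.1.3.5")
    results["normal"] = forward(edge, "EDGE", "203.0.113.7")
    return results


if __name__ == "__main__":
    for name, (outcome, path) in demo().items():
        print(f"{name:10s} {outcome:14s} {' -> '.join(path)}")
```

Running the script shows the first scenario bouncing between R2 and R1 until the TTL expires, while the second is discarded at R1 after a single hop because the /16 entry pointing to Null0 is a longer match than the default route. The model only captures destination-based forwarding; the real routers also need the summary's Null0 entry to lose to any more specific route that is still up, which the third scenario confirms.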
So, when summarizing in the VPN, try to disable auto-summary and use manual, detailed summaries instead! In OSPF and IS-IS, we also recommend creating a Null0 route to avoid loops!