Summary

This chapter showed you the basics of protecting your routing protocols, as well as using your routing protocols to provide an extra layer of protection on your perimeter router. To prevent routing protocol attacks, you should implement MD5 authentication. Not all routing protocols support this feature, but most do. Previously in this book, I discussed the use of ACLs to drop unwanted traffic, such as bogons. However, this can be done more efficiently through routing, with black hole routing, which sends unwanted traffic to the router's null interface. This can be accomplished with a variety of methods, including static routes, route maps, and prefix lists (BGP only). If your router supports CEF and has a single Internet connection, I highly recommend that you use unicast RPF instead of black hole routing to prevent spoofing, because little configuration is needed to set up RPF: it uses the current routing table (the CEF FIB) to detect spoofing. In addition, RPF can easily be used with other Cisco IOS features, such as ACL filtering.
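The following sketch is an added example, not code from the book or from Cisco IOS: it models the strict-mode RPF check against a FIB to show how spoofed and black-holed sources are dropped, and why a second Internet link with asymmetric routing causes false drops. The interface names, prefixes, and both tables are constructed for illustration.

```python
import ipaddress

# Constructed FIBs (prefix -> egress interface); names and prefixes are assumptions.
SINGLE_HOMED = {
    "0.0.0.0/0": "Serial0",       # only Internet link
    "192.0.2.0/24": "Ethernet0",  # internal LAN
    "10.0.0.0/8": "Null0",        # black-holed bogon range
}
DUAL_HOMED = {
    "0.0.0.0/0": "Serial0",       # preferred upstream
    "198.51.100.0/24": "Serial1", # second upstream, used for one prefix only
    "192.0.2.0/24": "Ethernet0",
}

def fib_lookup(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rpf_accepts(fib, src, in_iface):
    """Strict check: the best route back to src must leave via the arrival
    interface. A source that resolves to Null0 can never match, so it is dropped."""
    return fib_lookup(fib, src) == in_iface

if __name__ == "__main__":
    cases = [
        (SINGLE_HOMED, "198.51.100.7", "Serial0"),   # normal Internet source
        (SINGLE_HOMED, "192.0.2.10", "Serial0"),     # internal address arriving from outside
        (SINGLE_HOMED, "10.1.1.1", "Serial0"),       # bogon routed to Null0
        (SINGLE_HOMED, "203.0.113.5", "Ethernet0"),  # inside host forging an outside source
        (DUAL_HOMED, "203.0.113.5", "Serial1"),      # legitimate but asymmetric return path
    ]
    for fib, src, iface in cases:
        verdict = "accept" if strict_rpf_accepts(fib, src, iface) else "drop"
        print(f"{src:>14} in on {iface:<9} -> {verdict}")
```

The last case is the reason the single-connection condition matters: the packet is legitimate, but the best route back to its source points at the other upstream link, so the strict check drops it.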

Next up is Part VII, "Detecting and Preventing Attacks," which shows you how to detect and prevent DoS and other types of attacks, as well as how to use logging to keep track of attempted and successful attacks.