10.6 Using an Alternative to Access Lists
10.6.1 The null 0 interface
You cannot get the benefits of access lists or CBAC without paying a price. If you apply an access list to an interface, you force the router to check each packet that passes through it, resulting in increased latency. In some cases, however, you can secure your network without impacting performance. If you want to restrict all traffic to a particular destination, you can configure a static route to null0.

The null0 interface is a software-only interface that functions as a "destination" for discarded information. In a sense, null0 is a garbage bin.

Instead of using an access list to filter traffic destined for network 10.0.0.0/8, you can configure a static route to null0, with the same result:

RTA(config)#ip route 10.0.0.0 255.0.0.0 null0

RTA will install a route to the 10.0.0.0/8 network into its routing table. That route points to null0. So, when RTA receives traffic destined for 10.0.0.0/8, it will perform a table lookup, find the route, and send the packets to null0. The end result? Traffic destined for 10.0.0.0/8 cannot pass through RTA because it is routed to nowhere.

Static routes to null0 can be used as traffic filters only when you want to completely prohibit a destination network. Filtering based on source address would have to be done using a route map.

The figure compares filtering with an access list to filtering with a route to null0. A route to null0 makes far fewer demands on the router's CPU. There are no access list statements that have to be matched when the packet is received. Essentially, the packet is routed to nowhere.
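
The following added example (not part of the original text, and not router code) models the two approaches in Python: a longest-prefix-match lookup containing the null0 route from above, beside a top-down access list that denies the same destination. It goes slightly beyond the text by showing that a more-specific route still forwards traffic past the null route. The interface names Serial0/0 and Serial0/1, the 10.1.1.0/24 route, and the default route are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table for RTA: (prefix, exit interface).
# Only the Null0 entry comes from the text; the other two are assumed.
ROUTES = [
    ("10.0.0.0/8", "Null0"),        # ip route 10.0.0.0 255.0.0.0 null0
    ("10.1.1.0/24", "Serial0/0"),   # assumed more-specific route
    ("0.0.0.0/0", "Serial0/1"),     # assumed default route
]

# The access-list alternative: (action, source, destination), checked in order.
ACL = [
    ("deny", "0.0.0.0/0", "10.0.0.0/8"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]


def route_lookup(dst, routes):
    """Longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, exit_if in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_if)
    return best[1] if best else None


def forward_with_null_route(src, dst, routes=ROUTES):
    """src is never consulted, so a null route cannot filter by source."""
    exit_if = route_lookup(dst, routes)
    return "drop" if exit_if in (None, "Null0") else "forward via " + exit_if


def forward_with_acl(src, dst, acl=ACL, routes=ROUTES):
    """First matching statement wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            if action == "deny":
                return "drop"
            # Permitted: route normally, using a table without the null route.
            plain = [r for r in routes if r[1] != "Null0"]
            return forward_with_null_route(src, dst, plain)
    return "drop"


if __name__ == "__main__":
    for dst in ("10.2.3.4", "10.1.1.7", "172.16.0.1"):
        print(dst, "| null route:", forward_with_null_route("192.168.1.5", dst),
              "| ACL:", forward_with_acl("192.168.1.5", dst))
```

A packet to 10.1.1.7 is dropped by the access list but forwarded by the routing table, because the /24 entry is a longer match than the /8 route to null0; check for more-specific routes before relying on a null route as a filter.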