You cannot get the benefits of access lists or CBAC without paying a price. If you apply an access list to an interface, you force the router to check each packet that passes through it, resulting in increased latency. In some cases, however, you can secure your network without impacting performance. If you want to restrict all traffic to a particular destination, you can configure a static route to null0.
The null0 interface is a software-only interface that functions as a "destination" for discarded information. In a sense, null0 is a garbage bin.
Instead of using an access list to filter traffic destined for network 10.0.0.0/8, you can configure a static route to null0, with the same result:

RTA(config)#ip route 10.0.0.0 255.0.0.0 null0
RTA installs a route to the 10.0.0.0/8 network in its routing table, and that route points to null0. When RTA receives traffic destined for 10.0.0.0/8, it performs a table lookup, finds the route, and sends the packets to null0. The end result? Traffic destined for 10.0.0.0/8 cannot pass through RTA because it is routed to nowhere.
Static routes to null0 can be used as traffic filters only when you want to completely prohibit a destination network. Filtering based on source address would have to be done using a route map.
The figure compares filtering with an access list to filtering with a route to null0. A route to null0 makes far fewer demands on the router's CPU: there are no access-list statements that have to be matched when the packet is received. Essentially, the packet is routed to nowhere.
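As an added illustration (not from the original text), the following Python model reproduces the lookup RTA performs once the null0 route is installed; the other routes, interface names and addresses are assumed. It also shows two points the text implies: the source address is never consulted, and an assumed more specific route into part of 10.0.0.0/8 overrides the null0 route for that part, because the lookup is longest-prefix-match.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, outgoing interface); "Null0" means discard

# Constructed routing table for RTA after the command from the text,
#   RTA(config)#ip route 10.0.0.0 255.0.0.0 null0
# has been entered. The other routes and interface names are assumed.
RTA_ROUTES: List[Route] = [
    ("0.0.0.0/0", "Serial0"),         # assumed default route
    ("192.168.1.0/24", "Ethernet0"),  # assumed directly connected LAN
    ("10.0.0.0/8", "Null0"),          # the static route to null0
]

# Same table with an assumed more-specific route into part of 10/8.
# Longest-prefix match means this route wins over the /8 to Null0.
HOLE_ROUTES: List[Route] = RTA_ROUTES + [("10.1.0.0/16", "Serial1")]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, the per-packet work a router always does.

    Returns the outgoing interface of the most specific matching route,
    or None if nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best_net = None
    best_iface = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward(routes: List[Route], src: str, dst: str) -> str:
    """Return "drop" when the lookup lands on Null0 (or no route exists),
    otherwise the egress interface.

    Only dst is consulted: a null0 route cannot filter on the source
    address, which is why the text points to route maps for that case.
    """
    del src  # deliberately unused: destination-based forwarding only
    iface = lookup(routes, dst)
    if iface is None or iface == "Null0":
        return "drop"
    return iface
```

On a real router, packets discarded via null0 generate ICMP unreachable messages by default; `no ip unreachables` under `interface Null0` suppresses them.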