The goal of a router is to send network traffic to its destination based on its routing table. Some times its necessary to prevent traffic form flowing through a router. This can typically be achieved with access control lists, but a cost. ACLs, particularly long and complicated ones, come with the cost of performance. When preventing access to an entire subnet it is possible to simply route traffic into a “black hole” where it will be discarded. This is achieved without using an ACL.
I could talk about this more but why not just learn by example? For instance, let’s say there is a subnet or host that is bad news, is trying to attack our network or is for some other reason communications are not desirable with. Lets use 220.127.116.11 as an example host.
We can discard traffic to this host by doing something like this:
router1(config)# ip route 18.104.22.168 255.255.255.255 null 0
This will discard traffic to a particular host only. You can widen the range of IP’s by specifying the subnet mask accordingly.
router1(config)# ip route 22.214.171.124 255.255.255.252 null 0
This would prevent traffic to 126.96.36.199-4. If you understand host subnetting works you can take this and apply it almost anywhere.
Another consideration with routing to this interface is that an ICMP destination unreachable message will be generated when traffic hits the null interface. To quiet this down we will want to disable ICMP unreachable messages on the null interface like this:
router1 (config)#interface null 0 router1 (config-if)#no ip unreachables router1(config-if)#exit
I mentioned this is more efficient then using ACLs. One issue, however, is that you cannot log traffic the way you would with the “log” command in an ACL example like this:
access-list 1 deny 188.8.131.52 0.0.0.3 log access-list permit any any
With the null 0 interface you actually get a more robust option; NetFlow. To configure NetFlow exporting form your null 0 interface you will want to configure the router similarly to my example below:
router1 (config)#interface null 0 router1 (config-if)#ip route-cache flow router1(config-if)#exit router1(config)#ip flow-export <netflow server> <netflow port> version <version>
I hope this introduction has been useful to someone. As always, feel free to let comments, questions or suggestions!