Prevent IP Access by Routing to Null

The goal of a router is to send network traffic to its destination based on its routing table. Sometimes it is necessary to prevent traffic from flowing through a router. This can typically be achieved with access control lists, but at a cost: ACLs, particularly long and complicated ones, cost forwarding performance. When preventing access to an entire subnet it is possible to simply route traffic into a "black hole" where it will be discarded. This is achieved without using an ACL.

I could talk about this more, but why not just learn by example? For instance, let's say there is a subnet or host that is bad news: it is trying to attack our network, or for some other reason we do not want to communicate with it. Let's use 1.1.1.1 as an example host.
We can discard traffic to this host by doing something like this:

router1(config)# ip route 1.1.1.1 255.255.255.255 null 0

This will discard traffic to a particular host only. You can widen the range of IPs by specifying the subnet mask accordingly.

router1(config)# ip route 1.1.1.0 255.255.255.252 null 0

This would prevent traffic to 1.1.1.0-4. If you understand how host subnetting works, you can take this and apply it almost anywhere.
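The two static routes above, worked through as an added example that is not from the original post: it builds the blackhole route line for a network and mask, lists the hosts the mask actually covers, and simulates the router's longest-prefix-match lookup so you can check which destinations get discarded. The default route's next hop 192.0.2.1 is an assumption; the override check shows the caveat that a more specific route from elsewhere always beats a wider null route.

```python
import ipaddress

# Constructed routing table for this example: an assumed default route toward an
# upstream next hop plus the two blackhole routes from the post. "Null0" marks a
# discard route.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1"),  # assumed upstream next hop
    (ipaddress.ip_network("1.1.1.1/32"), "Null0"),     # ip route 1.1.1.1 255.255.255.255 null 0
    (ipaddress.ip_network("1.1.1.0/30"), "Null0"),     # ip route 1.1.1.0 255.255.255.252 null 0
]


def blackhole_route(network: str, mask: str) -> str:
    """Return the IOS static route that discards traffic for network/mask.

    strict=True raises ValueError when host bits are set (e.g. 1.1.1.1 with a
    /30 mask), so a typo cannot silently blackhole a different block than intended.
    """
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    return f"ip route {net.network_address} {net.netmask} null 0"


def covered_hosts(network: str, mask: str) -> tuple:
    """First and last address that the mask covers, as strings."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    return str(net[0]), str(net[-1])


def lookup(dst: str, routes=ROUTES) -> str:
    """Longest-prefix match, the same rule the forwarding table applies:
    the most specific matching route wins. Returns the next hop or 'Null0'."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    net, hop = max(matches, key=lambda r: r[0].prefixlen)
    return hop


def is_discarded(dst: str, routes=ROUTES) -> bool:
    """True when the router would drop packets for dst into the null interface."""
    return lookup(dst, routes) == "Null0"


def overridden_by_more_specific(dst: str) -> bool:
    """Caveat check: a narrower route (here a constructed /31 via 10.0.0.9, as a
    dynamically learned route might be) takes precedence over the /30 blackhole."""
    extra = ROUTES + [(ipaddress.ip_network("1.1.1.0/31"), "10.0.0.9")]
    return not is_discarded(dst, extra)
```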
Another consideration when routing to this interface is that the router generates an ICMP destination unreachable message for every packet that hits the null interface. To quiet this down we will want to disable ICMP unreachable messages on the null interface like this:

router1(config)# interface null 0
router1(config-if)# no ip unreachables
router1(config-if)# exit

I mentioned this is more efficient than using ACLs. One issue, however, is that you cannot log traffic the way you would with the "log" keyword in an ACL, as in this example:

access-list 1 deny 1.1.1.0 0.0.0.3 log
access-list 1 permit any

With the null 0 interface you actually get a more robust option: NetFlow. To configure NetFlow exporting from your null 0 interface you will want to configure the router similarly to my example below:

router1(config)# interface null 0
router1(config-if)# ip route-cache flow
router1(config-if)# exit
router1(config)# ip flow-export destination <netflow server> <netflow port>
router1(config)# ip flow-export version <version>

I hope this introduction has been useful to someone. As always, feel free to leave comments, questions or suggestions!
