804 Views | 0 Helpful | 2 Replies

Filtering alternative using null0

Hello experts !

Just out of curiosity ... I have an access list that filters unwanted traffic from the internal network, permitting only the allowed range, as shown below:

!
ip access-list standard IntraIPs
 permit 10.10.1.0 0.0.255.255
 deny   any log
!

and applied it inbound on the interface facing the local network.

!
interface GigabitEthernet0/1.1
 description Office
 encapsulation dot1Q 1 native
 ip address 10.10.1.254 255.255.255.0
 ip access-group IntraIPs in
 ip flow ingress
 ip flow egress
 no cdp enable
end
!

My question is ... Is it possible to use IP route filtering to the Null0 interface as an alternative? Or is there any other way to use the Null0 interface to filter unwanted traffic from the local network?

 

Thanks for your reply.

2 Replies

Hello,

 

Very good question. I guess both access lists and null routes work. I did some testing to find out which uses more CPU, but it seems to be about the same.

 

In order to achieve the same result as the access list, you would probably need PBR, because otherwise the null route would simply block traffic originating from anywhere in your network. Here is an example where PBR would block access from 10.10.1.0/24 to 192.168.1.0/24 but allow anything else:

access-list 101 permit ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map DENY_192_168_1_0 permit 10
 match ip address 101
 set interface Null0
!
route-map DENY_192_168_1_0 permit 20
!
interface GigabitEthernet0/1.1
 ip policy route-map DENY_192_168_1_0
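To make the difference between the three mechanisms in this thread concrete, here is an added Python model (not code from the thread or from Cisco) of IOS wildcard-mask matching, the questioner's standard ACL, the reply's PBR route-map, and a plain static null route. The null route is a constructed assumption (`ip route 192.168.1.0 255.255.255.0 Null0`) chosen to match the reply's 192.168.1.0/24 example; all sample flows are constructed. It also reports what `permit 10.10.1.0 0.0.255.255` actually covers, which is a useful check before relying on such an entry.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: every bit that is 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def covered_network(base: str, wildcard: str) -> str:
    """Network an 'address wildcard' pair really covers (contiguous wildcards only)."""
    try:
        # ipaddress treats a mask starting with a zero octet as a hostmask (= wildcard)
        return str(ipaddress.ip_network(f"{base}/{wildcard}", strict=False))
    except ValueError:
        return "non-contiguous wildcard"


# The questioner's standard ACL as (action, source, wildcard); IOS adds an implicit deny.
INTRA_IPS = [
    ("permit", "10.10.1.0", "0.0.255.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]


def standard_acl(acl, src: str) -> str:
    """Standard ACL: first matching entry wins, matched on source address only."""
    for action, base, wc in acl:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


# The reply's extended ACL 101 as (action, src, src_wc, dst, dst_wc).
ACL_101 = [("permit", "10.10.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]


def extended_acl_permits(acl, src: str, dst: str) -> bool:
    """True when a permit entry matches; this is what 'match ip address 101' tests."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# Constructed plain null route: 'ip route 192.168.1.0 255.255.255.0 Null0'.
# A null route is looked up on destination only; the source is never consulted.
NULL_ROUTES = [ipaddress.ip_network("192.168.1.0/24")]


def null_route_drops(dst: str) -> bool:
    return any(ipaddress.ip_address(dst) in net for net in NULL_ROUTES)


def pbr_drops(src: str, dst: str) -> bool:
    # route-map DENY_192_168_1_0 permit 10: match ip address 101 -> set interface Null0
    # permit 20 has no match clause, so everything else is routed normally.
    return extended_acl_permits(ACL_101, src, dst)


def classify(src: str, dst: str) -> dict:
    """Decision of each mechanism for one ingress flow."""
    return {
        "standard_acl": standard_acl(INTRA_IPS, src),
        "null_route": "drop" if null_route_drops(dst) else "forward",
        "pbr": "drop" if pbr_drops(src, dst) else "forward",
    }


if __name__ == "__main__":
    print("permit 10.10.1.0 0.0.255.255 covers", covered_network("10.10.1.0", "0.0.255.255"))
    flows = [("10.10.1.5", "192.168.1.10"), ("10.10.2.5", "192.168.1.10"),
             ("10.20.1.5", "192.168.1.10"), ("10.10.1.5", "203.0.113.9")]
    for src, dst in flows:
        print(f"{src:>10} -> {dst:<14} {classify(src, dst)}")
```

The second flow is the one the reply is warning about: a host in 10.10.2.0/24 toward 192.168.1.0/24 is dropped by the null route (destination only) but forwarded by the PBR route-map, because ACL 101 only matches sources in 10.10.1.0/24. The `covered_network` line also shows that the questioner's `permit 10.10.1.0 0.0.255.255` admits all of 10.10.0.0/16, not just the 10.10.1.0/24 configured on the interface.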

Hello Georg,
Thank you for your reply. If I want to allow only a specific network to have access while denying the rest of the traffic originating from that network, how should I do it? Thank you.