Alternatives to access lists
The CPU costs incurred by access lists can be quite high. For this reason, Cisco routers offer a number of alternatives to using access lists for security. I’ll discuss them here.
Routing to the null interface
Occasionally, you may encounter a network or a single host that you absolutely do not trust. In a company, this could be a segment where known outsiders and potentially hostile people are working, or perhaps a lab network that has different Internet access. It could also be a DMZ or a system on the DMZ such as a dial-in terminal server, where you may have some doubts about the security on that network or who is on that system. In any case, the systems and data that you want to protect may be so sensitive that you don’t want to take any chances with traffic or data flowing to the untrustworthy network or host. One tactic you can use for absolute certainty is to route all traffic to a null device with a static route. Here, I use a static route to drop all traffic going to network 192.168.29.0/24:
ip route 192.168.29.0 255.255.255.0 null0
This static route configuration command sends all traffic to network 192.168.29.0 on to a null device, effectively throwing away all packets going to that network. This is a succinct way to completely eliminate traffic going to a given network. Dropping all traffic to a host is much more common. If we were to drop all traffic going to host 192.168.29.1, we would use the route command:
ip route 192.168.29.1 255.255.255.255 ...
Get Cisco IOS Access Lists now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.