IOS ACL deny vs. null-route

Oct 2nd, 2008

Apologies for what may be an overly-elementary question.

If I wish to block all traffic from one or more IP ranges at a public-facing border router running IOS, which is more efficient from the router's point of view: an access-list deny for the address range, or a static route for that range to Null0?

Jon Marshall Thu, 10/02/2008 - 12:13

No need to apologize.

You need to use an ACL entry because a static route would only work with the return traffic, because with incoming traffic the destination is one of your address ranges.

And if you are worried about that range you don't want to allow the traffic in at all.
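
The reasoning in this answer, modelled as an added example that is not part of the original thread: a route lookup only ever looks at the destination address, while an inbound ACL can match on the source. The prefixes are constructed documentation ranges, and the function and variable names are hypothetical.

```python
import ipaddress as ip

# Constructed sample addressing (documentation prefixes, not from the thread).
BLOCKED = ip.ip_network("203.0.113.0/24")   # range we want to keep out
INSIDE = ip.ip_network("198.51.100.0/24")   # our own public range
ANY = ip.ip_network("0.0.0.0/0")

# Routing table containing a null route for the blocked range.
ROUTES = [(INSIDE, "inside"), (BLOCKED, "Null0"), (ANY, "outside")]

# ACL applied inbound on the outside interface: (action, source network).
ACL_IN = [("deny", BLOCKED), ("permit", ANY)]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match on the DESTINATION address only."""
    dst = ip.ip_address(dst)
    matches = [(net, out) for net, out in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def acl_check(src, acl):
    """First-match evaluation on the SOURCE address, implicit deny at the end."""
    src = ip.ip_address(src)
    for action, net in acl:
        if src in net:
            return action
    return "deny"


def forward(src, dst, acl=None):
    """Where a packet ends up; acl is the inbound ACL of the arrival interface."""
    if acl is not None and acl_check(src, acl) == "deny":
        return "dropped-by-acl"
    return route_lookup(dst)


if __name__ == "__main__":
    # Null route only: the packet from the blocked range still reaches the host.
    print("inbound, null route only:", forward("203.0.113.7", "198.51.100.10"))
    # Only the host's reply is discarded, after the packet was already delivered.
    print("reply,   null route only:", forward("198.51.100.10", "203.0.113.7"))
    # Inbound ACL: the packet is dropped at the border before any route lookup.
    print("inbound, ACL applied:    ",
          forward("203.0.113.7", "198.51.100.10", acl=ACL_IN))
```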


