CCNA 200-301 | Chapter 212 of 260 | Objective 3.3

Null0 Routes and Route Filtering

Null0 routes and route filtering are essential tools for controlling traffic flow and securing networks at the routing level. On the CCNA 200-301 exam, understanding how to use the Null0 interface to blackhole traffic and how to filter routes with distribute lists, prefix lists, and route maps supports the 'IP Connectivity' domain, where objective 3.3 covers static routes (including a static route whose outgoing interface is Null0). Real network engineers rely on these techniques to prevent routing loops, drop unwanted traffic, and control route advertisement in complex environments.

25 min read
Intermediate
Updated May 31, 2026

The Sinkhole and the Bouncer

Imagine a large office building with a central mailroom. The mailroom receives all incoming packages and decides where to send them. Now, suppose the building wants to block packages from a known scam company. They could instruct the mailroom to simply discard any package from that company — that's a Null0 route: traffic destined to a specific address is sent into a 'black hole' and dropped. But the building also has a policy: no packages from outside the city should be delivered to the executive floor. The mailroom doesn't need to know every street in the city; instead, they check a list of allowed senders (prefix list) before forwarding. If a package doesn't match, it's rejected. This is route filtering: controlling which routes are accepted or advertised. The mailroom also uses a 'bouncer' (distribute list) that stands at the door of the routing table, checking each route against an access list before allowing it in. If the route is from an untrusted neighbor, it's turned away. The bouncer doesn't care about the content of the package, only the source and destination labels. Together, the sinkhole (Null0) and the bouncer (filtering) keep the network clean and secure.

How It Actually Works

What is a Null0 Route?

A Null0 route is a static route whose outgoing interface is Null0. Null0 is a virtual interface on Cisco routers that is always up and acts as a packet sink: anything forwarded to it is discarded in the forwarding plane rather than queued or transmitted, with no further processing. One detail that matters in practice: by default IOS still generates (rate-limited) ICMP unreachable messages for packets it drops into Null0, exactly as it does for an ACL deny, and generating those messages is CPU work on the route processor. To make the black hole genuinely silent and to keep an attack from turning into a CPU problem, configure `no ip unreachables` under `interface Null0`; Cisco's blackhole and RTBH designs do this as a matter of course. Null0 routes are used for two purposes: blackholing unwanted traffic (for example, DDoS mitigation) and preventing routing loops under route summarization.

How Null0 Routes Prevent Routing Loops

Consider a hub router that points a default route (0.0.0.0/0) at its upstream and advertises a summary, say 10.1.0.0/16, that covers the spoke subnets 10.1.1.0/24, 10.1.2.0/24 and so on. The upstream forwards everything in 10.1.0.0/16 to the hub. If a packet arrives for an address in the summary that has no more-specific route (a spoke that is down, or a subnet that was never allocated, such as 10.1.9.0/24), the hub's only match is the default route, which sends the packet straight back upstream; the upstream matches the summary again and returns it, and the packet bounces between the two routers until its TTL expires. To prevent this, configure a static route for the summary itself pointing to Null0: `ip route 10.1.0.0 255.255.0.0 Null0`. Longest-prefix match still prefers the /24 routes for live spokes, and traffic for any unused part of the /16 is dropped instead of looping. EIGRP's summary-address and BGP's aggregate-address install such a discard route to Null0 automatically (EIGRP uses AD 5 for it), which is why you will see one in `show ip route` even if you never typed it.
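To make the loop concrete, here is an added hop-by-hop walk through a constructed hub-and-spoke topology, written in Python for this page; it is illustration, not router output, and the router names, the 10.1.0.0/16 summary and the unallocated 10.1.9.0/24 are assumptions. It forwards one packet with longest-prefix match, first without and then with the summary's Null0 route.

```python
"""Hop-by-hop forwarding through a constructed hub-and-spoke topology to show
why a router that advertises a summary needs a matching Null0 route.
Added illustration for this chapter; routers and addresses are assumed."""
from ipaddress import IPv4Address, IPv4Network


def lookup(rib, dst):
    """Longest-prefix match over a list of (prefix, next_hop).  next_hop is a
    router name, 'connected' for a local subnet, or 'Null0'."""
    addr = IPv4Address(dst)
    best = None
    for prefix, next_hop in rib:
        net = IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def build_tables(summary_to_null0):
    """Constructed tables.  ISP reaches 10.1.0.0/16 only through HUB (the summary
    HUB advertises); HUB has a default route back to ISP plus the live spoke /24s."""
    hub = [("0.0.0.0/0", "ISP"), ("10.1.1.0/24", "SPOKE1"), ("10.1.2.0/24", "SPOKE2")]
    if summary_to_null0:
        hub.append(("10.1.0.0/16", "Null0"))   # ip route 10.1.0.0 255.255.0.0 Null0
    return {
        "ISP": [("0.0.0.0/0", "INTERNET"), ("10.1.0.0/16", "HUB")],
        "HUB": hub,
        "SPOKE1": [("0.0.0.0/0", "HUB"), ("10.1.1.0/24", "connected")],
        "SPOKE2": [("0.0.0.0/0", "HUB"), ("10.1.2.0/24", "connected")],
        "INTERNET": [("0.0.0.0/0", "connected")],
    }


def trace(tables, start, dst, max_hops=16):
    """Forward one packet until it is delivered, dropped at Null0, or revisits a
    router (a loop that on real hardware only ends when the TTL expires)."""
    path, router = [start], start
    for _ in range(max_hops):
        hit = lookup(tables[router], dst)
        if hit is None:
            return path + ["unroutable"]
        _, next_hop = hit
        if next_hop == "Null0":
            return path + ["dropped at Null0"]
        if next_hop == "connected":
            return path + ["delivered"]
        if next_hop in path:
            return path + [next_hop, "loop"]
        path.append(next_hop)
        router = next_hop
    return path + ["loop"]


if __name__ == "__main__":
    for null0 in (False, True):
        tables = build_tables(null0)
        print("with Null0 summary:" if null0 else "without Null0 summary:")
        for dst in ("10.1.1.7", "10.1.9.5"):
            print("  ", dst, "->", " > ".join(trace(tables, "ISP", dst)))
```

Traffic for the live spoke 10.1.1.7 takes the same path either way, because the /24 always wins longest-prefix match over the /16; only the packet for the unallocated 10.1.9.5 changes from an ISP-HUB-ISP bounce to a clean drop at the hub.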

Route Filtering Overview

Route filtering is the process of controlling which routes are installed in the routing table (inbound filtering) or advertised to neighbors (outbound filtering). The primary tools in Cisco IOS are:

- Distribute lists: apply an ACL or prefix list to routes entering or leaving a routing protocol process.
- Prefix lists: a faster and more precise alternative to ACLs that match on both the prefix and its length.
- Route maps: conditional logic that matches routes on several criteria and can also set attributes.

Distribute Lists

A distribute list is configured under the routing protocol process with the distribute-list command and references either an ACL or a prefix list. With a standard ACL, the ACL's source field is compared against the route's network address, so the ACL sees only the network portion and knows nothing about the prefix length. An extended ACL can additionally match on the advertising router's address in the IGPs, but that form is rarely used. Example:

access-list 10 permit 192.168.1.0 0.0.0.255
router eigrp 100
 distribute-list 10 in

This filters inbound EIGRP updates: only routes whose network address falls in 192.168.1.0 through 192.168.1.255 pass. That includes 192.168.1.0/24, but also 192.168.1.0/25, 192.168.1.128/25 and any other subnet with those leading bits, because the ACL never sees the prefix length; everything else is stopped by the implicit deny before it reaches the routing table. For outbound filtering, use the out keyword, and the ACL then decides which routes may be advertised.

Prefix Lists

Prefix lists are more precise than ACLs because they can match both the prefix and the prefix length. The syntax is:

ip prefix-list NAME [seq number] {permit|deny} network/length [ge ge-length] [le le-length]

ge (greater-or-equal) and le (less-or-equal) specify a range of prefix lengths, and the route's leading network/length bits must match the entry's network. If neither is specified, the prefix length must match exactly; ge alone means ge-length through 32; le alone means the entry's own length through le-length.

Example: ip prefix-list BLOCK_RFC1918 seq 10 deny 10.0.0.0/8 le 32 denies all routes starting with 10.x.x.x of any length.

Prefix lists are processed in sequence order, with an implicit deny at the end.

They can be applied to distribute lists or directly to neighbor statements in BGP.
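A worked model of the matching rules above (ge/le ranges, sequence order, the implicit deny) next to the standard-ACL matching a distribute list performs, to show why only the prefix list can filter on prefix length. This is an added example written in Python for this page, not IOS code or any Cisco tool; the ALLOW_192_168, BLOCK_RFC1918 and access-list 10 entries come from this chapter, and the routes it evaluates are constructed.

```python
"""Model of how IOS evaluates a prefix list versus a standard ACL in a
distribute list.  Added illustration for this chapter, not IOS code."""
from ipaddress import IPv4Address, IPv4Network


def prefix_entry_matches(net, ge, le, route):
    """One `ip prefix-list` entry (network/length [ge n] [le n]) against one
    route.  The route must sit inside the entry's network, and its prefix
    length must fall in the range implied by ge/le: neither given means an
    exact length match, `ge` alone means ge..32, `le` alone means length..le."""
    if not route.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= route.prefixlen <= high


def evaluate_prefix_list(entries, route_str):
    """entries: (seq, action, network, ge, le).  Walk in sequence order,
    first match wins, and a route that matches nothing hits the implicit deny."""
    route = IPv4Network(route_str)
    for _seq, action, network, ge, le in sorted(entries, key=lambda e: e[0]):
        if prefix_entry_matches(IPv4Network(network), ge, le, route):
            return action
    return "deny"


def std_acl_permits(entries, route_str):
    """Standard ACL used by `distribute-list <acl> in|out`: only the route's
    network address is compared against address/wildcard.  The prefix length
    is never part of the comparison, so /24, /25 and /26 routes with the same
    leading bits are indistinguishable."""
    addr = int(IPv4Network(route_str).network_address)
    for action, address, wildcard in entries:
        care_bits = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr & care_bits) == (int(IPv4Address(address)) & care_bits):
            return action == "permit"
    return False  # implicit deny


# Lists from this chapter, written as (seq, action, network, ge, le).
ALLOW_192_168 = [(10, "permit", "192.168.0.0/16", 24, 24)]
BLOCK_RFC1918 = [
    (10, "deny", "10.0.0.0/8", None, 32),
    (20, "deny", "172.16.0.0/12", None, 32),
    (30, "deny", "192.168.0.0/16", None, 32),
    (40, "permit", "0.0.0.0/0", None, 32),  # the usual "permit everything else"
]
# access-list 10 permit 192.168.1.0 0.0.0.255
ACL_10 = [("permit", "192.168.1.0", "0.0.0.255")]

# Constructed routes, as a neighbour might advertise them.
SAMPLE_ROUTES = ["192.168.1.0/24", "192.168.1.0/25", "192.168.1.128/25",
                 "192.168.0.0/16", "10.1.1.0/24", "172.16.0.0/12", "8.8.8.0/24"]


def compare(routes=SAMPLE_ROUTES):
    """Per route: does ACL 10 let it through, and what does the prefix list
    with ge 24 le 24 decide?  Returns {route: (acl_permits, prefix_list_action)}."""
    return {r: (std_acl_permits(ACL_10, r), evaluate_prefix_list(ALLOW_192_168, r))
            for r in routes}


if __name__ == "__main__":
    for route, (acl_ok, pl_action) in compare().items():
        acl = "permit" if acl_ok else "deny"
        print(f"{route:18} acl10={acl:6} ALLOW_192_168={pl_action}")
```

The interesting rows are 192.168.1.0/25 and 192.168.1.128/25: the ACL permits both because their network addresses fall inside 192.168.1.0 0.0.0.255, while the prefix list denies both because their length is not 24. The same evaluator shows that `deny 10.0.0.0/8 le 32` catches 10.1.1.0/24 but `permit 10.0.0.0/8` with no ge/le catches only the /8 itself.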

Route Maps

Route maps are like if-then statements for routes. They can match on prefix list, metric, tag, next-hop, etc., and then set attributes like metric, tag, or next-hop. They are used in redistribution, policy-based routing, and BGP. Example:

route-map SET_METRIC permit 10
 match ip address prefix-list SPECIAL
 set metric 100

This matches routes permitted by the prefix list SPECIAL and sets their metric to 100.

Verification Commands

show ip route – displays the routing table; a static route to Null0 is listed with route code S and the text "is directly connected, Null0".

show ip route null0 – shows only routes pointing to Null0.

show ip prefix-list [name] – displays prefix list entries.

show ip protocols – shows distribute list configuration under each routing protocol.

show route-map [name] – displays route map configuration and match/set clauses.

Example output for show ip route with a Null0 route:

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S        10.0.0.0/8 is directly connected, Null0
S        10.1.1.0/24 [1/0] via 192.168.1.1

The route code is S (static), not C. The phrase 'is directly connected, Null0' only describes how the route exits: it was configured with an outgoing interface and no next-hop address, and IOS prints the same wording for any static route configured that way. The trap is to read that phrase as a connected route; always check the code in the first column.

Interaction with Dynamic Routing Protocols

A static route to Null0 can be redistributed (or matched by a BGP network statement) like any other static route, and for a summary prefix this is a standard way to originate an aggregate: neighbors send traffic for the whole block to this router, which forwards the parts it has more-specific routes for and drops the rest. What you should not do is casually redistribute a host-specific blackhole into an IGP, because every router that learns it will then forward that destination's traffic to you, and the drop happens somewhere you did not plan for. Route filtering, by contrast, directly controls what is advertised or accepted, keeping unwanted prefixes from propagating in the first place.

Walk-Through

1

Configure a Null0 route

To create a Null0 route, use the `ip route` command with the Null0 interface as the outgoing interface. For example, to blackhole traffic to 10.0.0.0/8: `ip route 10.0.0.0 255.0.0.0 Null0`. Pair it with `interface Null0` followed by `no ip unreachables`, otherwise the router answers each dropped packet with a rate-limited ICMP unreachable and spends CPU doing it. Verify with `show ip route 10.0.0.0 255.0.0.0`; the entry is coded S and reads 'is directly connected, Null0'. You can also specify an administrative distance; the default is 1, the same as any static route. A floating Null0 route with a higher AD, for example `ip route 10.0.0.0 255.0.0.0 Null0 200`, lets a dynamically learned route for the same prefix win while it exists and only drops the traffic once that route disappears.

2

Create a prefix list for filtering

Define a prefix list to match specific routes. For example, to permit only /24 prefixes in the 192.168.0.0/16 range: `ip prefix-list ALLOW_192_168 seq 10 permit 192.168.0.0/16 ge 24 le 24`. This matches any route with first two octets 192.168 and prefix length exactly 24. Use `show ip prefix-list ALLOW_192_168` to verify. Remember the implicit deny at the end; any route not explicitly permitted is denied.

3

Apply distribute list with prefix list

Under the routing protocol configuration, apply the prefix list using a distribute list. For inbound filtering on EIGRP: `router eigrp 100` then `distribute-list prefix ALLOW_192_168 in`. This filters all incoming EIGRP updates; only routes matching the prefix list are installed. For outbound filtering, use `out` instead of `in`. Verify with `show ip protocols` and look for a line such as 'Incoming update filter list for all interfaces is (prefix-list) ALLOW_192_168' under the EIGRP process.

4

Configure a route map for redistribution

Create a route map to control redistribution between protocols. For example, to redistribute OSPF into EIGRP, but only for routes matching a prefix list: `route-map OSPF_TO_EIGRP permit 10` then `match ip address prefix-list OSPF_ROUTES` and `set metric 10000 100 255 1 1500`. EIGRP needs all five metric components (bandwidth, delay, reliability, load, MTU) and has no usable default for routes redistributed from another protocol, so either set all five in the route map or configure `default-metric` under the EIGRP process; with neither, the OSPF routes are silently not redistributed. Then under EIGRP: `redistribute ospf 1 route-map OSPF_TO_EIGRP`. Use `show route-map OSPF_TO_EIGRP` to check the clauses and the match counters.

5

Verify filtering is working

After applying filters, check the routing table to ensure only the desired routes are present: `show ip route | begin 192.168`. Then check what the protocol itself received: `show ip eigrp topology` or `show ip ospf database`. For OSPF this distinction matters: a distribute list in only stops a route from being installed, so the LSA still appears in the database and is still flooded onward; the database confirms the route arrived, the routing table confirms the filter worked. If a route is missing, `debug ip routing` (carefully, and on a lab device) shows routes being added to or removed from the RIB. For prefix lists, `show ip prefix-list detail` shows hit counts; if a route is being denied by an explicit deny entry, that entry's hit count increments.

6

Troubleshoot common filtering issues

Common issues: 1) Incorrect prefix list syntax – missing `ge`/`le` means an exact-length match, which is often not what was intended. 2) Distribute list applied in the wrong direction (in vs out). 3) Implicit deny – if you forget a permit entry, all routes are denied. 4) Order of entries – prefix lists are processed top-down; first match wins. Use `show ip prefix-list` to see the sequence numbers. 5) Protocol-specific behaviour – in OSPF, a distribute list out has no effect on routes learned from other OSPF routers and only filters what an ASBR redistributes into OSPF, and a distribute list in filters the routing table rather than the link-state database. If using ACLs, remember that standard ACLs only match the network address and cannot match prefix length. For BGP, filtering is normally applied per neighbor (or per address family) with neighbor prefix-list, filter-list, or route-map.

What This Looks Like on the Job

In enterprise networks, Null0 routes are commonly used for DDoS mitigation. When a specific IP address is targeted by an attack, the network engineer can quickly inject a static Null0 route for that address (or a larger block) to drop all traffic to it, protecting internal infrastructure. At scale this is automated with RTBH (Remotely Triggered Black Hole) routing or BGP Flowspec. In RTBH, every edge router is pre-configured with a static route for a reserved discard address, typically from 192.0.2.0/24 (TEST-NET-1), pointing to Null0 with `no ip unreachables`. When an attack is detected, a trigger router announces the victim's /32 by BGP with its next hop set to that discard address; each edge router installs the route, resolves the next hop to Null0, and drops the traffic at the edge instead of carrying it across the backbone. A BGP next hop is an IP address, so the trigger cannot announce 'Null0' directly; the static route on the edges is what turns the discard address into a drop.

Route filtering is ubiquitous in redistribution scenarios. Consider a company that uses OSPF internally and EIGRP for a DMVPN network. Without filtering, OSPF routes could be redistributed into EIGRP and vice versa, potentially causing suboptimal routing or loops. A route map with prefix lists ensures only specific prefixes are exchanged. For example, only the corporate subnets (10.0.0.0/8) are allowed into EIGRP, while the DMVPN tunnels (192.168.0.0/16) are blocked from OSPF.

Another common use is filtering private IP addresses (RFC 1918) from being advertised to the internet. Service providers use prefix lists to deny 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 from customer BGP announcements. This prevents private traffic from leaking onto the public internet. Misconfiguration here can cause major outages — for example, accidentally permitting a private prefix could cause that traffic to be routed incorrectly, or a missing deny could allow a customer to hijack a prefix.

Performance considerations: route filtering runs in the control plane on the route processor, not in forwarding hardware, so its cost is CPU time during convergence or when a large table (a full BGP feed, for instance) is processed. Prefix lists are still the preferred tool because IOS looks them up in a tree keyed on the prefix rather than scanning entries top to bottom, so they stay fast with thousands of entries, whereas long ACLs are evaluated sequentially. The Null0 drop itself happens in the forwarding plane and costs almost nothing; the one thing that does cost CPU is ICMP unreachable generation, which is why `no ip unreachables` belongs on interface Null0. Finally, a Null0 route for a large prefix (a /8, say) drops traffic to the entire block, which can be far more aggressive than the situation calls for.

How CCNA 200-301 Actually Tests This

On the CCNA 200-301 exam, objective 3.3 'Configure and verify IPv4 and IPv6 static routing' is where a static route to Null0 can appear: a static route with an outgoing interface and no next-hop address. Distribute lists, prefix lists, route maps, and redistribution are not named on the 200-301 blueprint (objective 3.4 is 'Configure and verify single area OSPFv2' and 3.5 covers first hop redundancy protocols); the filtering tools themselves belong to the CCNP ENARSI (300-410) blueprint. They are still worth knowing here because the static-routing and OSPF questions assume you understand why a route is or is not in the routing table. Expect scenario-based questions where you must explain why a route is missing or choose the correct way to keep it out.

Common trap answers: 1. Using an ACL instead of a prefix list to filter based on prefix length. Candidates often apply a standard ACL to a distribute list and expect it to match only /24 routes, but a standard ACL cannot distinguish a /24 from a /16 or a /25 with the same leading bits; it only matches the network address. When a scenario needs 'only /24 routes', the correct answer is a prefix list with ge 24 le 24. 2. Applying the distribute list in the wrong direction. A common question: 'Routes are being learned from neighbor X but not appearing in the routing table.' The candidate might check the outbound distribute list on the neighbor, but the problem is an inbound filter on the local router. The exam expects you to know that distribute-list in filters routes entering the routing table. 3. Forgetting the implicit deny in prefix lists and route maps. A question may show a prefix list with only a permit entry and ask why other routes are denied. The answer is the implicit deny. Similarly, a route map with only permit statements still has an implicit deny at the end. 4. Treating Null0 as a physical interface, or as just another down interface. The exam may ask which interface discards everything routed to it; 'loopback' and 'an interface with no cable' are wrong (a loopback is a reachable local address, and the routes of a down interface simply leave the table), and the answer is Null0, which is always up and never forwards.

Specific values: The default administrative distance of a static route to Null0 is 1 (same as any static route); the discard route EIGRP installs for its own summary has AD 5. The Null0 interface is always up. A route to Null0 appears in show ip route with code S and the text 'is directly connected, Null0'. Prefix list sequence numbers default to 5 for the first entry and increase by 5 (5, 10, 15, ...) when you do not specify seq.

Decision rule: For questions about filtering based on prefix length, always choose prefix list. For questions about filtering based on source/destination of route (like blocking all routes from a specific neighbor), an ACL or prefix list can work, but prefix list is more specific. If the question mentions 'efficiency' or 'flexibility', prefix list is the better answer.

Key Takeaways

Null0 is a virtual interface that is always up and discards everything routed to it; configure `no ip unreachables` on it so the drop is silent and costs no CPU.

A static route to Null0 is listed in the routing table with code S and the text 'is directly connected, Null0'; it is not a C (connected) route.

Prefix lists can match both prefix and prefix length using ge and le operators.

Distribute lists can reference an ACL or prefix list to filter routes in/out of a routing protocol.

Route maps use match and set clauses for conditional route manipulation.

Implicit deny exists at the end of all prefix lists and route maps.

Null0 routes are commonly used for DDoS blackholing and loop prevention in summarization.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Distribute List with ACL

Matches only network portion (no prefix length).

Uses standard ACL syntax (1-99, 1300-1999).

Less flexible for prefix length filtering.

IPv4 only; IPv6 distribute lists under OSPFv3 and EIGRP for IPv6 take an ipv6 prefix-list, not an ACL.

Evaluated entry by entry, so large lists cost more control-plane CPU.

Distribute List with Prefix List

Matches both prefix and prefix length (ge/le).

Uses prefix list syntax (ip prefix-list).

Highly flexible for range of lengths.

IPv4 only; for IPv6, use ipv6 prefix-list.

More efficient: tree-based lookup keeps large lists cheap on the control plane (filtering never runs in forwarding hardware).

Watch Out for These

Mistake

Packets routed to Null0 are dropped silently; the router never tells the sender anything.

Correct

By default IOS generates rate-limited ICMP unreachable messages for packets it drops into Null0, just as it does for an ACL deny, and generating them costs CPU. The drop becomes silent only when you configure `no ip unreachables` under interface Null0, which is standard practice in blackhole and RTBH configurations.

Candidates assume a black hole is silent by definition; on IOS, silence is a configuration choice you have to make.

Mistake

Prefix lists and ACLs are interchangeable for route filtering.

Correct

Prefix lists can match prefix length; ACLs cannot. For filtering based on prefix length, only prefix lists work. ACLs only match the network portion.

Both can be used in distribute lists, so candidates assume they do the same thing.

Mistake

The implicit deny at the end of a prefix list applies only to routes that match the prefix but not the length.

Correct

The implicit deny applies to all routes that do not match any permit entry, regardless of prefix or length.

Candidates think the prefix list only cares about the specified prefix, but it's a sequential matching process.

Mistake

A distribute list applied in the 'out' direction filters routes from the routing table before they are sent.

Correct

A distribute list 'out' filters routes that are being advertised out of the routing protocol process, but the routes are still in the routing table. It does not remove them from the local routing table.

Candidates think 'out' means out of the routing table, but it means out of the routing update.


Frequently Asked Questions

Can a Null0 route be redistributed into a dynamic routing protocol?

Yes. A static route to Null0 can be redistributed into OSPF, EIGRP, or BGP like any other static route, and for a summary prefix that is a routine way to originate an aggregate: other routers forward traffic for the whole block to this router, which drops only the part with no more-specific route. RTBH works differently: rather than redistributing a Null0 route, the trigger router announces the victim /32 by BGP with a next hop set to a discard address that every edge router already routes to Null0, so the blackhole takes effect on all edges at once. What you should avoid is redistributing a host-specific blackhole into an IGP without thinking about it, because every router that learns it will then send that traffic to you, and the loss is no longer where you intended it.

What is the difference between a distribute list and a prefix list?

A distribute list is a mechanism that applies an ACL or prefix list to filter routes in or out of a routing protocol. A prefix list is a standalone configuration object that matches routes based on prefix and length. You can use a distribute list to reference a prefix list. In short: distribute list is the 'how' (the filter application), prefix list is the 'what' (the filter criteria).

How do I verify that a prefix list is being used by a distribute list?

Use `show ip protocols` to see the routing protocol configuration. Under the process it shows lines such as 'Incoming update filter list for all interfaces is (prefix-list) ALLOW_192_168' or 'Outgoing update filter list for all interfaces is (prefix-list) DENY_PRIVATE' ('is not set' when no filter is applied). You can also use `show ip prefix-list detail` to see hit counts, which increment when a route matches an entry.

Can I use a prefix list to filter IPv6 routes?

Yes, but the command is `ipv6 prefix-list` instead of `ip prefix-list`. The syntax is similar: `ipv6 prefix-list NAME seq 10 permit 2001:db8::/32 ge 64 le 128`. For distribute lists under OSPFv3 or EIGRP for IPv6, you reference the IPv6 prefix list.

What is the default sequence number for the first entry in a prefix list?

The default sequence number is 5. Subsequent entries added without specifying a sequence number increase by 5 (5, 10, 15, and so on). You can set sequence numbers manually to insert entries between existing ones, which is why this chapter's examples use explicit values such as seq 10.

Does a Null0 route consume any resources on the router?

Very minimal. The Null0 interface is a virtual interface, and the route entry takes up space in the routing table. However, the actual packet drop happens in hardware on most platforms, so CPU impact is negligible. The main consideration is the size of the routing table if many Null0 routes are configured.

Why does my distribute list not filter routes as expected?

Common reasons: 1) The distribute list is applied in the wrong direction (in vs out). 2) The ACL or prefix list does not match the routes the way you expect (check ge/le, and remember that a standard ACL ignores the prefix length). 3) The filter is attached where that protocol does not honour it: an OSPF distribute list in only keeps routes out of the routing table (the LSAs stay in the database and are still flooded to other routers), an OSPF distribute list out only affects routes an ASBR redistributes into OSPF, and in BGP filtering is normally applied per neighbor with neighbor prefix-list, filter-list, or route-map rather than with a process-wide distribute list. 4) A route map on the same redistribution or neighbor also has to permit the route; the distribute list and the route map are both evaluated, and either one can deny. Use `show ip protocols` to confirm where the filter is attached and `show ip prefix-list detail` to see whether its entries are being hit.
