Sunday, December 7, 2008

Traffic Filtering - Without an ACL

There is a requirement for R2 to filter transit traffic between its neighboring routers R1 and R3. The catch, however, is that an ACL cannot be used. An unlikely scenario in the real world, but then again it is the kind of thing that may be thrown up in a CCIE lab.


R1 ---------------(fa1/0) R2 (fa1/1)--------------- R3


To achieve this a service-policy can be used: a class-map can match on the interface a packet arrived on, and a policy-map applied outbound on the other interface can drop that class.


! Classify traffic by the interface it entered R2 on
class-map FROM_R1
match input-interface fa1/0
!
class-map FROM_R3
match input-interface fa1/1
!
! Leaving towards R1: drop anything that came in from R3
policy-map TO_R1
class FROM_R3
drop
!
! Leaving towards R3: drop anything that came in from R1
policy-map TO_R3
class FROM_R1
drop
!
! Policies are applied outbound; the match is on the inbound interface
int fa1/0
service-policy output TO_R1
!
int fa1/1
service-policy output TO_R3



Another scenario that might lead to the use of a service-policy to filter traffic is when an ACL cannot be used in isolation to achieve the required filtering result.
For example, the requirement may be to drop ICMP echo and echo-reply packets with a packet length between 300 and 350 bytes.

This cannot be achieved using an ACL alone: there is no way of matching on packet length in an ACL.
However, packet length can be matched in a class-map, and the ACL can be referenced from the same class-map so that both conditions must hold.

Hence

! ACL selects only echo and echo-reply (implicit deny for everything else)
ip access-list extended 101
permit icmp any any echo
permit icmp any any echo-reply
!
! match-all: the packet must be permitted by ACL 101 AND be 300-350 bytes long
class-map match-all ICMP
match access-group 101
match packet length min 300 max 350
!
policy-map ICMP
class ICMP
drop
!
! Applied in both directions so echo and echo-reply are caught whichever way they flow
int fa0/0
service-policy input ICMP
service-policy output ICMP
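To make the match-all and first-matching-class semantics of both scenarios concrete, here is an added Python model of the classification logic above. It is not IOS code and not from the original post; the Packet fields, the match_* helpers and the policy names are constructed for illustration, with constructed sample packets in the tests.

```python
from dataclasses import dataclass

# Constructed packet model: only the fields the post's class-maps look at.
@dataclass
class Packet:
    in_iface: str        # interface the packet entered the router on
    proto: str           # "icmp", "tcp", ...
    icmp_type: str = ""  # "echo", "echo-reply", ... (ICMP only)
    length: int = 0      # IP datagram length in bytes

# --- match statements -------------------------------------------------------
def match_input_interface(iface):
    return lambda p: p.in_iface == iface

def match_access_group_101(p):
    # ACL 101 from the post: permit icmp any any echo / echo-reply, implicit deny.
    return p.proto == "icmp" and p.icmp_type in ("echo", "echo-reply")

def match_packet_length(lo, hi):
    # Inclusive range on the IP datagram length. An inverted range such as
    # min 300 max 250 (an easy typo) can never match, so nothing gets dropped.
    return lambda p: lo <= p.length <= hi

# --- class-map / policy-map semantics ---------------------------------------
def class_map(matches, match_all=True):
    # match-all: every statement must be true; match-any: at least one.
    combine = all if match_all else any
    return lambda p: combine(m(p) for m in matches)

def policy_map(classes):
    # classes: ordered list of (class_fn, action). The first matching class
    # wins; anything unmatched falls into class-default and is forwarded.
    def evaluate(p):
        for cls, action in classes:
            if cls(p):
                return action
        return "forward"
    return evaluate

# Scenario 1: outbound on fa1/0 (towards R1), drop anything that entered via fa1/1 (from R3).
TO_R1 = policy_map([(class_map([match_input_interface("fa1/1")]), "drop")])

# Scenario 2: drop ICMP echo/echo-reply whose length is 300..350 bytes.
ICMP = policy_map([(class_map([match_access_group_101,
                               match_packet_length(300, 350)]), "drop")])

# Same policy with the inverted range: shows that the typo silently matches nothing.
ICMP_INVERTED = policy_map([(class_map([match_access_group_101,
                                        match_packet_length(300, 250)]), "drop")])
```

The inverted-range variant is worth checking on a real box with "show policy-map interface" as well: a class that never matches shows zero packets, which is the only hint that the filter is not doing its job.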
