There is a requirement for R2 to filter traffic to and from the neighbouring routers R1 and R3. The catch, however, is that an ACL cannot be used. An unlikely scenario in the real world, but then again the sort of thing that may be thrown up in a CCIE lab.
R1 ---------------(fa1/0) R2 (fa1/1)--------------- R3
To achieve this a service-policy can be used: classify each packet by the interface it arrived on, then drop that class on the way out of the other interface.
! Classify transit traffic by ingress interface
class-map match-all FROM_R1
 match input-interface fa1/0
class-map match-all FROM_R3
 match input-interface fa1/1
!
! Traffic leaving towards R1 that arrived from R3 is dropped
policy-map TO_R1
 class FROM_R3
  drop
! Traffic leaving towards R3 that arrived from R1 is dropped
policy-map TO_R3
 class FROM_R1
  drop
!
! Apply each policy in the output direction on the egress interface
interface fa1/0
 service-policy output TO_R1
interface fa1/1
 service-policy output TO_R3
Note that only traffic transiting R2 is affected: a packet sourced by R2 itself has no input interface, so it matches neither class and is forwarded normally.
Another scenario that might lead to the use of a service-policy for filtering is when an ACL cannot achieve the required result on its own.
For example, the requirement may be to drop ICMP echo and echo-reply packets with a packet length between 300 and 350 bytes.
This cannot be achieved with an ACL alone: there is no way of matching on packet length in an ACL.
Packet length can, however, be matched in a class-map, so the ACL selects the ICMP types and the class-map adds the length condition:
! The ACL selects only echo and echo-reply; everything else is left alone
ip access-list extended 101
 permit icmp any any echo
 permit icmp any any echo-reply
!
! match-all: a packet must be echo/echo-reply AND 300-350 bytes long to be dropped
class-map match-all ICMP
 match access-group 101
 match packet length min 300 max 350
!
policy-map ICMP
 class ICMP
  drop
!
! Filter in both directions on the interface
interface fa0/0
 service-policy input ICMP
 service-policy output ICMP
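To check that both the interface-based filter and the packet-length filter above are doing what is intended, the following verification session is an added example and not part of the original post. The addresses 10.0.0.6 (assumed to be R3) and 10.0.0.1 (assumed to be a host on the far side of fa0/0) are assumptions for illustration.

```cisco
! --- On R2: confirm the class-maps and policy-maps exist and are attached ---
show class-map
show policy-map
! Per-class packet counters; the class being dropped should increment as test
! traffic is sent (look for "Class-map: FROM_R1" on fa1/1 and "FROM_R3" on fa1/0)
show policy-map interface fa1/0
show policy-map interface fa1/1

! --- On R1: traffic to R3 enters R2 on fa1/0 and would leave on fa1/1, where
!     policy TO_R3 drops class FROM_R1, so these pings fail (assumed address) ---
ping 10.0.0.6 repeat 5

! --- On a host behind fa0/0: IOS "ping size" is the total IP datagram size,
!     and "match packet length" compares against the Layer 3 (IP) length, so
!     size 320 falls inside 300-350 and is dropped, while the default 100 and
!     360 are outside the range and pass (assumed address) ---
ping 10.0.0.1 size 320 repeat 5
ping 10.0.0.1 size 100 repeat 5
ping 10.0.0.1 size 360 repeat 5

! --- Back on R2: the ICMP class counter should have moved by exactly the
!     number of 320-byte packets sent ---
show policy-map interface fa0/0
```

The packet-length test is the one worth running twice: once with a size just inside the range and once just outside it, since an off-by-one in the min/max values is easy to miss when only the class counter is inspected.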