Scenario:
As part of the security team you are always looking for ways to improve security within the company. You want to get rid of all the local vty/console logins within your network so you decide to implement some AAA security.
Goal:
- All IP addresses have been configured for you; look at the topology picture for the IP addresses.
- OSPF has been preconfigured for you on all routers.
- Configure router Mirror so that all ICMP traffic from network 3.3.3.0/24 larger than 150 bytes is dropped.
- You are not allowed to apply any access-list on the interfaces.
Topology:
Video Solution:
Written by René Molenaar - CCIE #41726
You can use a class map to match ICMP traffic, a policy map to drop the traffic, and assign the service policy to the interface. Technically the ACL is not applied to the interface, the service policy is.
! ACL 101 only identifies the source network; it is never applied to an interface
access-list 101 permit icmp 3.3.3.0 0.0.0.255 any
!
! match-all: packet must be ICMP, at least 151 bytes AND permitted by ACL 101
class-map match-all Block-ICM
 match protocol icmp
 match packet length min 151
 match access-group 101
!
policy-map Block_ICMP
 class Block-ICM
  drop
!
! the policy is applied inbound on the interface of Mirror that faces 3.3.3.0/24
! (interface name not given in the comment, placeholder below)
interface <Mirror-ingress-interface>
 service-policy input Block_ICMP
!
Hi Steve Occh, your config is correct only if you are able to use an access-list. The criteria state that you are not allowed to use an access-list. Cheers
I used a route-map to achieve the goal:
!
! PBR is evaluated on packets arriving inbound on this interface
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
 ip policy route-map ICMP
 duplex auto
 speed auto
!
! matches every packet whose layer-3 length is between 151 and 2147483647 bytes,
! regardless of protocol or source address, and sends it to Null0 (dropped)
route-map ICMP permit 10
 match length 151 2147483647
 set interface Null0
!
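Neither of the two configurations above can be run outside a router, so here is an added Python model (not from the original page or its commenters) that evaluates both the MQC class-map solution and the route-map solution against constructed sample packets and reports where they disagree; it assumes that IOS compares the total IP packet length for both "match packet length" and "match length".

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    proto: str    # "icmp", "tcp", ...
    length: int   # total IP packet length in bytes (assumed to be what IOS compares)

SOURCE_NET = ipaddress.ip_network("3.3.3.0/24")   # network from the lab goal

def mqc_drops(pkt: Packet) -> bool:
    """class-map match-all Block-ICM: protocol icmp AND length >= 151 AND ACL 101
    (icmp from 3.3.3.0/24) must all match before policy-map Block_ICMP drops it."""
    return (pkt.proto == "icmp"
            and pkt.length >= 151
            and ipaddress.ip_address(pkt.src) in SOURCE_NET)

def pbr_drops(pkt: Packet) -> bool:
    """route-map ICMP permit 10: match length 151 2147483647 -> set interface Null0.
    There is no protocol or source test, so only the size decides."""
    return 151 <= pkt.length <= 2147483647

# constructed sample traffic, including the 150/151-byte boundary
SAMPLE_PACKETS = [
    Packet("3.3.3.3", "icmp", 100),        # small ping: both forward
    Packet("3.3.3.3", "icmp", 150),        # exactly 150: "larger than 150" does not hold
    Packet("3.3.3.3", "icmp", 151),        # first size that both drop
    Packet("3.3.3.3", "icmp", 1500),       # large ping from 3.3.3.0/24
    Packet("3.3.3.3", "tcp", 1500),        # large TCP segment: only PBR drops
    Packet("192.168.23.3", "icmp", 1500),  # large ping from another source: only PBR drops
]

def disagreements(pkts):
    """Packets where the route-map drops traffic the class-map would forward (or vice versa)."""
    return [p for p in pkts if mqc_drops(p) != pbr_drops(p)]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.src:13} {p.proto:5} {p.length:5}  mqc_drop={mqc_drops(p)!s:5}  pbr_drop={pbr_drops(p)}")
    print("packets treated differently:", len(disagreements(SAMPLE_PACKETS)))
```

The two disagreements are the non-ICMP packet and the packet from outside 3.3.3.0/24, which the route-map solution drops even though the goal only asks for large ICMP from that network to be dropped.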
It's good, cleared my doubt. Thanks.