Lab 19 Task 9.2

I was wondering: rather than having a separate access-group on the interface s0/0 for denying the private address space as per SG, can I not have this configured on the policy-map created for the previous section? This is what I have created, as shown below.

ip access-list extended RFC_1918
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any

class-map match-all RFC_1918
 match access-group name RFC_1918


class-map match-all ICMP
 match protocol icmp
!
!
policy-map QOS_ICMP
 class ICMP
  police cir 8000 bc 1000
   conform-action transmit
   exceed-action drop
 class RFC_1918    <------------------
  drop

interface Serial0/0
 service-policy input QOS_ICMP

Any comments would be appreciated.

Comments

  • This will work, but change the deny to permit in your access-list - you want to match the RFC1918 addresses, not everything else.

  • Hi CCIE_Wannabe and Darrel

    I think we should also take care with the order of the class-maps in the policy-map here:

    ICMP will still be allowed up to a rate of 8k from the private addresses if you put the ICMP class in first place.
    I put the ICMP class after the RFC_1918 class.

    Best regards

    Matthias
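
The two points raised in the comments (permit versus deny in the ACL behind the class-map, and the order of classes in the policy-map) can be checked with a small Python model. This is an added example, not part of the original thread and not Cisco code; it assumes a policy-map applies the first class that matches and that only an ACL permit counts as a class-map match, and the function names and sample packets are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges from the thread as (network, wildcard mask).
RFC1918 = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")]
ANY = ("0.0.0.0", "255.255.255.255")
ACL_AS_POSTED = [("deny", n, w) for n, w in RFC1918] + [("permit", *ANY)]
ACL_PERMIT = [("permit", n, w) for n, w in RFC1918]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(src, net, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(net) & care)

def acl_permits(acl, src):
    """First matching entry wins; no matching entry is an implicit deny."""
    for action, net, wildcard in acl:
        if wildcard_match(src, net, wildcard):
            return action == "permit"
    return False

def classify(policy, acl, src, proto):
    """Return the action of the first class in the policy-map that matches."""
    for cls in policy:
        if cls == "ICMP" and proto == "icmp":
            return "police"   # transmitted up to the CIR, excess dropped
        if cls == "RFC_1918" and acl_permits(acl, src):
            return "drop"
    return "transmit"         # falls through to class-default

ICMP_FIRST = ["ICMP", "RFC_1918"]      # class order as posted
RFC1918_FIRST = ["RFC_1918", "ICMP"]   # class order suggested in the reply

# Constructed sample packets: (source address, protocol).
PACKETS = [("10.1.1.1", "icmp"), ("192.168.5.9", "tcp"),
           ("198.51.100.7", "tcp"), ("198.51.100.7", "icmp")]

def outcomes(policy, acl):
    return [classify(policy, acl, src, proto) for src, proto in PACKETS]

if __name__ == "__main__":
    for label, policy, acl in [("as posted", ICMP_FIRST, ACL_AS_POSTED),
                               ("permit ACL, ICMP first", ICMP_FIRST, ACL_PERMIT),
                               ("permit ACL, RFC_1918 first", RFC1918_FIRST, ACL_PERMIT)]:
        print(f"{label:28}", outcomes(policy, acl))
```

Only the third combination drops every packet sourced from private address space while still policing ICMP from other sources.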
