The title is actually a request that I encountered during my CCIE RS preparation. Of course, in the real world I would go straight ahead and implement an access-list to drop the selected packets. But since the lab environment is different from the real one, you might get a task like the one above.

Let’s assume that we have a network topology with a central router (R1) that connects two routers (R2 and R3), as in a hub-and-spoke diagram. Communication between R2 and R3 goes through R1. In this environment routing is already functional, implemented by dynamic or static routing (it actually doesn’t matter; that is not the topic of this presentation), and R2 can reach R3. We will drop all packets from R2 to R3 except telnet-related packets (just to make things a little more interesting). As I specified before, all this has to be achieved without implementing an access-list.

Please have a look at this topology to get a clear picture of the network environment. After you have checked the topology, watch the video presentation below:

How to drop packets with no ACL
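As an added illustration of the task described above (this is not the configuration shown in the video, and the comment thread notes that the video's class-map used an ACL), the following MQC configuration on R1 classifies telnet with NBAR instead of an access-list and drops everything else arriving from R2. Assumed names: FastEthernet0/0 is the R1 interface facing R2, EIGRP is the routing protocol running between R1 and R2, and the class-map and policy-map names are arbitrary.

```cisco
! Added example, not the author's configuration. Assumed: Fa0/0 on R1 faces R2,
! EIGRP runs between R1 and R2, class/policy names are arbitrary.
!
! NBAR needs CEF switching enabled.
ip cef
!
! Telnet is identified by NBAR, so no access-list is needed.
class-map match-all TELNET
 match protocol telnet
!
! Assumption: dynamic routing between R2 and R1. The inbound policy also sees
! routing packets sent to R1 itself, so keep them out of class-default or the
! adjacency with R2 will drop.
class-map match-all ROUTING
 match protocol eigrp
!
policy-map R2-DROP-ALL-BUT-TELNET
 class TELNET
  ! no action configured: packets in this class are forwarded normally
 class ROUTING
  ! no action configured: routing packets are forwarded normally
 class class-default
  drop
!
interface FastEthernet0/0
 description link to R2
 service-policy input R2-DROP-ALL-BUT-TELNET
```

Only the R2-to-R1 direction is filtered, so telnet replies from R3 still flow back to R2 through R1's other interface. To check the result, ping from R2 to R3 should fail while `telnet` from R2 to R3 succeeds, and `show policy-map interface FastEthernet0/0` on R1 should show the dropped packets counted under class-default. On platforms whose IOS release does not accept `drop` under a policy-map class, `police` with `conform-action drop` and `exceed-action drop` in that class is the usual substitute. A class-map can also match on markings NBAR does not recognize (for example `match ip dscp` or `match ip precedence`), which is the point made in the comments below.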

Cisco: How to selective drop packets without using an access-list

2 thoughts on “Cisco: How to selective drop packets without using an access-list”

  • December 1, 2009 at 10:09

    You used an ACL in the class-map, this could have been replaced with an NBAR protocol match for telnet..

  • December 1, 2009 at 10:25

    Hi Jim!

    You’re right, I could have used NBAR, and there are other methods to drop packets as well. The one above is just an example. The same goes for telnet in the example.

    I used an ACL to show that you can match packets other than telnet, which NBAR is not able to identify (based on DSCP, IP precedence…), and let those packets pass by.

    Your comment is correct, but in the example it was just a matter of choice.

    Thanks for reading!
