Do you think our CoPP configuration should be able to block ICMP?

Hi, do you think our CoPP configuration can block ICMP? The topology is like this: R5-------R2-------R3. Originally these three routers can ping each other. Now in R2, we configure it as below. The MAC address is from the R3 interface connected to R2. So after the configuration in R2, do you think R3 can still ping R5? Thank you



class-map match-all block-mac
 match access-group 700

policy-map mac
 class block-mac
   drop

control-plane
 service-policy input mac

access-list 700 deny   cc02.1504.0011 0000.0000.0000
eemoon asked:

Don Johnston (Instructor) commented:
Based on your other question, I'm going to say no since you can't use a MAC ACL for CoPP.

Which begs the question, what are you trying to accomplish? Is this an actual task or a hypothetical scenario? If it's the former, please provide the requirements. If it's the latter, you would probably be better off actually trying to configure this and seeing what happens.
eemoon (Author) commented:
Thank you so much for your fast reply. My work needs to allow specific PCs to access all routers and switches. We mentioned that we need to use a MAC address ACL to reach the goal. I thought I could do that, and that was why I promised to do it. After I tried it several times, I found a MAC address ACL cannot be used on VTY. That is why I am trying to use a MAC address ACL with CoPP. I feel that it should work, but the Cisco documentation seems to say this way cannot work.
Don Johnston (Instructor) commented:
That is correct.

If (for reasons I can't begin to understand) you absolutely have to limit telnet access by MAC address, I would use a combination of port security and DHCP snooping with address reservation/manual bindings.
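
A sketch of the approach suggested in the answer above, added here as an example and not taken from the thread or from Cisco documentation: the access switch pins the admin PC's MAC to its port and to a reserved IP, and each managed device then limits VTY access to that IP. The VLAN, interface names, MAC, IP and ACL number are constructed values; IP Source Guard and the VTY `access-class` are assumptions added to tie the pieces together, since the answer names only port security and DHCP snooping with manual bindings.

```cisco
! Constructed values: VLAN 10, Gi0/1 (uplink), Gi0/5 (admin PC),
! MAC 0000.5e00.5301, IP 192.0.2.10, ACL 10.
! Exact syntax varies by platform and IOS release.
!
! --- Access switch where the admin PC connects ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 description Uplink toward the DHCP server
 ip dhcp snooping trust
!
interface GigabitEthernet0/5
 description Admin PC
 switchport mode access
 switchport access vlan 10
 ! Port security: only this one MAC may send frames on the port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 switchport port-security violation restrict
 ! Assumption: IP Source Guard enforces the MAC-to-IP binding below
 ip verify source port-security
!
! Manual binding: this MAC on this port may only use the reserved IP
ip source binding 0000.5e00.5301 vlan 10 192.0.2.10 interface GigabitEthernet0/5
!
! --- Each router or switch being managed ---
! Assumption: VTY access is filtered by the IP that the binding pins to the MAC
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
```

The binding is only enforced on the switch port where the PC attaches, so the managed devices trust the source IP rather than the MAC itself.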

eemoon (Author) commented:
Hi, I think your suggestion should work for my issue. Thank you!!