Access-list to deny icmp

Unanswered Question
Mar 13th, 2008

I need to do an access-list to deny icmp traffic to a specific subnet (vlan).

I did one yesterday with:

access-list 101 deny icmp any xxx.xx.xx.0

access-list 101 permit ip any any

It didn't work.

Help appreciated.

Jon Marshall Thu, 03/13/2008 - 05:01


Which direction did you apply it in on the vlan interface? It needs to be applied outbound.


Richard Burts Thu, 03/13/2008 - 05:02


If you really want to deny all icmp (which could be a separate discussion) then the access list looks reasonable to accomplish that (assuming that the address and mask are correct for that subnet/VLAN). Can you tell us on what interface and in what direction you assigned the access list?



kris55s Thu, 03/13/2008 - 05:06

That was quick! Thanks guys!

Jon said about applying it outbound. When I tried it yesterday, I applied it inbound on the vlan interface.

Which is another question. I am applying this on my distribution switch, therefore I am assuming I need to apply it to the vlan interface that I want to deny the icmp traffic on?

Jon Marshall Thu, 03/13/2008 - 05:08


Think of it like this.

Traffic inbound to a vlan is traffic coming from machines on that vlan.

Traffic outbound to a vlan is traffic going to machines on that vlan.

So you want to apply on the vlan interface where the machines that you want to deny icmp to are located.



kris55s Thu, 03/13/2008 - 06:15

I applied the access list and it works, but I can ping the default gateway. No devices are pingable.

Jon Marshall Thu, 03/13/2008 - 06:23


Yes, you will be able to, because the outbound access-list is applied as the traffic is about to be transmitted onto the vlan.

If this is a problem you would need to apply an acl on all your other router interfaces:

access-list 102 deny icmp any host

access-list 102 permit ip any any

and then apply this access-list inbound on all the other interfaces.

But this is a lot of trouble and error prone. Is it really an issue?
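As an added illustration of Jon's two points (inbound vs. outbound on the vlan interface, and why the gateway stays pingable), here is a small Python model of how the SVI evaluates access-list 101. It is not from the thread; the 10.10.0.0/24 subnet, the 10.10.0.1 gateway address and the 0.0.0.255 wildcard for the redacted subnet are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed topology (assumption, not from the thread): the distribution
# switch's SVI for the protected VLAN is 10.10.0.1 on 10.10.0.0/24.
PROTECTED_VLAN = IPv4Network("10.10.0.0/24")
SVI_ADDRESS = IPv4Address("10.10.0.1")  # the VLAN's default gateway

# access-list 101 as posted, with an assumed 0.0.0.255 wildcard for the
# redacted subnet. Address specs are "any" or (base, wildcard).
ACL_101 = [
    ("deny", "icmp", "any", ("10.10.0.0", "0.0.0.255")),
    ("permit", "ip", "any", "any"),
]

def packet(proto, src, dst):
    return {"proto": proto, "src": IPv4Address(src), "dst": IPv4Address(dst)}

def addr_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec  # "host X" is equivalent to (X, "0.0.0.0")
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(addr) & care == int(IPv4Address(base)) & care

def acl_action(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, dst in acl:
        if proto in ("ip", pkt["proto"]) and addr_match(pkt["src"], src) \
                and addr_match(pkt["dst"], dst):
            return action
    return "deny"

def svi_decision(pkt, acl, direction):
    """Decision of the protected VLAN's SVI with acl applied 'in' (packets
    received from hosts on the VLAN) or 'out' (packets about to be sent onto
    the VLAN). Packets addressed to the SVI itself never hit the outbound ACL."""
    if direction == "in" and pkt["src"] in PROTECTED_VLAN:
        return acl_action(acl, pkt)
    if direction == "out" and pkt["dst"] in PROTECTED_VLAN and pkt["dst"] != SVI_ADDRESS:
        return acl_action(acl, pkt)
    return "permit"  # ACL not consulted on this interface for this packet

if __name__ == "__main__":
    ping_host = packet("icmp", "10.20.0.5", "10.10.0.50")
    ping_gw = packet("icmp", "10.20.0.5", "10.10.0.1")
    print("inbound, ping to host:", svi_decision(ping_host, ACL_101, "in"))      # permit
    print("outbound, ping to host:", svi_decision(ping_host, ACL_101, "out"))    # deny
    print("outbound, ping to gateway:", svi_decision(ping_gw, ACL_101, "out"))   # permit
```

The first line reproduces the "didn't work" result of applying the list inbound, the second the working outbound case, and the third the gateway still answering pings.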


kris55s Thu, 03/13/2008 - 06:31

It's not an issue for me, but who knows what the higher-ups will say. They don't take into account the technical side of things; if they want something done, they just want it done.

Thanks for the help. Much appreciated.

