03-13-2008 04:57 AM - edited 03-05-2019 09:44 PM
I need to do an access-list to deny icmp traffic to a specific subnet (vlan).
I did one yesterday with:
access-list 101 deny icmp any xxx.xx.xx.0 0.0.1.255
access-list 101 permit ip any any
It didn't work.
Help appreciated.
03-13-2008 05:01 AM
Hi
Which direction did you apply it in on the vlan interface? It needs to be applied outbound.
Jon
03-13-2008 05:02 AM
Kristen
If you really want to deny all icmp (which could be a separate discussion) then the access list looks reasonable to accomplish that (assuming that the address and mask are correct for that subnet/VLAN). Can you tell us on what interface and in what direction you assigned the access list?
HTH
Rick
03-13-2008 05:06 AM
That was quick! Thanks guys!
Jon talked about applying it outbound. When I tried it yesterday, I applied it inbound on the vlan interface.
Which is another question. I am applying this on my distribution switch, therefore I am assuming I need to apply it to the vlan interface that I want to deny the icmp traffic on?
03-13-2008 05:08 AM
Hi
Think of it like this.
Traffic inbound to a vlan is traffic coming from machines on that vlan.
Traffic outbound to a vlan is traffic going to machines on that vlan.
So you want to apply on the vlan interface where the machines that you want to deny icmp to are located.
HTH
Jon
03-13-2008 05:24 AM
Ok, and apply it outbound on that vlan?
03-13-2008 05:27 AM
Yes.
03-13-2008 06:15 AM
I applied the access list and it works, but I can ping the default gateway. No devices are pingable.
03-13-2008 06:23 AM
Hi
Yes, you will be able to, because the outbound access-list is applied as the traffic is about to be transmitted onto the vlan.
If this is a problem, you would need to apply an acl on all your other router interfaces:
access-list 102 deny icmp any host
access-list 102 permit ip any any
and then apply this access-list inbound on all the other interfaces.
But this is a lot of trouble and error-prone. Is it really an issue?
Jon
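An added model (Python, not anything posted in the thread) of the two points Jon makes above: Cisco wildcard-mask matching with first-match-wins and an implicit deny, and why an outbound ACL on the vlan interface never sees a ping addressed to the SVI itself, while the inbound ACL 102 on the other interfaces would catch it. The subnet 10.1.2.0 with wildcard 0.0.1.255 and the gateway address 10.1.2.1 are constructed values standing in for the redacted ones.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "icmp", "tcp", ...
    src: str
    dst: str

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def _addr_match(addr: str, spec) -> bool:
    base, wildcard = spec
    return base == "any" or wildcard_match(addr, base, wildcard)

# Entries: (action, protocol, (src, src_wildcard), (dst, dst_wildcard)).
# ACL 101 from the thread; the redacted subnet is replaced by a constructed /23.
ACL_101 = [
    ("deny", "icmp", ("any", None), ("10.1.2.0", "0.0.1.255")),
    ("permit", "ip", ("any", None), ("any", None)),
]
SVI_ADDRESS = "10.1.2.1"  # constructed default-gateway (SVI) address
# ACL 102 as Jon describes it, with the constructed gateway address filled in
# ("host X" is the same as "X 0.0.0.0").
ACL_102 = [
    ("deny", "icmp", ("any", None), (SVI_ADDRESS, "0.0.0.0")),
    ("permit", "ip", ("any", None), ("any", None)),
]

def acl_decision(acl, pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst in acl:
        if proto in ("ip", pkt.proto) and _addr_match(pkt.src, src) \
                and _addr_match(pkt.dst, dst):
            return action
    return "deny"

def svi_outbound_filter(acl, pkt: Packet) -> str:
    """Outbound ACL on the vlan interface: consulted only for traffic the
    switch forwards onto the vlan. A ping addressed to the SVI itself
    terminates at the switch and is never transmitted onto the vlan,
    so the ACL is not consulted and the gateway stays pingable."""
    if pkt.dst == SVI_ADDRESS:
        return "permit"
    return acl_decision(acl, pkt)
```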
03-13-2008 06:31 AM
It's not an issue for me, but who knows what the higher-ups will say. They don't take into account the technical side of things; if they want something done, they just want it done.
Thanks for the help. Much appreciated.