Access-list to deny icmp

kris55s
Level 1

I need to do an access-list to deny icmp traffic to a specific subnet (vlan).

I did one yesterday with:

access-list 101 deny icmp any xxx.xx.xx.0 0.0.1.255

access-list 101 permit ip any any

It didn't work.

Help appreciated.

9 Replies

Jon Marshall
Hall of Fame

Hi

Which direction did you apply it on the vlan interface? It needs to be applied outbound.

Jon

Richard Burts
Hall of Fame

Kristen

If you really want to deny all icmp (which could be a separate discussion) then the access list looks reasonable to accomplish that (assuming that the address and mask are correct for that subnet/VLAN). Can you tell us on what interface and in what direction you assigned the access list?

HTH

Rick

That was quick! Thanks guys!

Jon said about applying it outbound. When I tried it yesterday, I applied it inbound on the vlan interface.

Which is another question. I am applying this on my distribution switch, therefore I am assuming I need to apply it to the vlan interface that I want to deny the icmp traffic on?

Hi

Think of it like this.

Traffic inbound to a vlan is traffic coming from machines on that vlan.

Traffic outbound to a vlan is traffic going to machines on that vlan.

So you want to apply on the vlan interface where the machines that you want to deny icmp to are located.

HTH

Jon

Ok, and apply it outbound on that vlan?

Yes.

I applied the access list and it works, but I can ping the default gateway. No devices are pingable.

Hi

Yes, you will be able to, because the outbound access-list is applied as the traffic is about to be transmitted onto the vlan.

If this is a problem you would need to apply an acl on all your other router interfaces:

access-list 102 deny icmp any host

access-list 102 permit ip any any

and then apply this access-list inbound on all the other interfaces.

But this is a lot of trouble and error prone. Is it really an issue?

Jon
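The two points made in this thread, that an inbound ACL on an SVI sees traffic coming from hosts on that VLAN while an outbound ACL sees traffic about to be transmitted onto it, and that a ping to the gateway address itself is answered by the switch before any outbound ACL is reached, can be checked with a small model. The Python below is an added example, not code from the thread or from Cisco. It parses numbered extended ACL lines with Cisco wildcard masks, evaluates them first-match with the implicit deny at the end, and pushes a few constructed packets through a two-SVI distribution switch. The subnets 10.10.0.0/24 and 10.20.0.0/23, the SVI addresses, and the host address in ACL 102 are constructed placeholders standing in for the redacted and elided values in the original post; the `make_switch`, `forward` and `scenario_*` names are this example's own.

```python
"""Toy model of Cisco IOS numbered extended ACLs and of inbound/outbound
direction on SVIs. Added example for this thread, not code from the post or
from Cisco; every address below is a constructed placeholder."""
from ipaddress import IPv4Address

# Constructed stand-ins for the thread's redacted xxx.xx.xx.0 subnet and the
# elided 'host' in ACL 102 (10.20.0.1 is assumed to be the Vlan20 gateway).
ACL_101 = [
    "access-list 101 deny icmp any 10.20.0.0 0.0.1.255",
    "access-list 101 permit ip any any",
]
ACL_102 = [
    "access-list 102 deny icmp any host 10.20.0.1",
    "access-list 102 permit ip any any",
]

def _ip(s):
    return int(IPv4Address(s))

def _addr_spec(tok, i):
    """Parse one address spec at tok[i]: 'any' | 'host A' | 'A WILDCARD'.
    Returns (base, wildcard, next_index) with addresses as ints."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def parse_acl(lines):
    """'access-list N {permit|deny} PROTO SRC DST' -> list of rule tuples."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, src_wc, i = _addr_spec(tok, 4)
        dst, dst_wc, _ = _addr_spec(tok, i)
        rules.append((action, proto, src, src_wc, dst, dst_wc))
    return rules

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst):
    """First match wins; no matching entry means the implicit deny."""
    for action, rproto, sb, sw, db, dw in rules:
        if rproto in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def make_switch(vlan20_in=(), vlan20_out=(), vlan10_in=()):
    """Two SVIs on a distribution switch. An empty rule list means no ACL applied."""
    return {
        "Vlan10": {"net": _ip("10.10.0.0"), "wc": 0x000000FF, "svi": "10.10.0.1",
                   "in": parse_acl(vlan10_in), "out": []},
        "Vlan20": {"net": _ip("10.20.0.0"), "wc": 0x000001FF, "svi": "10.20.0.1",
                   "in": parse_acl(vlan20_in), "out": parse_acl(vlan20_out)},
    }

def forward(switch, proto, src, dst):
    """Push one packet through the switch and report where it ended up."""
    def iface_for(addr):
        for name, cfg in switch.items():
            if wildcard_match(addr, cfg["net"], cfg["wc"]):
                return name
        return None
    ingress = iface_for(src)
    # Inbound ACL: evaluated on traffic *coming from* hosts on that VLAN.
    if ingress and switch[ingress]["in"] and evaluate(switch[ingress]["in"], proto, src, dst) == "deny":
        return f"dropped by inbound ACL on {ingress}"
    # Traffic addressed to one of the switch's own SVI addresses is consumed by
    # the switch; it is never transmitted onto a VLAN, so no outbound ACL sees it.
    if any(cfg["svi"] == dst for cfg in switch.values()):
        return "answered by the switch itself (default gateway)"
    egress = iface_for(dst)
    if egress is None:
        return "no route"
    # Outbound ACL: evaluated just before the packet is transmitted onto the VLAN.
    if switch[egress]["out"] and evaluate(switch[egress]["out"], proto, src, dst) == "deny":
        return f"dropped by outbound ACL on {egress}"
    return f"forwarded out {egress}"

def scenario_inbound():
    """What the original poster tried first: ACL 101 inbound on Vlan20."""
    return forward(make_switch(vlan20_in=ACL_101), "icmp", "10.10.0.5", "10.20.0.50")

def scenario_outbound():
    """ACL 101 outbound on Vlan20: both /24s of the /23 are covered, gateway still answers."""
    sw = make_switch(vlan20_out=ACL_101)
    return (forward(sw, "icmp", "10.10.0.5", "10.20.0.50"),
            forward(sw, "icmp", "10.10.0.5", "10.20.1.77"),
            forward(sw, "icmp", "10.10.0.5", "10.20.0.1"))

def scenario_with_acl_102():
    """ACL 102 inbound on the other SVI blocks pings to the gateway address only."""
    sw = make_switch(vlan20_out=ACL_101, vlan10_in=ACL_102)
    return (forward(sw, "icmp", "10.10.0.5", "10.20.0.1"),
            forward(sw, "tcp", "10.10.0.5", "10.20.0.1"))
```

Running the three scenarios reproduces the thread: with ACL 101 inbound on Vlan20 the ping from another VLAN is forwarded untouched, with it outbound the ping to hosts in either half of the 0.0.1.255 wildcard range is dropped while the gateway address still answers, and only an ACL 102 inbound on the other SVIs stops the gateway ping without touching other IP traffic.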

It's not an issue for me, but who knows what the higher ups will say. They don't take into account the technical side of things, if they want something done, they just want it done.

Thanks for the help. Much appreciated.
