Deny ICMP (Echo Reply)

Unanswered Question
Mar 26th, 2008

Hello all,


Let's say I wanted to deny ICMP traffic to a specific portion of a subnet so users cannot ping my switches/servers. Is there a way to go about this using an access list on my switches?


Thanks !



jkloza Wed, 03/26/2008 - 09:49

How would I go about doing this? Currently everything is in the default VLAN 1.

Istvan_Rabai Wed, 03/26/2008 - 10:44

Hi Jonathan,


What is (are) the type(s) of switches you are using?


It would be good to know at least whether you use layer 2 or layer 3 switches.


Thanks:

Istvan

jkloza Wed, 03/26/2008 - 11:17

Istvan,


We use Catalyst 3550s and 3750s, with a Catalyst 4006 as our core.


No problem, I figured it out before: I just created a permit icmp access list w/ the IPs I needed to be able to ping, then implicitly denied all others. I also allowed ip any / any w/ the access list, and applied it to our VLAN interface.


If there's a better way to do this just let me know :)


Thanks.

Istvan_Rabai Wed, 03/26/2008 - 11:35

Hi Jonathan,


The way you did it is OK. I can only give you an alternative ACL:


Deny icmp to the specific switches and servers first.

Then use permit ip any any.


I don't see which one is better, yours or mine, because it depends on the number of sources and destinations permitted and denied, and of course it depends on the placement of the acls.


As this will be an extended access-list and you want to deny traffic to certain destinations, it's better to place the access-lists as close to the destinations as possible.


This way you ensure that the least possible traffic needs to be examined by the access-lists and the least number of ACLs or ACL lines needs to be configured.


Cheers:

Istvan
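A worked configuration of the alternative Istvan describes, added here as an illustration; it is not taken from either poster's switches. The addresses, ACL names and VLAN layout are assumed, and it goes one step beyond the thread by also showing the VLAN access map needed when the targets share VLAN 1 with the users, because a router ACL on an SVI only sees routed traffic (and traffic addressed to the SVI itself), not frames bridged within the VLAN.

```cisco
! Addressing is assumed for this example (not from the thread):
!   users and servers both live in VLAN 1, 10.1.1.0/24
!   switch SVI (Vlan1)        = 10.1.1.1
!   servers to protect        = 10.1.1.32/27  (10.1.1.32 - 10.1.1.63, wildcard 0.0.0.31)
!   management host           = 10.1.1.250  (still allowed to ping)
!
! --- Istvan's form: deny ICMP to the targets first, then permit ip any any ---
ip access-list extended NO-PING-TO-INFRA
 remark management host may still ping the switch and the servers
 permit icmp host 10.1.1.250 host 10.1.1.1
 permit icmp host 10.1.1.250 10.1.1.32 0.0.0.31
 remark block only echo requests so unreachables (PMTUD) and traceroute replies survive
 deny   icmp any host 10.1.1.1 echo log
 deny   icmp any 10.1.1.32 0.0.0.31 echo log
 remark everything else passes; without this line the implicit deny drops all traffic
 permit ip any any
!
! Apply inbound on the SVI: this catches pings routed through the switch and pings
! addressed to the SVI itself (10.1.1.1). It does NOT see traffic bridged inside VLAN 1,
! so a user in VLAN 1 can still ping a server in VLAN 1 with only this in place.
interface Vlan1
 ip access-group NO-PING-TO-INFRA in
!
! --- Same-VLAN case: a VLAN access map filters bridged traffic as well ---
! In a VACL the ACL only classifies; "permit" means "this traffic matches the clause".
ip access-list extended MGMT-PING-TO-SERVERS
 permit icmp host 10.1.1.250 10.1.1.32 0.0.0.31 echo
ip access-list extended ANY-PING-TO-SERVERS
 permit icmp any 10.1.1.32 0.0.0.31 echo
!
vlan access-map BLOCK-PING 10
 match ip address MGMT-PING-TO-SERVERS
 action forward
vlan access-map BLOCK-PING 20
 match ip address ANY-PING-TO-SERVERS
 action drop
vlan access-map BLOCK-PING 30
 action forward
vlan filter BLOCK-PING vlan-list 1
!
! Verification after a test ping from a non-management host:
!   show ip access-lists NO-PING-TO-INFRA   (hit counters on the deny lines)
!   show vlan access-map BLOCK-PING
```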


