03-26-2008 08:41 AM - edited 03-05-2019 09:59 PM
Hello all,
Lets say I wanted to deny ICMP traffic to a specific portion of a subnet, so users cannot ping my switches / servers, is there a way to go about this using an access list on my switches?
Thanks !
03-26-2008 09:35 AM
Hi There
Yes, I believe this could be achieved with a VLAN ACL (VACL).
Best Regards,
Michael
03-26-2008 09:49 AM
How would I go about doing this ? Currently everything is in the default vlan 1.
03-26-2008 09:54 AM
Essentially you will have an ACL like:
access-list 102 deny icmp any host 10.1.1.1
You can use a VACL (VLAN Map)
03-26-2008 10:44 AM
Hi Jonathan,
What is (are) the type(s) of switches you are using?
It would be good to know at least if you use layer2 or layer 3 switches?
Thanks:
Istvan
03-26-2008 11:17 AM
Istvan,
We use catalyst 3550's, and 3750's. With a catalyst 4006 as our core..
No problem, I figured it out before: just created a permit ICMP access list with the IPs I needed to be able to ping, then implicitly denied all others. I also allowed ip any any with the access list, and applied it to our VLAN interface.
If there's a better way to do this just let me know :)
Thanks.
03-26-2008 11:35 AM
Hi Jonathan,
The way you did it is OK. I can only give you an alternative ACL:
Deny icmp to the specific switches and servers first.
Then use permit ip any any.
I don't see which one is better, yours or mine, because it depends on the number of sources and destinations permitted and denied, and of course it depends on the placement of the ACLs.
As this will be an extended access list and you want to deny traffic to certain destinations, it's better to place the access lists as close to the destinations as possible.
This way you ensure that the least possible traffic needs to be examined by the access lists and the least number of ACLs or ACL lines needs to be configured.
Cheers:
Istvan
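The two ACL orderings discussed above, plus the VLAN map from Michael's reply, written out in IOS syntax as an added example (not configuration posted by anyone in the thread). It assumes the protected switches and servers sit in 10.1.1.0/24 on VLAN 1, a management station at 10.1.2.50 in another VLAN, and ACL names of my choosing.

```cisco
! Added example. Assumed addresses: protected switches/servers in
! 10.1.1.0/24 (VLAN 1), management station 10.1.2.50 in another VLAN.
!
! Approach 1 (Jonathan's order): permit the pingers, deny the rest of
! ICMP to the protected hosts, then permit everything else explicitly.
ip access-list extended ICMP-FILTER
 permit icmp host 10.1.2.50 10.1.1.0 0.0.0.255
 remark only echo requests are denied, so unreachables/PMTUD still work
 deny   icmp any 10.1.1.0 0.0.0.255 echo
 permit ip any any
!
! Approach 2 (Istvan's order): deny the targets first, permit the rest.
ip access-list extended ICMP-DENY
 deny   icmp any host 10.1.1.1 echo
 deny   icmp any host 10.1.1.2 echo
 permit ip any any
!
! Apply outbound on the SVI: that is as close to the destinations as a
! routed ACL can get, and it only inspects traffic routed into VLAN 1.
interface Vlan1
 ip access-group ICMP-FILTER out
!
! Either ACL on the SVI sees only routed traffic. Pings from a host in
! VLAN 1 to a server in VLAN 1 are bridged, so they need the VACL
! Michael mentioned. In a VACL, "deny" in the matched ACL means
! "not matched by this sequence", so the management station falls
! through to sequence 20 and is forwarded.
ip access-list extended PING-TO-SERVERS
 deny   icmp host 10.1.2.50 any
 permit icmp any 10.1.1.0 0.0.0.255 echo
vlan access-map NO-PING 10
 match ip address PING-TO-SERVERS
 action drop
vlan access-map NO-PING 20
 action forward
vlan filter NO-PING vlan-list 1
!
! Verify hit counts per line after testing from an allowed and a denied host
! show access-lists ICMP-FILTER
! show vlan access-map NO-PING
```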