access list deny detaction

Unanswered Question
Jan 12th, 2009

does cisco router using ext access list for filtering, send some kind of reply to denied traffic sender? Is illegal packet just droped?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
John Blakley Mon, 01/12/2009 - 06:38

Illegal packets are dropped, and the sender isn't notified of anything.



Pavel Bykov Mon, 01/12/2009 - 06:45

Yes, sender is notified using ICMP packet - destination administratively prohibited.

Pavel Bykov Thu, 01/15/2009 - 21:49


"ip unreachables" is the default behavior, therefore when router block traffic, it itself will reply with Administratively Prohibited message (ICMP AP). The machine where you ping it from might not intercept it correctly, an just display the dot, but it's there (unless something in the way block it).

To disable locally originated ICMP AP messages: use "no ip unreachables" on interface.

To disable remotely originated ICMP AP messages: use "deny icmp any any administratively-prohibited" then "permit ip any any" and apply on the output.

John Blakley Mon, 01/12/2009 - 06:51

This isn't something I've ever seen. How are you configuring your ace in your acl, and how is the interface configured?

I know that if you have no ip unreachables, it won't tell you when traffic is dropped; you'll just get time-outs.

Let's say that you are on subnet, and you want to ping Your gateway is, but your have an acl that denies you to get to If you have ip unreachables enabled, it will tell you that the destination is unreachable with "Destination unreachable." If you enable "no ip unreachables", you'll get time outs. It doesn't respond to you with an administratively prohibited message.




This Discussion