Creating an ACL to Deny Pinging to a VLAN

Unanswered Question
Jan 19th, 2010

Hi guys, I just created a new VLAN on my network that I want to hide from network scans and pinging. I have created the following 2 rules in an access list:

access-list 102 deny icmp any any echo

access-list 102 deny icmp any any echo-reply

I have inserted this rule on my VLAN interface on the core switch. I have a few hosts connected to another switch on the network that are configured to use this VLAN, but they can still be pinged. Any ideas?

Much appreciated.

Javi

Jon Marshall Tue, 01/19/2010 - 14:16

brandinstitute wrote:

Hi guys, I just created a new VLAN on my network that I want to hide from network scans and pinging. I have created the following 2 rules in an access list:

access-list 102 deny icmp any any echo

access-list 102 deny icmp any any echo-reply

I have inserted this rule on my VLAN interface on the core switch. I have a few hosts connected to another switch on the network that are configured to use this VLAN, but they can still be pinged. Any ideas?

Much appreciated.

Javi

Javi

Well, one of the lines should work whichever way you applied it to the VLAN interface, i.e. if you applied it outbound the first line should stop ICMP pings, and if you applied it inbound the second line should. You're not pinging FROM the hosts on this VLAN, are you?

So which direction have you applied the ACL in, and are you seeing any hits on the ACL?

Can you post the full ACL? There must be more than that, otherwise all traffic to/from the VLAN should be denied.

Also, can you confirm that the clients you are pinging from are not in the same VLAN.

Jon

s.marino Tue, 01/19/2010 - 14:33

Javi,

Have you applied the "ip access-group 102" in or out on the VLAN interface?

Sal

brandinstitute Tue, 01/19/2010 - 15:13

Hi Sal,


I applied the ACL "in" on the VLAN interface. Just like this:

ip access-group 102 in

Is this correct?

brandinstitute Tue, 01/19/2010 - 15:15

Hi Jon,

The clients I'm pinging from are in a different VLAN; however, I did not try to ping from the VLAN that I want to disallow pinging to. I would like that VLAN to be able to ping but not to respond to pings or network scans.

I applied the ACL 102 "in", not "out".

Jon Marshall Tue, 01/19/2010 - 15:23

brandinstitute wrote:

Hi Jon,

The clients I'm pinging from are in a different VLAN; however, I did not try to ping from the VLAN that I want to disallow pinging to. I would like that VLAN to be able to ping but not to respond to pings or network scans.

I applied the ACL 102 "in", not "out".

If you want that VLAN to ping out but not respond to pings, then you only need the 2nd line, i.e.

access-list 102 deny icmp any any echo-reply

and then apply it inbound as you have done. If you include the 1st line in your ACL, then you will stop clients on that VLAN being able to ping out. Bear in mind also that there is an implicit deny at the end of any access-list, so the above ACL will block all traffic from your new VLAN, so you would need:

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

If you want to only allow certain IP traffic from your new VLAN, then the ACL will need modifying.

As to why it is not working: are you sure the interface you have applied the ACL to is the interface responsible for routing the new VLAN's traffic?

Jon
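
As an added illustration (not part of the thread), here is the full switch-side configuration that Jon's answer describes, with the original poster's ACL shown beside the corrected one. The SVI name Vlan100 is an assumption; use whichever SVI actually routes the new VLAN.

```cisco
! --- ACL as originally posted: the two deny entries plus the implicit
! --- "deny ip any any" at the end leave nothing permitted, so ALL traffic
! --- from hosts in the VLAN is dropped when the ACL is applied inbound.
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any echo-reply
! (implicit) deny ip any any

! --- Corrected ACL: hosts may still send echo requests out, but the
! --- echo-replies they generate in answer to someone else's ping are
! --- dropped; everything else is explicitly permitted.
no access-list 102
access-list 102 deny   icmp any any echo-reply
access-list 102 permit ip any any

! Apply it inbound on the SVI that routes the VLAN (assumed: Vlan100).
! "in" on an SVI filters packets arriving FROM hosts in the VLAN;
! "out" filters packets being routed INTO the VLAN.
interface Vlan100
 ip access-group 102 in

! Verification while a host in another VLAN pings a host in the VLAN:
! the hit counter on the deny line should increase.
!   show ip access-lists 102
!   show running-config interface Vlan100
```

Two caveats worth keeping in mind with this approach. A router ACL on the SVI only sees routed traffic, so two hosts inside the same VLAN can still ping each other, and the ACL does nothing for traffic switched at layer 2. Dropping echo-replies also only hides the hosts from ICMP ping; a TCP or UDP port scan will still get answers unless those protocols are filtered as well.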

Ganesh Hariharan Tue, 01/19/2010 - 22:30

Hi Javi,

Jon has given a brief solution for the ACL on the VLAN, which should work in your environment. Just another way to stop traffic entering the VLAN: I would suggest a VLAN access map.

VLAN Access-Lists (or VACLs) work exactly there, at the intra-VLAN traffic, so every time you need to filter internal traffic for a particular VLAN, a VACL can do the job.

Just a couple more things to have in mind before getting into an example.

   1.  IP packets can only be processed by IP access-lists;
   2.  Non-IP packets like ARP, MAC addresses, and others can only be processed by MAC access-lists.

! In a VACL the IP ACL only selects the traffic; the access-map's action
! decides what happens to it, so the entries that should be dropped use "permit".
access-list 101 permit icmp any any

Create the VACL (or VLAN map, whichever you prefer to call it) applying those rules:

vlan access-map Filter-VL7 20
 match ip address 101
 action drop
!
vlan access-map Filter-VL7 30
 action forward
!
vlan filter Filter-VL7 vlan-list 7

The above sample configuration will block the icmp traffic entering into vlan 7.

Hope that helps with your query!

Regards

Ganesh.H
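
As an added example that is not part of Ganesh's post, the VACL below narrows his generic "block ICMP" map to the original poster's actual requirement: hosts in the VLAN may ping out, but the echo-replies they send are dropped. The VLAN number 7 and the subnet 192.168.7.0/24 are assumptions for illustration.

```cisco
! Assumed: the new VLAN is vlan 7 and its hosts live in 192.168.7.0/24.
! The ACL SELECTS the packets to act on (hence "permit"); the action in
! the access-map sequence is what actually drops them.
ip access-list extended VL7-ECHO-REPLY
 permit icmp 192.168.7.0 0.0.0.255 any echo-reply

! Sequence 10: drop echo-replies sourced from the VLAN's own hosts.
vlan access-map Filter-VL7 10
 match ip address VL7-ECHO-REPLY
 action drop
! Sequence 20: a sequence with no match clause matches everything else;
! forward it so normal traffic (including outbound pings) still works.
vlan access-map Filter-VL7 20
 action forward

! Bind the map to the VLAN. A VACL is applied to traffic bridged inside
! the VLAN as well as traffic routed into or out of it, so this also
! stops two hosts in vlan 7 from pinging each other, which a router ACL
! on the SVI does not.
vlan filter Filter-VL7 vlan-list 7

! Verification:
!   show vlan access-map Filter-VL7
!   show vlan filter
```

Before rolling this out, remember that the SVI's own address is in the same subnet, so a more specific permit for the switch's address ahead of the drop sequence is needed if the switch itself must stay pingable, and that suppressing ICMP replies does nothing against TCP or UDP scans of the hosts.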
