How to Block Ping of Big size

Answered Question
May 22nd, 2012

Hi, I want to block ping bigger than 32 bytes on my network.

How can I do this?

I tried with deny icmp any any packet-too-big and deny icmp any any fragments

but no success.

Any suggestions?

sheahankp Tue, 05/22/2012 - 06:20

The commands that you've tried will not work because they are meant for giants, or for packets larger than the specified MTU. The lowest that you can go with an explicit MTU configuration is 128 bytes, so you will not be able to accomplish blocking ICMP packets larger than 32 bytes because it is much lower than the lowest configurable MTU.

What are you trying to accomplish by blocking these pings? Perhaps we can approach your desired end goal another way.

Kind Regards,

Kevin


ahmad82pkn Tue, 05/22/2012 - 06:24

What I am trying to do is: people in my network are doing continuous ping to a destination with ping x.x.x -t -l (size)

and that causes high utilization over my internet links.

I can't stop them, because they think it's the best way to check network health if their YouTube is loading slow.

I don't want to disable ICMP altogether since it's handy to find out if a remote host is down.

What are my options in this case?

Correct Answer
dancicioiu Tue, 05/22/2012 - 06:30

Hi,

You can use a class-map / policy-map.

class-map match-all ICMP-BIG
 match protocol icmp
 match packet length min 1500
policy-map PM_NORMALIZATION
 class ICMP-BIG
  drop

Apply the policy-map on the interface.

Dan

soroushm Tue, 05/22/2012 - 06:53

Hi,

Your best option is a QoS classification like what Dan wrote for you, in the proper direction on the interface.

That way you have the flexibility to match packets with the criteria you need. You could use match protocol icmp to make all ICMP packets be policed, or you can write access lists to selectively define who is eligible and who is not to send large packets: match access-group [access-list]

Also, for the packet length, Dan chose 1500 bytes; you can choose your desired size.

Or you can limit the bandwidth for ICMP use, using police rate [32 kbps] to limit the bandwidth for ping instead of packet size (it goes under the policy-map).

CheerZ.

Please rate if it helped.

Soroush.
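
The two options described in the post above (selecting sources with an access list, and policing ICMP bandwidth instead of matching on size) combined into one policy. This is an added example, not configuration posted by anyone in this thread; the ACL, class-map and policy-map names, the 192.0.2.10 monitoring address and the interface are placeholders, and the 1500-byte and 32 kbps values are the ones quoted in the thread.

```cisco
! Added example. All names, the 192.0.2.10 address and the interface are
! placeholders (assumptions), not values from the thread.
!
! A deny entry in an ACL used for classification means "do not match this
! class", so the monitoring server falls through to class-default untouched.
ip access-list extended ACL-ICMP-USERS
 remark monitoring server (placeholder address) is exempt
 deny   icmp host 192.0.2.10 any
 permit icmp any any echo
 permit icmp any any echo-reply
!
! Non-exempt pings at or above the size limit
class-map match-all ICMP-USERS-BIG
 match access-group name ACL-ICMP-USERS
 match packet length min 1500
!
! All other non-exempt pings
class-map match-all ICMP-USERS
 match access-group name ACL-ICMP-USERS
!
policy-map ICMP-LIMIT
 ! Oversized pings are dropped outright
 class ICMP-USERS-BIG
  drop
 ! Remaining pings share 32 kbps; the excess is dropped
 class ICMP-USERS
  police 32000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 service-policy output ICMP-LIMIT
```

Classes are evaluated in the order they appear in the policy-map, so the size-based drop class has to come before the general policing class.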

ahmad82pkn Thu, 05/24/2012 - 06:42

It worked.

Looks like I need to buy a QoS book now, never studied QoS yet. lol.

Here is my final config. Also, GRE has an additional header so it takes a few bytes, so if I block a packet size of 100 bytes then ICMP of 90 bytes is also dropped due to the additional GRE header, I guess. So I had to give it some cushion.

Also, ORION and Solarwinds use 60+- bytes of ICMP for monitoring, so I got quite a few alerts when I restricted ICMP to 40 bytes initially.

Thank you Dan and Soroushm for your useful information.

class-map match-all ICMP-BIG
 match protocol icmp
 match packet length min 100 max 2000
!
policy-map ICMP-NORMALIZATION
 class ICMP-BIG
  drop
!
int tunnel 5000
 service-policy output ICMP-NORMALIZATION

ttemirgaliyev Thu, 05/24/2012 - 21:36

As was said here, I limited all ICMP traffic to reserve bandwidth for useful applications,

so nobody can disturb the network with ICMP.

class-map match-any Cl_ICMP
 match protocol icmp
class-map match-all voice
 match protocol rtp
policy-map pm1
 class c1
  priority 50
  set precedence 3
 class c2
  priority 256
  set precedence 3
 class c3
  priority 480
  set precedence 3
 class Cl_ICMP
  ! ICMP is limited to 30 kbps here
  shape average 30000
 class voice
  priority 500
  set precedence 5
 class class-default
! this policy is applied to the interface
policy-map pm2
 class class-default
  shape average 2000000
  service-policy pm1

Posted May 22, 2012 at 6:12 AM
Tags: ping, size, block