How to Block Ping of Big size

ahmad82pkn
Level 2

Hi, I want to block pings bigger than 32 bytes on my network.

How can I do this?

I tried deny icmp any any packet-too-big and deny icmp any any fragments,

but no success.

Any suggestions?

Accepted Solutions

Hi,

You can use a class-map / policy-map.

class-map match-all ICMP-BIG
 match protocol icmp
 match packet length min 1500
!
policy-map PM_NORMALIZATION
 class ICMP-BIG
  drop

Apply the policy-map on the interface.

Dan


Kevin P Sheahan
Level 5

The commands that you've tried will not work because they are meant for giants, or for packets larger than the specified MTU. The lowest that you can go with an explicit MTU configuration is 128 bytes, so you will not be able to accomplish blocking ICMP packets larger than 32 bytes because it is much lower than the lowest configurable MTU.

What are you trying to accomplish by blocking these pings? Perhaps we can approach your desired end goal another way.

Kind Regards,

Kevin


What I am trying to do is this: people in my network are doing continuous pings to a destination with ping x.x.x -t -l (size),

and that causes high utilization on my internet links.

I can't stop them, because they think it's the best way to check network health if their YouTube is loading slowly.

I don't want to disable ICMP altogether, since it's handy for finding out if a remote host is down.

What are my options in this case?

Hi,

Your best option is a QoS classification like what Dan wrote for you, in the proper direction on the interface.

That way you have the flexibility to match packets with the criteria you need. You could use match protocol icmp to make all ICMP packets be policed, or you can write access lists to selectively define who is eligible to send large packets and who is not: match access-group [access-list]

Also, for the packet length, Dan chose 1500 bytes; you can choose your desired size.

Or you can limit the bandwidth for ICMP, using police rate [32 kbps] to limit the bandwidth for ping instead of the packet size (it goes under the policy-map).

CheerZ.

Please rate if it helped.

Soroush.

ahmad82pkn
Level 2

It worked.

Looks like I need to buy a QoS book now, I never studied QoS yet. lol.

Here is my final config. Also, GRE has an additional header, so it takes a few bytes; if I block a packet size of 100 bytes, then ICMP of 90 bytes is also dropped due to the additional GRE header, I guess. So I had to give it some cushion.

Also, Orion and SolarWinds use 60 +/- bytes of ICMP for monitoring, so I got quite a few alerts when I restricted ICMP to 40 bytes initially.

Thank you Dan and Soroushm for your useful information.

class-map match-all ICMP-BIG
 match protocol icmp
 match packet length min 100 max 2000
!
policy-map ICMP-NORMALIZATION
 class ICMP-BIG
  drop
!
int tunnel 5000
 service-policy output ICMP-NORMALIZATION
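
A variant that combines the two suggestions from Soroush's reply (match access-group and police) with the final config above, given as an added example and not as any poster's own configuration. The ACL, class-map and policy-map names are hypothetical, the interface is assumed to be the GRE tunnel from the post above, and the sizes and rate are the ones quoted in the thread. Because match protocol icmp matches every ICMP type, the ACL here narrows the class to echo and echo-reply so that ICMP error messages (unreachable, packet-too-big), which can themselves exceed 100 bytes, are never touched.

```cisco
! Added example: hypothetical names, values taken from the thread.
! Match only ping traffic, not ICMP error messages used by PMTUD.
ip access-list extended ICMP-ECHO-ONLY
 permit icmp any any echo
 permit icmp any any echo-reply
!
! Both conditions must hold: it is a ping AND it is 100-2000 bytes long.
class-map match-all ICMP-BIG-ECHO
 match access-group name ICMP-ECHO-ONLY
 match packet length min 100 max 2000
!
! Rate-limit large pings to 32 kbps instead of dropping every one of them.
! Small pings (monitoring probes of roughly 60 bytes) fall into class-default.
policy-map ICMP-NORMALIZATION-POLICED
 class ICMP-BIG-ECHO
  police 32000 conform-action transmit exceed-action drop
!
interface Tunnel5000
 service-policy output ICMP-NORMALIZATION-POLICED
!
! Check the per-class packet and drop counters after applying:
!   show policy-map interface Tunnel5000
```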

No problem, more than happy to help!

Hope it Helps!

Soroush.

As was told here, I limited all ICMP traffic to reserve bandwidth for useful applications,

so nobody can disturb the network with ICMP.

class-map match-any Cl_ICMP
 match protocol icmp
class-map match-all voice
 match protocol rtp
!
policy-map pm1
 class c1
  priority 50
  set precedence 3
 class c2
  priority 256
  set precedence 3
 class c3
  priority 480
  set precedence 3
 class Cl_ICMP
  ! ICMP is limited to 30 kbps here
  shape average 30000
 class voice
  priority 500
  set precedence 5
 class class-default
!
! this policy is applied to the interface
policy-map pm2
 class class-default
  shape average 2000000
  service-policy pm1
