Cisco Support Community

New Member

Access-list to deny icmp

I need to do an access-list to deny icmp traffic to a specific subnet (vlan).

I did one yesterday with:

access-list 101 deny icmp any xxx.xx.xx.0 0.0.1.255

access-list 101 permit ip any any

It didn't work.

Help appreciated.

9 REPLIES
Hall of Fame Super Blue

Re: Access-list to deny icmp

Hi

Which direction did you apply it in on the vlan interface? It needs to be applied outbound.

Jon

Hall of Fame Super Silver

Re: Access-list to deny icmp

Kristen

If you really want to deny all icmp (which could be a separate discussion) then the access list looks reasonable to accomplish that (assuming that the address and mask are correct for that subnet/VLAN). Can you tell us on what interface and in what direction you assigned the access list?

HTH

Rick

New Member

Re: Access-list to deny icmp

That was quick! Thanks guys!

Jon mentioned applying it outbound. When I tried it yesterday, I applied it inbound on the vlan interface.

Which is another question. I am applying this on my distribution switch, therefore I am assuming I need to apply it to the vlan interface that I want to deny the icmp traffic on?

Hall of Fame Super Blue

Re: Access-list to deny icmp

Hi

Think of it like this.

Traffic inbound to a vlan is traffic coming from machines on that vlan.

Traffic outbound to a vlan is traffic going to machines on that vlan.

So you want to apply on the vlan interface where the machines that you want to deny icmp to are located.

HTH

Jon

New Member

Re: Access-list to deny icmp

Ok, and apply it outbound on that vlan?

Hall of Fame Super Blue

Re: Access-list to deny icmp

Yes.

New Member

Re: Access-list to deny icmp

I applied the access list and it works, but I can ping the default gateway. No devices are pingable.

Hall of Fame Super Blue

Re: Access-list to deny icmp

Hi

Yes, you will be able to, because the outbound access-list is applied as the traffic is about to be transmitted onto the vlan.

If this is a problem you would need to apply an acl on all your other router interfaces:

access-list 102 deny icmp any host

access-list 102 permit ip any any

and then apply this access-list inbound on all the other interfaces.

But this is a lot of trouble and error prone. Is it really an issue?

Jon
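The direction rule Jon describes (an outbound ACL on the SVI only sees transit traffic being sent onto the VLAN, and never packets the router itself originates, such as the gateway's own echo replies) can be checked with a small model. This is an added example, not code from the thread or from Cisco; the subnet 10.1.2.0 with wildcard 0.0.1.255 is a constructed placeholder for the xxx.xx.xx.0 above, and the functions are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "icmp", "tcp", ... or "ip" (matches any protocol)
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a ^ n) & care == 0

def acl_decision(acl, proto, src, dst) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.proto in ("ip", proto) and wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"

def svi_filter(direction, acls, proto, src, dst, locally_generated=False) -> str:
    """Model of an SVI with optional 'in'/'out' ACLs.
    'in'  = packet arriving from hosts on the VLAN; 'out' = packet being sent onto the VLAN.
    Traffic the router originates (e.g. the gateway's echo reply) bypasses the outbound ACL."""
    if locally_generated:
        return "permit"
    acl = acls.get(direction)
    return "permit" if acl is None else acl_decision(acl, proto, src, dst)

# Constructed: access-list 101 as in the thread, applied outbound only on the VLAN's SVI.
ACL_101 = [
    AclEntry("deny", "icmp", "any", "10.1.2.0 0.0.1.255"),
    AclEntry("permit", "ip", "any", "any"),
]
VLAN_SVI = {"in": None, "out": ACL_101}
```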

New Member

Re: Access-list to deny icmp

It's not an issue for me, but who knows what the higher ups will say. They don't take into account the technical side of things; if they want something done, they just want it done.

Thanks for the help. Much appreciated.
