Cisco Support Community
Community Member

ACL for ICMP

I just created an ACL as below to block ICMP except from host 10.10.1.1. But that host still can't ping this interface or the hosts behind it after I applied the ACL to the interface. I don't know why. I know this is a silly question :(

access-list 110 deny icmp any any
access-list 110 permit ip any any
access-list 110 permit icmp host 10.10.1.1 any
access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo

interface Ethernet1/0
 ip address 10.10.1.2 255.255.255.0
 ip access-group 110 in

15 REPLIES
Hall of Fame Super Blue

Re: ACL for ICMP

ACLs are processed line by line from the start, and your first line is denying ICMP from anywhere. Note that icmp on its own covers echo and echo-reply.

You need to rewrite your access-list to

access-list 110 permit icmp host 10.10.1.1 any
access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo
access-list 110 deny icmp any any
access-list 110 permit ip any any

Edit - should have said the 2 lines

access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo

are redundant because the line above

access-list 110 permit icmp host 10.10.1.1 any

covers both of the following 2 lines. If you just want to allow ping then leave in those 2 lines and remove this line from your access-list:

access-list 110 permit icmp host 10.10.1.1 any

Jon

Community Member

Re: ACL for ICMP

It works!

I know that those 2 lines are not necessary. I just added them because "access-list 110 permit icmp host 10.10.1.1 any" didn't work at that time...

Many thanks.

Hall of Fame Super Gold

Re: ACL for ICMP

David

There is a simple explanation for your issue. The key to it is that access lists are processed one step at a time, in order, and that the first statement that is a true condition will cause the router to execute that permit or deny and not to look at anything further in the access list. And since the first statement in the list is:

access-list 110 deny icmp any any

it will deny all icmp traffic. And the statements later in the list to permit 10.10.1.1 will never execute. To fix it move the deny icmp any any to the bottom of the list.

HTH

Rick

Hall of Fame Super Blue

Re: ACL for ICMP

Rick

Just a quick point. If the line

access-list 110 deny icmp any any

is moved to the bottom of the access-list then no ICMP will be blocked because of the permit ip any any line. Hence the reason I reordered the ACL.

Jon
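To make the first-match behaviour Jon and Rick are discussing concrete, here is a small added Python model of extended-ACL evaluation (not a Cisco tool and not code from this thread). It assumes only `any`/`host` addresses and the ip/icmp protocols, and constructs the three orderings discussed: the original list, Jon's reordered list, and the "deny moved to the bottom" variant that ends up shadowed by permit ip any any.

```python
import ipaddress

def parse_ace(line):
    """Parse an extended ACE of the shape used in this thread. Assumptions: addresses are
    'any' or 'host A.B.C.D', protocol is ip or icmp, optional trailing ICMP type name."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    def take_addr(r):
        if r[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), r[1:]
        if r[0] == "host":
            return ipaddress.ip_network(r[1] + "/32"), r[2:]
        raise ValueError(r)
    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    return action, proto, src, dst, (rest[0] if rest else None)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """First-match evaluation: the first ACE whose condition is true decides and later
    ACEs are never consulted; no match falls through to the implicit deny."""
    for line in acl:
        action, p, s, d, t = parse_ace(line)
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if t is not None and t != icmp_type:  # bare 'icmp' covers every ICMP type
            continue
        return action, line
    return "deny", "implicit deny"

# Constructed copies of the three orderings discussed in the thread.
ORIGINAL = [
    "access-list 110 deny icmp any any",
    "access-list 110 permit ip any any",
    "access-list 110 permit icmp host 10.10.1.1 any",
]
REORDERED = [  # specific permit first, then deny icmp, then permit ip
    "access-list 110 permit icmp host 10.10.1.1 any",
    "access-list 110 deny icmp any any",
    "access-list 110 permit ip any any",
]
DENY_AT_BOTTOM = [  # deny placed below 'permit ip any any': shadowed, blocks nothing
    "access-list 110 permit icmp host 10.10.1.1 any",
    "access-list 110 permit ip any any",
    "access-list 110 deny icmp any any",
]
```

Calling `evaluate(ORIGINAL, "icmp", "10.10.1.1", "10.10.1.2", "echo")` returns the deny from line one, while the same packet against `REORDERED` is permitted and an echo from any other source (for example a constructed 172.16.2.5) is denied; against `DENY_AT_BOTTOM` every ICMP packet is permitted by permit ip any any before the deny is ever reached.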

Hall of Fame Super Gold

Re: ACL for ICMP

Jon

Point well taken. I focused on the need to move the general deny any below the more specific permits. But anything that follows permit any any does not have any effect. I should have thought more thoroughly in my response.

HTH

Rick

Hall of Fame Super Blue

Re: ACL for ICMP

Rick

No problem, just didn't want to confuse the OP. You are one of the most precise and thoughtful people on these forums and I think the rest of us would be very happy if we were as consistent as you.

Jon

Hall of Fame Super Gold

Re: ACL for ICMP

Jon

I share your concern that the OP not be confused and appreciate your clarification (which was spot on).

I appreciate your compliment about my participation in the forum. I do try to set a pretty high standard, and being human once in a while I fail to meet that standard. In those instances I appreciate it when someone points out an incomplete or inconsistent aspect of my response. It all helps make the forum better.

HTH

Rick

Community Member

Re: ACL for ICMP

But it doesn't work when I apply it to a switch port. ICMP is blocked from every IP address. Is anything wrong? Thanks.

interface GigabitEthernet1/2
 switchport access vlan 10
 switchport mode access
 ip access-group 110 in

Extended IP access list 110
    10 permit icmp host 10.10.1.1 any
    20 permit icmp host 10.10.1.1 any log
    30 permit icmp host 10.10.1.1 any log-input
    40 deny icmp any any log (7 matches)
    50 deny icmp any any log-input
    60 permit ip any any (1809 matches)

Hall of Fame Super Blue

Re: ACL for ICMP

What is the subnet IP range for vlan 10 ?

Jon

Community Member

Re: ACL for ICMP

Jon, it's a 27-bit subnet.

Hall of Fame Super Blue

Re: ACL for ICMP

Sorry, I meant what is the actual address range. The reason I ask is because the ACL is applied inbound, so host 10.10.1.1 would have to be in vlan 10. If it isn't, that is why you are not getting any matches.

Jon

Community Member

Re: ACL for ICMP

Jon, it's my misunderstanding.

The IP range of vlan 10 is 172.16.2.x.

The switch is a layer 3 switch. Host 10.10.1.1 is on another vlan. They can ping each other without the ACL.

If this way is not practicable, should I apply the ACL to a layer 3 port of this switch, or somewhere else? Thanks.

Hall of Fame Super Blue

Re: ACL for ICMP

Depends on what you want to achieve. Assuming you want to allow host 10.10.1.1 to ping anything outside its vlan, but then stop any other host in the same vlan as 10.10.1.1 from pinging anything, then you need to apply your ACL inbound on the L3 vlan interface that host 10.10.1.1 is in.

Jon

Community Member

Re: ACL for ICMP

Got it. Many thanks.

Community Member

Re: ACL for ICMP

Understood. I always copied the configuration from other examples before, so I never noticed the sequence of the entries. I need to learn more details. Thanks!
