Cisco Support Community
Community Member

Blocking ICMP

Hi;

Is it sufficient to apply the following statement,

deny ip any 10.0.0.0 0.0.0.255

if I want to block PINGs to the 10.0.0.0/8 subnet? Or do I have to use

deny icmp any 10.0.0.0 0.255.255.255?

I am under the impression that the keyword "ip" in the ACL statement is all-encompassing. But that the "icmp" keyword comes in handy if, say, you want to deny icmp, but then allow all other IP traffic

like...

deny icmp any any

permit ip any any

My lab is down, can't try it out now.

Can anyone please do so for me?

Thanks

5 REPLIES
Cisco Employee

Re: Blocking ICMP

If you want to block PING to 10.0.0.0/8, you can just do deny icmp any 10.0.0.0 0.255.255.255 echo.

If you use deny ip any 10.0.0.0 0.255.255.255, this will block ALL IP traffic.

Regards,

jerry

Community Member

Re: Blocking ICMP

Thank you, Jerry..

I understand what denying ip any any means in terms of denying all traffic.

My question is specifically about ICMP, though.

Will

"deny ip any 10.0.0.0 0.255.255.255"

block icmp pings? Yes or no? (I know it will block other ip traffic, but will it ALSO block icmp pings, too?)

In other words, if I want to block ALL traffic, INCLUDING ICMP, is the "ip" keyword sufficient??

Thanks!

Cisco Employee

Re: Blocking ICMP

Yes.

Community Member

Re: Blocking ICMP

Thank you...please don't be offended, but it's important..

are you 125% sure? :-)

Thanks

Super Bronze

Re: Blocking ICMP

Since ICMP is part of the IP protocol suite, it should block pings, and all other IP traffic, to destination 10.0.0.0/8, as noted by Jerry.

PS:

Do note, Jerry noted

"deny ip any 10.0.0.0 0.255.255.255"

rather than your OP's

"deny ip any 10.0.0.0 0.0.0.255"
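
The two points settled in this thread (the "ip" keyword matches ICMP along with every other IP protocol, and the wildcard mask decides how much of 10.0.0.0/8 is covered) can be checked offline with a small model of extended-ACL matching. This is an added example, not part of the original posts and not Cisco code; the function names, the trailing "permit ip any any" entries and the test addresses are assumptions made for illustration, and only entries with source "any" are handled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'action proto any dst wildcard [icmp-type]' (source must be 'any')."""
    tok = line.split()
    action, proto, src = tok[0], tok[1], tok[2]
    if src != "any":
        raise ValueError("only 'any' source is handled in this sketch")
    if tok[3] == "any":
        dst, rest = ("0.0.0.0", "255.255.255.255"), tok[4:]
    else:
        dst, rest = (tok[3], tok[4]), tok[5:]
    return {"action": action, "proto": proto, "dst": dst,
            "icmp_type": rest[0] if rest else None}

def evaluate(acl, proto, dst, icmp_type=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):   # 'ip' matches every IP protocol
            continue
        if not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["icmp_type"] and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"]
    return "deny"

# Constructed ACLs: the first entry of each comes from the thread,
# the trailing permit is added so non-matching traffic is visible.
OP_ACL = ["deny ip any 10.0.0.0 0.0.0.255", "permit ip any any"]
SLASH8_ACL = ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"]
ECHO_ONLY_ACL = ["deny icmp any 10.0.0.0 0.255.255.255 echo", "permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("0.0.0.255", OP_ACL), ("0.255.255.255", SLASH8_ACL),
                      ("icmp echo only", ECHO_ONLY_ACL)):
        print(name, "| ping 10.1.2.3:", evaluate(acl, "icmp", "10.1.2.3", "echo"),
              "| tcp 10.1.2.3:", evaluate(acl, "tcp", "10.1.2.3"))
```

With the 0.0.0.255 wildcard a ping to 10.1.2.3 is permitted because only 10.0.0.0 through 10.0.0.255 match the deny entry.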
