11-09-2009 06:47 PM - edited 03-06-2019 08:31 AM
Hi;
Is it sufficient to apply the following statement,
deny ip any 10.0.0.0 0.0.0.255
if I want to block PINGs to the 10.0.0.0/8 subnet? Or do I have to use
deny icmp any 10.0.0.0 0.255.255.255?
I am under the impression that the keyword "ip" in the ACL statement is all-encompassing. But that the "icmp" keyword comes in handy if, say, you want to deny icmp, but then allow all other IP traffic
like...
deny icmp any any
permit ip any any
My lab is down, can't try it out now.
Can anyone please do so for me?
Thanks
11-09-2009 06:51 PM
If you want to block PING to 10.0.0.0/8, you can just do deny icmp any 10.0.0.0 0.255.255.255 eq echo.
If you use deny ip any 10.0.0.0 0.255.255.255, this will block ALL IP traffic.
Regards,
jerry
11-09-2009 07:01 PM
Thank you, Jerry..
I understand what denying ip any any means in terms of denying all traffic.
My question is specifically about ICMP, though.
Will
"deny ip any 10.0.0.0 0.255.255.255"
block icmp pings? Yes or no? (I know it will block other ip traffic, but will it ALSO block icmp pings, too?)
In other words, if I want to block ALL traffic, INCLUDING ICMP, is the "ip" keyword sufficient??
Thanks!
11-09-2009 07:11 PM
Yes.
11-09-2009 07:40 PM
Thank you...please don't be offended, but it's important..
are you 125% sure? :-)
Thanks
11-09-2009 08:23 PM
Since ICMP is part of the IP protocol suite, it should block pings, and all other IP traffic, to destination 10.0.0.0/8, as noted by Jerry.
PS:
Do note, Jerry noted
"deny ip any 10.0.0.0 0.255.255.255"
rather than your OP's
"deny ip any 10.0.0.0 0.0.0.255"
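Added example, not part of any post in this thread: a simplified Python model of first-match extended-ACL evaluation that checks the three statements discussed above against sample packets, including the difference between the 0.0.0.255 and 0.255.255.255 wildcards. The function names and sample addresses are constructed for illustration, and the model assumes source "any" and ignores ICMP type keywords.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, dst):
    """Return 'permit' or 'deny' for a packet, using first-match order.

    Only the entry forms seen in the thread are modelled (assumption):
      <action> <proto> any any
      <action> <proto> any <base> <wildcard>
    """
    for line in acl:
        action, ace_proto, src, *dest = line.split()
        if src != "any":
            raise ValueError("this sketch only models source 'any'")
        # 'ip' matches every IP protocol, ICMP included; 'icmp' matches ICMP only.
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if dest == ["any"] or wildcard_match(dst, dest[0], dest[1]):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Statements from the thread, each followed by a permit so the deny is isolated.
ACL_OP_MASK = ["deny ip any 10.0.0.0 0.0.0.255", "permit ip any any"]
ACL_IP_SLASH8 = ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"]
ACL_ICMP_SLASH8 = ["deny icmp any 10.0.0.0 0.255.255.255", "permit ip any any"]

if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination address).
    packets = [("icmp", "10.0.0.5"), ("icmp", "10.1.2.3"),
               ("tcp", "10.1.2.3"), ("icmp", "192.0.2.1")]
    for name, acl in [("ip, wildcard 0.0.0.255", ACL_OP_MASK),
                      ("ip, wildcard 0.255.255.255", ACL_IP_SLASH8),
                      ("icmp, wildcard 0.255.255.255", ACL_ICMP_SLASH8)]:
        print(name)
        for proto, dst in packets:
            print(f"  {proto:4} -> {dst:10} {evaluate(acl, proto, dst)}")
```
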