
Blocking ICMP

visitor68
Level 4

Hi;

Is it sufficient to apply the following statement,

deny ip any 10.0.0.0 0.0.0.255

if I want to block PINGs to the 10.0.0.0/8 subnet? Or do I have to use

deny icmp any 10.0.0.0 0.255.255.255?

I am under the impression that the keyword "ip" in the ACL statement is all-encompassing. But that the "icmp" keyword comes in handy if, say, you want to deny icmp, but then allow all other IP traffic

like...

deny icmp any any

permit ip any any

My lab is down, can't try it out now.

Can anyone please do so for me?

Thanks

5 Replies

Jerry Ye
Cisco Employee

If you want to block PING to 10.0.0.0/8, you can just do deny icmp any 10.0.0.0 0.255.255.255 eq echo.

If you use deny ip any 10.0.0.0 0.255.255.255, this will block ALL IP traffic.

Regards,

jerry

Thank you, Jerry..

I understand what denying ip any any means in terms of denying all traffic.

My question is specifically about ICMP, though.

Will

"deny ip any 10.0.0.0 0.255.255.255"

block icmp pings? Yes or no? (I know it will block other ip traffic, but will it ALSO block icmp pings, too?)

In other words, if I want to block ALL traffic, INCLUDING ICMP, is the "ip" keyword sufficient??

Thanks!

Yes.

Thank you...please don't be offended, but it's important..

are you 125% sure? :-)

Thanks

Since ICMP is part of the IP protocol suite, it should block pings, and all other IP traffic, to destination 10.0.0.0/8, as noted by Jerry.

PS:

Do note, Jerry noted

"deny ip any 10.0.0.0 0.255.255.255"

rather than your OP's

"deny ip any 10.0.0.0 0.0.0.255"

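Added example, not part of any reply in this thread: a small Python model of how the ACL statements quoted above are matched, showing that the `ip` keyword covers ICMP and that the wildcard mask decides which destinations a statement covers. It handles only the `ACTION PROTOCOL any DESTINATION` shape used here and assumes first-match evaluation with an implicit deny at the end; the function names, list names and test addresses are constructed for illustration.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse 'ACTION PROTO any any' or 'ACTION PROTO any NET WILDCARD'."""
    tok = line.split()
    if len(tok) not in (4, 5) or tok[0] not in ("permit", "deny") or tok[2] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    if len(tok) == 4:
        if tok[3] != "any":
            raise ValueError(f"unsupported ACE: {line!r}")
        net, wildcard = 0, 0xFFFFFFFF          # 'any' = every bit is "don't care"
    else:
        net, wildcard = ip_int(tok[3]), ip_int(tok[4])
    return tok[0], tok[1], net, wildcard

def ace_matches(ace, proto, dst):
    _, ace_proto, net, wildcard = ace
    # 'ip' matches every IP protocol, ICMP included; otherwise it must be equal.
    if ace_proto not in ("ip", proto):
        return False
    # Wildcard bits set to 1 are ignored; the remaining bits must equal the ACE address.
    care = ~wildcard & 0xFFFFFFFF
    return (ip_int(dst) & care) == (net & care)

def evaluate(acl, proto, dst):
    """Return the action of the first matching ACE, or the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, proto, dst):
            return ace[0]
    return "deny"

# The statements from the thread, each followed by 'permit ip any any'.
OP_MASK   = ["deny ip any 10.0.0.0 0.0.0.255",       "permit ip any any"]
SLASH_8   = ["deny ip any 10.0.0.0 0.255.255.255",   "permit ip any any"]
ICMP_ONLY = ["deny icmp any 10.0.0.0 0.255.255.255", "permit ip any any"]

if __name__ == "__main__":
    # Constructed test destinations: one in 10.0.0.0/24, one elsewhere in 10.0.0.0/8.
    for name, acl in (("OP_MASK", OP_MASK), ("SLASH_8", SLASH_8), ("ICMP_ONLY", ICMP_ONLY)):
        for proto in ("icmp", "tcp"):
            for dst in ("10.0.0.5", "10.1.2.3"):
                print(f"{name:9} {proto:4} -> {dst:9} {evaluate(acl, proto, dst)}")
```

With the 0.0.0.255 wildcard from the original post, a ping to 10.1.2.3 falls through to the permit, which is the mismatch the last reply points out.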