Cisco Support Community

Deny ICMP (Echo Reply)

Hello all,

Let's say I wanted to deny ICMP traffic to a specific portion of a subnet, so users cannot ping my switches / servers. Is there a way to go about this using an access list on my switches?

Thanks !


Re: Deny ICMP (Echo Reply)

Hi There

Yes, I believe this could be achieved with a VLAN ACL (VACL).

Best Regards,



Re: Deny ICMP (Echo Reply)

How would I go about doing this? Currently everything is in the default VLAN 1.

Re: Deny ICMP (Echo Reply)

Essentially you will have an ACL like:

! ICMP is its own IP protocol, not a TCP port, and "host" takes an address
access-list 102 deny icmp any host <switch-or-server-ip>

You can use a VACL (VLAN Map)
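Added example (not from the original reply) of what the VLAN map approach looks like on a Catalyst switch. All addresses and names are constructed: 192.0.2.10 stands in for a switch or server you want to protect, VLAN 1 is the VLAN from the thread. Note that in a VACL the ACL is only used for matching, so "permit" here means "this traffic matches the drop action":

```ios
! Constructed example: stop hosts in VLAN 1 from pinging a management address,
! while forwarding all other traffic untouched.
!
! Matching ACL: "permit" selects the traffic the access-map sequence acts on
ip access-list extended ICMP-TO-MGMT
 permit icmp any host 192.0.2.10 echo
!
! Sequence 10 drops matched ICMP echo; sequence 20 has no match clause,
! so it forwards everything else (without it, unmatched traffic is dropped)
vlan access-map BLOCK-ICMP 10
 match ip address ICMP-TO-MGMT
 action drop
vlan access-map BLOCK-ICMP 20
 action forward
!
! Apply the map to the VLAN; this filters traffic bridged within VLAN 1,
! which a router ACL on the SVI would not see
vlan filter BLOCK-ICMP vlan-list 1
```

The advantage over an ACL on the SVI is that a VACL also catches pings between hosts in the same VLAN, which never pass through a Layer 3 interface. Check with "show vlan access-map" and "show vlan filter" that the map is attached to the intended VLAN.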

Re: Deny ICMP (Echo Reply)

Hi Jonathan,

What is (are) the type(s) of switches you are using?

It would be good to know at least whether you use layer 2 or layer 3 switches.




Re: Deny ICMP (Echo Reply)


We use Catalyst 3550s and 3750s, with a Catalyst 4006 as our core.

No problem, I figured it out before: I just created a permit ICMP access list with the IPs I needed to be able to ping, then implicitly denied all others. I also allowed ip any/any with the access list, and applied it to our VLAN interface.

If there's a better way to do this just let me know :)


Re: Deny ICMP (Echo Reply)

Hi Jonathan,

The way you did it is OK. I can only give you an alternative ACL:

Deny icmp to the specific switches and servers first.

Then use permit ip any any.

I don't see which one is better, yours or mine, because it depends on the number of sources and destinations permitted and denied, and of course it depends on the placement of the acls.

As this will be an extended access-list and you want to deny traffic to certain destinations, it's better to place the access-lists as close to the destinations as possible.

This way you ensure that the least possible traffic needs to be examined by the access-lists and the least number of ACLs or ACL lines needs to be configured.
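Added example (not from either poster) showing both ACL styles discussed in this thread side by side: the asker's allow-list of ping sources, and the reply's deny-list of protected destinations, each applied to the VLAN 1 SVI. Addresses are constructed from RFC 5737 ranges; substitute your own. One caveat the allow-list style needs: "permit ip any any" also matches ICMP, so the "implicit deny" of other ICMP has to be written explicitly before it, otherwise the final line lets the unlisted sources ping anyway:

```ios
! Style A (the asker's approach): named ping sources may send ICMP,
! everyone else's ICMP is dropped, all other IP traffic is allowed.
ip access-list extended ICMP-ALLOWED-SOURCES
 permit icmp host 192.0.2.50 any
 permit icmp 192.0.2.64 0.0.0.15 any        ! 192.0.2.64-79, e.g. a NOC range
 deny   icmp any any                        ! must be explicit; see caveat above
 permit ip any any
!
! Style B (the reply's alternative): deny ICMP echo to the specific
! switches and servers first, then permit everything else.
ip access-list extended ICMP-PROTECTED-HOSTS
 deny   icmp any host 198.51.100.1 echo     ! constructed: a switch management IP
 deny   icmp any host 198.51.100.2 echo     ! constructed: a server
 permit ip any any
!
! Apply one of them inbound on the SVI, as the asker did; the "in" direction
! filters traffic arriving from VLAN 1 hosts, including traffic addressed to
! the SVI itself.
interface Vlan1
 ip access-group ICMP-PROTECTED-HOSTS in
```

Two things to check after applying either style: "show ip access-lists" to confirm the deny counters increment when a blocked host pings, and whether the users and the protected hosts share a VLAN. An SVI ACL only sees traffic that is routed, so pings between two hosts inside VLAN 1 bypass it entirely; for that case the VACL suggested earlier in the thread is the right tool. Style B also matches the reply's placement advice, since it only has to exist on the SVI nearest the protected hosts.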


