Cisco Support Community

Protect Loopback

Hi

How can I protect my loopback interface? An extended ACL doesn't work :-(

interface Loopback 1
 ip address 1.1.1.1 255.255.255.128
 ip address 1.1.1.2 255.255.255.128 secondary
 ip address 1.1.1.3 255.255.255.128 secondary
 ip access-group JUST_ICMP in

ip access-list extended JUST_ICMP
 permit icmp any host 1.1.1.2
 deny ip any any

When I ping from remote-->1.1.1.3 it's pingable and no matching in ACL (even in deny)

Why?

thanks

Accepted Solution

To protect the loopback interface it does not work to put the access list on the loopback interface itself. You would need to put the access list on the interface on which the packet got to the router. So you potentially would need the access list on several interfaces.

The reason for this is that when you ping a router interface the router does not send the ping all the way to the destination interface. When a packet comes in a router interface and the router looks at how to forward the packet and finds that the router is the destination then the router just processes the packet and does not send the packet all the way to the destination interface.

HTH

Rick
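
The placement described in the answer above, as an added example that is not part of the original thread. The interface names GigabitEthernet0/0 and GigabitEthernet0/1 and the ACL name PROTECT_LOOPBACK are assumptions; the addresses are the ones from the question.

```cisco
! Added example; interface names and the ACL name are assumptions.
! The ACL on the loopback is never consulted for traffic addressed to the
! router, so remove it from there.
interface Loopback1
 no ip access-group JUST_ICMP in
!
ip access-list extended PROTECT_LOOPBACK
 remark Allow ICMP only to the one loopback address that should answer
 permit icmp any host 1.1.1.2
 remark Permit any routing or management sessions that terminate on
 remark these addresses here, above the deny
 remark Drop everything else addressed to the loopback subnet 1.1.1.0/25
 deny ip any 1.1.1.0 0.0.0.127
 remark Transit traffic must be permitted explicitly, otherwise the
 remark implicit deny at the end drops everything on these interfaces
 permit ip any any
!
! Apply inbound on every interface through which packets can reach the router.
interface GigabitEthernet0/0
 ip access-group PROTECT_LOOPBACK in
!
interface GigabitEthernet0/1
 ip access-group PROTECT_LOOPBACK in
```

After applying it, `show ip access-lists PROTECT_LOOPBACK` should show the match counter on the deny entry increasing when a remote host pings 1.1.1.3.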
