Solved: Re: To block ping to nei switch

mahesh18 · ‎04-17-2010

Hi all,

I want to block ping to switch which is connected to fa1/0 interface of router here is my config

access-list 103 deny icmp 192.168.1.1 0.0.0.0 192.168.1.10 0.0.0.0 echo host-unknown log
access-list 103 permit ip any any

switch IP is 192.168.1.10

Router ip 192.168.1.1

Lan interface of router config

interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 103 out

i tried both ip access-group 103 out and in still ping is going?

thanks

Jon Marshall · ‎04-17-2010

mahesh18 wrote:

Hi jon

thanks for reply.

so on switch i can apply the acl like this on switch

2950T(config)#access-list 100 deny icmp 192.168.1.1 0.0.0.0 host 192.168.1.10 echo
2950T(config)#acce
2950T(config)#access-list 100 permit ip any any
2950T(config)#exit

now switch interface fa0/16 is connected to router should i apply acl on fa0/16 on switch interface?

thanks

mahesh

Mahesh

If this is a 2950 switch you can't apply an IP address to an interface. What have you assigned the IP address to on the switch ?

If is a L3 vlan interface then apply it to that ie.

int vlan 10

ip access-group 100 in

Jon

View solution in original post

Jon Marshall · ‎04-17-2010

mahesh18 wrote:

Hi all,

I want to block ping to switch which is connected to fa1/0 interface of router here is my config

access-list 103 deny icmp 192.168.1.1 0.0.0.0 192.168.1.10 0.0.0.0 echo host-unknown log
access-list 103 permit ip any any

switch IP is 192.168.1.10

Router ip 192.168.1.1

Lan interface of router config

interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 103 out

i tried both ip access-group 103 out and in still ping is going?

thanks

Mahesh

An acl applied outbound on a router interface does not filter traffic generated from that interface. So if you are pinging from the router it will still ping. If you pinged from a device connected to another interface on the router to the switch it should work.

Alternatively if you want to stop the router pinging the switch you need to apply the acl inbound on the switch.

Jon

mahesh18 · ‎04-17-2010

Hi jon

thanks for reply.

so on switch i can apply the acl like this on switch

2950T(config)#access-list 100 deny icmp 192.168.1.1 0.0.0.0 host 192.168.1.10 echo
2950T(config)#acce
2950T(config)#access-list 100 permit ip any any
2950T(config)#exit

now switch interface fa0/16 is connected to router should i apply acl on fa0/16 on switch interface?

thanks

mahesh

Jon Marshall · ‎04-17-2010

mahesh18 wrote:

Hi jon

thanks for reply.

so on switch i can apply the acl like this on switch

2950T(config)#access-list 100 deny icmp 192.168.1.1 0.0.0.0 host 192.168.1.10 echo
2950T(config)#acce
2950T(config)#access-list 100 permit ip any any
2950T(config)#exit

now switch interface fa0/16 is connected to router should i apply acl on fa0/16 on switch interface?

thanks

mahesh

Mahesh

If this is a 2950 switch you can't apply an IP address to an interface. What have you assigned the IP address to on the switch ?

If is a L3 vlan interface then apply it to that ie.

int vlan 10

ip access-group 100 in

Jon

mahesh18 · ‎04-17-2010

Hi Jon,

thanks again.

Best regards

mahesh