Cisco Support Community
Community Member

To block ping to nei switch

Hi all,

I want to block ping to the switch which is connected to the fa1/0 interface of the router. Here is my config:

access-list 103 deny icmp 192.168.1.1 0.0.0.0 192.168.1.10 0.0.0.0  echo host-unknown  log
access-list 103 permit ip any any

switch IP is 192.168.1.10

Router ip 192.168.1.1

Lan interface of router config

interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 103 out

I tried both ip access-group 103 out and in; ping is still going?

thanks

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: To block ping to nei switch

mahesh18 wrote:

Hi Jon,

Thanks for the reply.

So on the switch I can apply the ACL like this:

2950T(config)#access-list 100 deny icmp 192.168.1.1 0.0.0.0 host 192.168.1.10 echo
2950T(config)#acce
2950T(config)#access-list 100 permit ip any any
2950T(config)#exit

Now, switch interface fa0/16 is connected to the router. Should I apply the ACL on fa0/16 on the switch?

thanks

mahesh

Mahesh

If this is a 2950 switch you can't apply an IP address to an interface. What have you assigned the IP address to on the switch?

If it is an L3 VLAN interface then apply it to that, i.e.

int vlan 10

ip access-group 100 in

Jon

4 REPLIES
Hall of Fame Super Blue

Re: To block ping to nei switch

mahesh18 wrote:

Hi all,

I want to block ping to the switch which is connected to the fa1/0 interface of the router. Here is my config:

access-list 103 deny icmp 192.168.1.1 0.0.0.0 192.168.1.10 0.0.0.0  echo host-unknown  log
access-list 103 permit ip any any

switch IP is 192.168.1.10

Router ip 192.168.1.1

Lan interface of router config

interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 103 out

I tried both ip access-group 103 out and in; ping is still going?

thanks

Mahesh

An acl applied outbound on a router interface does not filter traffic generated from that interface. So if you are pinging from the router it will still ping. If you pinged from a device connected to another interface on the router to the switch it should work.

Alternatively if you want to stop the router pinging the switch you need to apply the acl inbound on the switch.

Jon
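
The behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of first-match ACL evaluation with wildcard masks, run against the thread's ACL on each device and direction. It assumes (as the reply states) that an outbound ACL is not applied to packets the device itself originates, and that the switch's address sits on a VLAN interface that accepts an ACL; the function and variable names are hypothetical.

```python
import ipaddress
from collections import namedtuple

# Packet model: ICMP type names follow the IOS keywords (echo, echo-reply).
Packet = namedtuple("Packet", "src dst proto icmp_type")
# ACL entry model: wildcard bits set to 1 are "don't care", as in IOS.
Ace = namedtuple("Ace", "action proto src src_wc dst dst_wc icmp_type")

def wc_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.icmp_type and ace.icmp_type != pkt.icmp_type:
            continue
        if wc_match(pkt.src, ace.src, ace.src_wc) and wc_match(pkt.dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"

def filtered(acl, pkt, direction, device_ip):
    """True if the ACL on this device drops the packet.
    Assumption from the thread: outbound ACLs skip locally generated packets."""
    if direction == "out" and pkt.src == device_ip:
        return False
    return evaluate(acl, pkt) == "deny"

ANY = ("0.0.0.0", "255.255.255.255")
ROUTER, SWITCH = "192.168.1.1", "192.168.1.10"
# The thread's ACL: deny echo from router to switch, then permit everything.
ACL = [
    Ace("deny", "icmp", ROUTER, "0.0.0.0", SWITCH, "0.0.0.0", "echo"),
    Ace("permit", "ip", *ANY, *ANY, None),
]
request = Packet(ROUTER, SWITCH, "icmp", "echo")
reply = Packet(SWITCH, ROUTER, "icmp", "echo-reply")

def ping_succeeds(device_ip, direction):
    """Does the router's ping complete with the ACL on this device/direction?"""
    if device_ip == ROUTER:
        # Router fa1/0: the request leaves (out), the reply arrives (in).
        pkt = request if direction == "out" else reply
    else:
        # Switch VLAN interface: the request arrives (in), the reply leaves (out).
        pkt = request if direction == "in" else reply
    return not filtered(ACL, pkt, direction, device_ip)
```

Applied inbound on the router, the ACL only ever sees the echo reply (source 192.168.1.10), which the deny entry does not match; only the inbound direction on the switch sees the echo request itself.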

Community Member

Re: To block ping to nei switch

Hi Jon,

Thanks for the reply.

So on the switch I can apply the ACL like this:

2950T(config)#access-list 100 deny icmp 192.168.1.1 0.0.0.0 host 192.168.1.10 echo
2950T(config)#acce
2950T(config)#access-list 100 permit ip any any
2950T(config)#exit

Now, switch interface fa0/16 is connected to the router. Should I apply the ACL on fa0/16 on the switch?

thanks

mahesh

Community Member

Re: To block ping to nei switch

Hi Jon,

thanks again.

Best regards

mahesh
