
ACL to block ICMP

cisconoobie
Level 2

I have an HSRP router plugged into port g1/0/15 on a 3750G switch.

I want to deny all ICMP traffic. Can I use this ACL on this int?

The HSRP Router address is 210.233.44.130

ip access-list extended deny-icmp
 permit icmp host 210.233.44.0 any
 remark Do not allow ICMP Traffic
 deny icmp any any
 permit ip any any

Will this work on

int g1/0/15
 ip access-list deny-icmp in


chris.baird
Level 1

The only issue I see is that you have the network address 210.233.44.0 identified as a host address. Also, if your goal is to block all ICMP, why are you allowing this host?

This will block all ICMP per your request:

ip access-list extended deny-icmp
 deny icmp any any
 permit ip any any

Please rate if this helps

Thanks,

Chris

Because the HSRP router is tracking this port, I'm not sure if HSRP uses ICMP to track interfaces.

Since the router 210.233.44.130 is on the same subnet, I thought it should be permitted.

Perhaps you should use the .130 address in the ACL instead of .0.

Unless you configure object tracking to use ICMP, HSRP is not using ICMP.

"standby 1 track interface s0/0" does not use ICMP.

HTH

Cool thanks.
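
The `host 210.233.44.0` versus `.130` point raised in the thread, as an added example that is not from any poster: a minimal top-down, first-match evaluator for the `any`/`host` entry forms used above, run against the ACL as asked, with `.130` substituted, and as given in the reply. The helper names `parse_ace` and `evaluate` are hypothetical, the destination 192.0.2.10 is a constructed sample, and wildcard masks are not modelled.

```python
import ipaddress

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst>'; src/dst is 'any' or 'host A.B.C.D'."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append(None)              # None means "match every address"
            rest = rest[1:]
        elif rest[0] == "host" and len(rest) >= 2:
            specs.append(ipaddress.ip_address(rest[1]))
            rest = rest[2:]
        else:
            raise ValueError(f"unsupported address spec in: {line!r}")
    if len(specs) != 2:
        raise ValueError(f"expected source and destination in: {line!r}")
    return action, proto, specs[0], specs[1]

def evaluate(acl_lines, proto, src, dst):
    """Return (action, matching_entry) using top-down, first-match evaluation."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        if line.split()[0] == "remark":     # remarks are comments, never matched
            continue
        action, ace_proto, ace_src, ace_dst = parse_ace(line)
        if ace_proto not in ("ip", proto):  # 'ip' covers every IP protocol
            continue
        if ace_src is not None and ace_src != src:
            continue
        if ace_dst is not None and ace_dst != dst:
            continue
        return action, line
    return "deny", "(implicit deny at end of ACL)"

# ACL as posted in the question (host entry uses the .0 network address)
QUESTION_ACL = ["permit icmp host 210.233.44.0 any",
                "remark Do not allow ICMP Traffic",
                "deny icmp any any",
                "permit ip any any"]
# Same ACL with the .130 router address substituted, as suggested in the thread
SUGGESTED_ACL = ["permit icmp host 210.233.44.130 any"] + QUESTION_ACL[1:]
# ACL from the reply that blocks all ICMP
REPLY_ACL = ["deny icmp any any", "permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("question", QUESTION_ACL), ("suggested", SUGGESTED_ACL), ("reply", REPLY_ACL)):
        print(name, evaluate(acl, "icmp", "210.233.44.130", "192.0.2.10"))
```
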
