Still i could able to ping the IP address even with the configuration you have mentioned.

That's weird...

Could you post the exact configuration you have got ?

Paresh

The explanation for this is fairly simple. The access list is functioning as expected and it prevents transit traffic (traffic through the router) from being forwarded but it does not prevent traffic generated by the router from being forwarded. This is standard behavior and the IOS has always worked this way. There is not any adjustment to the access list which will prevent the router itself from pinging those addresses.

HTH

Rick

Rick,

That explanation is fine for an outbound access-list. However, an inbound access-list should still be able to filter traffic, regardless of whether it's bound for the router or is transit traffic. The second ACL I specified was for inbound traffic so it should have stopped incmong traffic ....

Paresh

Paresh

The original question was clearly about an outbound access list and why when the access list was applied ping packets from the router were still sent. That is the question that I answered.

Your point that an inbound access list is 100% effective in supressing traffic from that subnet is quite correct. But I believe the original question was how to stop the outbound traffic. And IOS does not give the ability to stop outbound traffic that originates from the router itself. Perhaps the original poster can clarify what he was asking about.

HTH

Rick

Howdy Rick,

Point taken.. it's sometimes hard to understand whether a post is in reply to the last post or the original post so I just wanted to clear that mis-understanding :-)

As you said, there is no way to stop the router sending out the ICMP packet. We can filter out the reply which will prevent ping from working but that does not stop the original echo request from being sent out in the first place.

Cheers,

Paresh

Actually, Rick, I just had a thought. The following could work (haven't tried it out though):

access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo

access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply

!

route-map LOCAL_POLICY permit 10

match ip address 101

set interface null0

!

ip local policy route-map LOCAL_POLICY

What do you think ?

Paresh

Paresh

The Policy Routing solution is a very interesting thought. I have not tried it but I believe that it probably would work.

And since I believe that the intent in the original post was to prevent all traffic going to that subnet it might be possible to simplify access list 101 to this:

access-list 101 deny ip any 192.168.1.0 0.0.0.255

HTH

Rick

Just tried out it, Rick... and it works !

So here's the solution for the original poster:

! this first portion is to deny transit traffic to 192.168.1.0/24

int s1/1

ip access-group 101 out

!

access-list 101 deny ip any 192.168.1.0 0.0.0.255

access-list 101 permit ip any any

! this second portion is to deny router-originated traffic to 192.168.1.0/24

access-list 199 permit ip any 192.168.1.0 0.0.0.255

!

route-map LOCAL_POLICY permit 10

match ip address 199

set interface null0

!

ip local policy route-map LOCAL_POLICY

Hope that solves your problem.

Paresh