Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
750
Views
5
Helpful
7
Replies

deny a big ping

amenash123
Level 1
Level 1

‎08-08-2006 11:53 PM - edited ‎03-03-2019 01:36 PM

hi

how can i deny a big from the world to my router,i want that small ping like for exemple 32 byte will be avalible , but big ping will be deny.

thanks

Labels:
0 Helpful
7 Replies 7

Mikhail.Galiulin
Level 1
Level 1

‎08-09-2006 12:15 AM

Hi,

I think you should check policy-based routing.

There are some possibilities to match packets after its size (match length _min _max). I never used this feature myself but on paper it looks promising... :-)

Check this document for example

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d2.html

//Mikhail Galiulin

0 Helpful

amenash123
Level 1
Level 1

‎08-09-2006 12:22 AM

i don't want to deny addresses i wany to deny a big ping to my interface.

0 Helpful

Mikhail.Galiulin
Level 1
Level 1
In response to amenash123

‎08-09-2006 12:34 AM

This is exactly what I recommend:

use MATCH LENGTH command in route map

//Mikhail Galiulin

0 Helpful

amenash123
Level 1
Level 1
In response to Mikhail.Galiulin

‎08-09-2006 12:43 AM

i understand you

but what if want to move a big packet like 1400

and ping i want to move maximum 32?

0 Helpful

Mikhail.Galiulin
Level 1
Level 1
In response to amenash123

‎08-09-2006 12:52 AM

I guess you need to combine two "match" statements in the same route map - one will be based on extended access-list and choose only ping trafic and another one will check the packet size.

//Mikhail Galiulin

0 Helpful

amenash123
Level 1
Level 1
In response to Mikhail.Galiulin

‎08-09-2006 02:46 AM

i try that and it's not success

0 Helpful

Mikhail.Galiulin
Level 1
Level 1
In response to amenash123

‎08-09-2006 04:00 AM

Hi,

Here is the solution that works (just tried it in my lab on 2 17XX routers):

!

class-map match-all large_ping

match packet length min 1000

match protocol icmp

!

policy-map tst

class large_ping

drop

!

interface FastEthernet0

ip address 192.168.112.252 255.255.255.0

service-policy input tst

Here is the result:

EMBOR1FRA#ping 192.168.112.252 size 1000

Type escape sequence to abort.

Sending 5, 1000-byte ICMP Echos to 192.168.112.252, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

EMBOR1VPNA#ping 192.168.112.252 size 999

Type escape sequence to abort.

Sending 5, 999-byte ICMP Echos to 192.168.112.252, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

EMBOR1VPNA#

//Mikhail Galiulin

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card