10-11-2019 07:14 AM - edited 10-11-2019 07:15 AM
Two questions that I couldn't figure out.
1 - While configuring an ACL in my network, I could deny some host A from communicating with host B (then I see destination host unreachable).
The problem is when I try to ping from host B to host A there is a session timed out. How do I fix it?
2 - Port security in a network with VLANs and router on a stick: while I configure the port security, I only have ping inside the same VLAN, but not to other VLANs. -
interface X
 switchport mode access
 switchport port-security
 ! "switchport port-security sticky" is not a valid IOS command; the sticky learning keyword is "mac-address sticky"
 switchport port-security mac-address sticky
 ! save the running configuration
 do write memory
10-11-2019 08:34 AM - edited 10-11-2019 08:50 AM
Hi @Ni0n
If your ACL is like this:
deny A B
applied to the interface connected to A with direction "IN",
then:
Ping A to B -> denied on the interface when entering - destination unreachable
Ping B to A -> allowed through to the destination - reply denied when returning on the interface where A is connected - session timed out
10-12-2019 06:02 PM
Hi!! @luis_cordova
Thank you for the reply!!
I didn't really understand that, since when I deny host A to host B it works; however, host B can't ping host A back, and I haven't figured it out yet. So please explain again.
About port-security, ping fails between VLANs when I turn port security on, for some reason.
10-13-2019 08:25 PM
Hi @Ni0n
Assuming that the ACL is applied on the router interface that connects to A, with direction "IN":
Ping A to B
The ping that leaves A reaches the router interface.
The router compares the incoming packet with the ACL and denies the ping.
Then, the router sends an ICMP packet to A, indicating that it cannot route the ping.
Therefore, the message shown on A is "destination unreachable".
Ping B to A
The ping that leaves B arrives at the router interface.
The router passes the ping from the incoming interface to the outgoing interface.
The router does not compare the packet with the ACL, as the packet is leaving the router to A and the ACL is configured to be applied to incoming packets (IN).
Then the ping leaves the router and reaches A.
Device A responds to the ping, but when the reply reaches the router, the router compares the incoming reply with the ACL and the reply is denied.
Device B shows the "request time out" message, as it receives no reply within the default time (1 second).
Regards
10-11-2019 08:45 AM
Hi @Ni0n
About portsecurity, I suggest you attach the settings of all the ports of your switch.
Regards
10-13-2019 09:20 AM
Hello Friend,
The ICMP protocol has, among others, these packet types:
- ICMP Echo (ping)
- ICMP Echo Reply (ping reply)
What is common when we configure an ACL is that we deny a host or an entire network from testing connectivity to other devices, which leads us to configure something like this:
access-list 100 deny icmp 172.16.2.0 0.0.0.255 host 168.243.3.14
What happens is that the echo reply is implicitly denied along with the echo, that is, we can neither ping from that network nor ping into it. So, if you only want to deny that the network can ping other devices, you can deny only echo and permit echo-reply, so that we can still test connectivity to those devices.
ip access-list extended incoming
 permit icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo-reply
ip access-list extended outgoing
 permit icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo
or
access-list 100 permit icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo-reply
access-list 100 deny icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo
access-list 100 remark an implicit deny follows; add permit entries for any other traffic that must still pass
Regards.
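To make the two explanations above concrete (the direction-of-application walk-through in luis_cordova's answer and the echo / echo-reply split in the last reply), here is a small stateless ACL simulator. It is an added example, not code from this thread or from Cisco: it parses IOS-style extended ACL entries, applies them inbound on the router interface facing host A, and replays both pings. The host addresses, the trailing `permit ip any any` entry, the simplified one-ACL topology and the messages shown to the pinging host are assumptions for illustration.

```python
"""Stateless ACL walk-through for both ping directions (added example, not from the thread).
Assumes: one IOS-style extended ACL applied INBOUND on the router interface facing
host A's network, contiguous wildcard masks only, and illustrative addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ECHO, ECHO_REPLY = 8, 0  # ICMP type numbers

# Assumed topology: A is in 172.16.2.0/24, B is 168.243.3.14 (the thread's example addresses).
A_NET, HOST_A, HOST_B = "172.16.2.0/24", "172.16.2.10", "168.243.3.14"

# The thread's first ACL: every ICMP packet from A's network to B is denied (permit ip any any assumed).
ACL_DENY_ALL_ICMP = """
access-list 100 deny icmp 172.16.2.0 0.0.0.255 host 168.243.3.14
access-list 100 permit ip any any
"""
# The echo / echo-reply split: A may still answer pings but may not originate them.
ACL_DENY_ECHO_ONLY = """
access-list 100 permit icmp 172.16.2.0 0.0.0.255 host 168.243.3.14 echo-reply
access-list 100 deny icmp 172.16.2.0 0.0.0.255 host 168.243.3.14 echo
access-list 100 permit ip any any
"""

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    icmp_type: Optional[int] = None

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'X WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [echo|echo-reply]' entries, in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":  # numbered syntax: drop 'access-list 100'
            tokens = tokens[2:]
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, tokens = _parse_addr(tokens[2:])
        dst, tokens = _parse_addr(tokens)
        icmp_type = {"echo": ECHO, "echo-reply": ECHO_REPLY}.get(tokens[0]) if tokens else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries

def acl_action(entries, pkt):
    """First matching entry wins; the implicit deny at the end is modelled too."""
    for action, proto, src, dst, icmp_type in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"

def ping(acl_text, src, dst, a_net=A_NET):
    """Replay an echo request and its reply; return what the pinging host sees.
    Only packets entering from A's side meet the ACL (it is inbound on that interface).
    A request dropped on entry gets an ICMP unreachable back; a dropped reply just vanishes."""
    entries = parse_acl(acl_text)
    a_net = ipaddress.ip_network(a_net)

    def checked(pkt):
        return ipaddress.ip_address(pkt.src) in a_net

    request = Packet(src, dst, icmp_type=ECHO)
    if checked(request) and acl_action(entries, request) == "deny":
        return "Destination host unreachable"
    reply = Packet(dst, src, icmp_type=ECHO_REPLY)
    if checked(reply) and acl_action(entries, reply) == "deny":
        return "Request timed out"
    return f"Reply from {dst}"

def walkthrough():
    """Both ACLs in both directions, keyed by (acl, direction)."""
    return {
        ("deny all icmp", "A->B"): ping(ACL_DENY_ALL_ICMP, HOST_A, HOST_B),
        ("deny all icmp", "B->A"): ping(ACL_DENY_ALL_ICMP, HOST_B, HOST_A),
        ("deny echo only", "A->B"): ping(ACL_DENY_ECHO_ONLY, HOST_A, HOST_B),
        ("deny echo only", "B->A"): ping(ACL_DENY_ECHO_ONLY, HOST_B, HOST_A),
    }

if __name__ == "__main__":
    for (acl, direction), result in walkthrough().items():
        print(f"{acl:15s} {direction}: {result}")
```

With the first ACL the simulator reports "Destination host unreachable" for A to B and "Request timed out" for B to A, which is exactly the asymmetry the original poster saw: the request from B never touches the ACL, only A's reply does. With the echo-only deny, B gets its reply back while A still cannot ping B. On a real router the inbound drop produces an ICMP type 3 code 13 (administratively prohibited) message unless `no ip unreachables` is set on the interface, and the "timed out" wording is what the Windows ping client prints. For TCP the same return-traffic problem is usually handled with the `established` keyword; ICMP has no equivalent flag, which is why the echo / echo-reply split is the stateless way to allow one direction only.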