Blocking ICMP on Catalyst 3750 switch vlan

snowmizer
Level 1

I have set up an ACL on my 3750 switch to deny icmp from PC A on our inside network to PC B on a different VLAN on our inside network using the following ACLs:

deny icmp host 10.1.17.15 host 10.3.10.4

deny icmp host 10.3.10.4 host 10.1.17.15

-- or --

deny icmp host 10.1.17.15 host 10.3.10.4 echo-reply
deny icmp host 10.3.10.4 host 10.1.17.15 echo-reply

These ACLs belong to an access-list that also limits ip traffic to a few specific machines.

When I try pinging from PC A I receive a reply message back from PC B. Shouldn't this configuration block any ICMP from PC A to PC B and from PC B to PC A? I would have expected the first ACL statement to block any packets associated with ICMP and when that didn't work I tried the second configuration.

I'm sure I'm missing something small but am not sure what it is.

Thanks.


6 Replies

cadet alain
VIP Alumni

Hi,

Can you provide a quick sketch of the topology and tell us where you applied the ACL?

Regards.

Alain.

Don't forget to rate helpful posts.

               Catalyst 4506--------------------------Catalyst 3750----------------------------PC
               VLAN 30                                   VLAN 30
                       |                                     ACL is applied on
                       |                                     VLAN 30 here (inbound interface)
                       |
               Catalyst 3750
                       |
               User PC that shouldn't
               be able to ping on VLAN 10

Hi,

Can you post sh access-list and sh ip int Vlan30?

Regards.

Alain.

Don't forget to rate helpful posts.

Vlan30 is up, line protocol is up
  Internet address is 10.3.5.12/21
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is BLDG_ACL
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP CEF switching is disabled
  IP Null turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: Access List, MCI Check
  Output features: Check hwidb

sh access-list

    10 permit ip host 10.1.17.91 host 10.3.10.4
    20 permit ip host 10.3.10.4 host 10.1.17.91
    30 deny icmp host 10.1.17.15 host 10.3.10.4
    40 deny icmp host 10.3.10.4 host 10.1.17.15
    500 deny ip any any (200515 matches)

Looking at the sh ip int vlan30 it looks like the ICMP unreachables and redirects are always sent. I'm wondering if this could be my problem. Do you have to explicitly block every possibility for ICMP?

Thanks.

ICMP unreachables and redirects are always sent. I'm wondering if this could be my problem.

No, these are ICMP messages from the router, not from the host.

Do you have to explicitly block every possibility for ICMP?

No, unless you want some specific ICMP messages to be blocked.

500 deny ip any any (200515 matches)

You have no matches on your lines 30 and 40 but apparently on line 500, so this is surely not your ping traffic, as it is working. I would assume the traffic you want to block is not using the interface Vlan 30.

Can you apply this ACL on a port on the first switch, not on an interface?

If it's still failing, post sh run of the 2 switches as well as sh ip arp.

Regards.

Alain.

Don't forget to rate helpful posts.
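As an added example (not code from the original post or from Cisco), the Python script below parses the sh access-list output quoted in this thread, applies IOS first-match semantics to work out which entry a ping between 10.1.17.15 and 10.3.10.4 would hit, and then reads the per-entry match counters to make Alain's point mechanically: entries 30 and 40 would deny both directions of the ping, but their counters are zero, so the ping is not entering the switch through Vlan30. The sample ACL text is constructed from the thread's output; the echo-reply variant is constructed from the poster's second attempt; port qualifiers on tcp/udp entries are out of scope and rejected.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 'sh access-list' output posted in the thread.
SHOW_ACCESS_LIST = """\
    10 permit ip host 10.1.17.91 host 10.3.10.4
    20 permit ip host 10.3.10.4 host 10.1.17.91
    30 deny icmp host 10.1.17.15 host 10.3.10.4
    40 deny icmp host 10.3.10.4 host 10.1.17.15
    500 deny ip any any (200515 matches)
"""

# Constructed variant of the poster's second attempt (echo-reply qualifiers).
SHOW_ACCESS_LIST_ECHO_REPLY = """\
    10 permit ip host 10.1.17.91 host 10.3.10.4
    20 permit ip host 10.3.10.4 host 10.1.17.91
    30 deny icmp host 10.1.17.15 host 10.3.10.4 echo-reply
    40 deny icmp host 10.3.10.4 host 10.1.17.15 echo-reply
    500 deny ip any any
"""

ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
                    r"\s+(?P<rest>.*?)(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$")


def ip_to_int(text: str) -> int:
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class AddrSpec:
    base: int       # IOS address
    wildcard: int   # IOS wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: str) -> bool:
        return ((ip_to_int(ip) ^ self.base) & ~self.wildcard & 0xFFFFFFFF) == 0


def parse_addr(tokens: list, i: int) -> tuple:
    """Consume 'host X', 'any' or 'X WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(ip_to_int(tokens[i + 1]), 0), i + 2
    return AddrSpec(ip_to_int(tokens[i]), ip_to_int(tokens[i + 1])), i + 2


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    icmp_type: Optional[str]  # keyword such as 'echo-reply'; None means any ICMP type
    matches: int

    def covers(self, proto: str, src: str, dst: str, icmp_type: Optional[str]) -> bool:
        return (self.proto in ("ip", proto)
                and self.src.matches(src) and self.dst.matches(dst)
                # a type qualifier narrows the entry: 'deny icmp ... echo-reply'
                # never touches the echo request travelling the other way
                and (self.icmp_type is None or self.icmp_type == icmp_type))


def parse_acl(text: str) -> list:
    """Parse 'show access-list' text into Ace objects in sequence order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header or blank line
        if m["proto"] in ("tcp", "udp"):
            raise ValueError(f"port qualifiers not handled: {line.strip()}")
        tokens = m["rest"].split()
        src, i = parse_addr(tokens, 0)
        dst, i = parse_addr(tokens, i)
        icmp_type = tokens[i] if m["proto"] == "icmp" and i < len(tokens) else None
        aces.append(Ace(int(m["seq"]), m["action"], m["proto"], src, dst,
                        icmp_type, int(m["matches"] or 0)))
    return aces


def first_match(aces: list, proto: str, src: str, dst: str,
                icmp_type: Optional[str] = None) -> Optional[Ace]:
    """IOS semantics: the first matching entry wins; None means the implicit deny."""
    return next((a for a in aces if a.covers(proto, src, dst, icmp_type)), None)


def ping_report(aces: list, pinger: str, target: str) -> dict:
    """Entry acting on each direction of a ping as (seq, action, matches), plus 'seen':
    deny verdicts with 'seen' False mean the ACL is right but the ping never enters
    through the interface the ACL is applied to."""
    req = first_match(aces, "icmp", pinger, target, "echo")
    rep = first_match(aces, "icmp", target, pinger, "echo-reply")

    def row(a: Optional[Ace]) -> tuple:
        return (a.seq, a.action, a.matches) if a else (None, "deny", 0)

    return {"request": row(req), "reply": row(rep),
            "seen": any(a is not None and a.matches > 0 for a in (req, rep))}


if __name__ == "__main__":
    acl = parse_acl(SHOW_ACCESS_LIST)
    print("ping 10.1.17.15 -> 10.3.10.4:", ping_report(acl, "10.1.17.15", "10.3.10.4"))
```

Run as-is, the report gives (30, deny, 0) for the echo request and (40, deny, 0) for the reply with seen False: the ACL would block the ping if the packets passed through Vlan30, and the zero counters say they do not. That is the situation in the thread, and it is why moving the same list to the physical port the PC connects to (ip access-group BLDG_ACL in on that interface, where the traffic actually enters the switch) was the fix the poster confirmed. The echo-reply variant shows the other trap from the first post: with a type qualifier, entry 30 no longer matches the outbound echo request at all, which then falls through to entry 500.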

Applying the ACL on the port worked exactly like I wanted.

Thanks.