12-28-2017 09:09 PM - last edited on 03-25-2019 03:50 PM by ciscomoderator
Hello All,
Is there a way that I can allow ICMP ping to a physical or virtual interface of a router and block all other pings? I know this can be achieved using an ACL just by permitting the interface IP and blocking ICMP for all other IPs. But I need to configure this on many routers, so I wanted to check if there is a way to allow it only to one interface, like the management interface.
Thanks,
raghavendra
12-29-2017 05:27 AM
Hello
Use control plane policing to do this.
You will negate all the subnets you DON'T wish to access the devices, assuming you would know the network ranges being used in your network, thus leaving only the subnet you wish to be allowed to access the device.
Example:
! The sources listed in this ACL are the ones to be DROPPED: the class-map matches them and the policy-map drops them
ip access-list extended NO-icmp-ssh-telnet
 permit icmp 10.0.0.0 0.255.255.255 any echo
 permit icmp 20.0.0.0 0.255.255.255 any echo
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp 20.0.0.0 0.255.255.255 any eq 22
 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
 permit tcp 20.0.0.0 0.255.255.255 any eq telnet
! Classify the unwanted control-plane traffic
class-map match-any NO-icmp-ssh-telnet_CM
 match access-group name NO-icmp-ssh-telnet
! Drop that class; everything else (class-default) is still delivered to the control plane
policy-map NO-icmp-ssh-telnet_PM
 class NO-icmp-ssh-telnet_CM
  drop
 class class-default
! Apply the policy inbound on the control plane
control-plane host
 service-policy input NO-icmp-ssh-telnet_PM
res
Paul
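The posted policy is a deny-list: it names the subnets to be dropped and lets everything else through. The allow-list form below is an added example, not part of Paul's post, and it answers the original question more directly: echo and SSH are accepted only when they come from the management subnet and are addressed to the management interface's own IP; the same services from anywhere else, or to any other interface address of the router, are dropped. The management subnet 10.1.1.0/24 and the management address 10.1.1.1 are placeholders, and the police rate is an arbitrary value.

```cisco
! Added example (not the configuration posted in this thread).
! Assumed placeholders: management subnet 10.1.1.0/24, management interface IP 10.1.1.1.
!
! Step 1: control-plane traffic we WANT to accept (pings and SSH to the mgmt interface only)
ip access-list extended CoPP-MGMT-PERMIT
 permit icmp 10.1.1.0 0.0.0.255 host 10.1.1.1 echo
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
!
! Step 2: the same services from everywhere else, or to any other router address
ip access-list extended CoPP-MGMT-DENY
 permit icmp any any echo
 permit tcp any any eq 22
 permit tcp any any eq telnet
!
class-map match-any CoPP-MGMT-PERMIT_CM
 match access-group name CoPP-MGMT-PERMIT
class-map match-any CoPP-MGMT-DENY_CM
 match access-group name CoPP-MGMT-DENY
!
! Classes are evaluated top-down: the permit class must come first, otherwise
! management echo/SSH would also match the catch-all class and be dropped.
! The permitted class is rate-limited so a flood from the mgmt subnet cannot
! exhaust the CPU either; 64 kbps is an assumed value, tune it per platform.
policy-map CoPP-MGMT_PM
 class CoPP-MGMT-PERMIT_CM
  police 64000 8000 conform-action transmit exceed-action drop
 class CoPP-MGMT-DENY_CM
  drop
 class class-default
!
! Aggregate control-plane interface (use "control-plane host" where the platform requires it)
control-plane
 service-policy input CoPP-MGMT_PM
```

Because a mistake here can lock you out of the router, stage it with `reload in 10` and cancel the reload with `reload cancel` once you have confirmed SSH still works from the management subnet. Verify the match counters with `show policy-map control-plane` and `show access-lists CoPP-MGMT-DENY`: a ping to a non-management interface IP should increment the deny class, while a ping to 10.1.1.1 from 10.1.1.0/24 should increment only the permit class.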
01-02-2018 06:18 AM
Thank you Paul,
I think this answers my query.
In another case I need to allow LAN users to ping only their default gateway, that is, the LAN or SVI interface on the router, and block all pings to the external network outside the router. How can I achieve this by adding a generic configuration without changing site-specific IPs?
Thanks,
Raghavendra