Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
36940
Views
5
Helpful
2
Replies

Enable ICMP ping for an intefrace

raghav.rai
Level 1
Level 1

‎12-28-2017 09:09 PM - last edited on ‎03-25-2019 03:50 PM by Community Manager

Hello All,

 

Is there a way that I can allow ICMP ping to a physical or virtual interface of a router and block all other pings. I know this can be achieved using ACL just by permitting the interface IP and block ICMP for all other IP's. But I need to configure this in many routers so wanted check if there is a way to allow it only to one interface like management interface.

Tks,

raghavendra

 

 

 

 

 

 

 

 

 

2 people had this problem
Labels:
0 Helpful
2 Replies 2

paul driver
VIP
VIP

‎12-29-2017 05:27 AM

Hello

Control plane policing to do this.

You will negate all the subnets you DONT wish to access the devices, Assuming you would know the network ranges being used in your network thus leaving only the subnet you wish to be allowed to access the device.

 

Example:
ip access-list extended NO-icmp-ssh-telnet
permit icmp 10.0.0.0 0.255.255.255 any echo
permit icmp 20.0.0.0 0.255.255.255 any echo
permit tcp 10.0.0.0 0.255.255.255 any eq 22
permit tcp 20.0.0.0 0.255.255.255 any eq 22
permit tcp 10.0.0.0 0.255.255.255 any eq telnet
permit tcp 20.0.0.0 0.255.255.255 any eq telnet

class-map match-any NO-icmp-ssh-telnet_CM
match access-group name NO-icmp-ssh-telnet

policy-map NO-icmp-ssh-telnet_PM
class NO-icmp-ssh-telnet_CM
drop
class class-default

 

control-plane host
service-policy input NO-icmp-ssh-telnet_PM

 

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

raghav.rai
Level 1
Level 1
In response to paul driver

‎01-02-2018 06:18 AM

Thank you Paul,

 

I think this answers my query.

 

In another case I need to allow LAN users only to ping their default gateway that is LAN or SVI interface in router and block all ping to external network outside the router. How can I achieve this by adding a generic configuration without changing site specific IP ?

 

Thanks,

Raghavendra 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card