07-03-2013 11:39 PM - edited 03-07-2019 02:13 PM
Even on Catalyst 3750 and 4500 with IP Services IOS, when I apply an ingress extended ACL on a VLAN interface to deny some kind of traffic (ICMP), this traffic only matches the permit ip any any statement. Is there any limitation with ACL traffic restriction in such models?
This is the configuration:
....
!
interface Vlan10
ip address x.y.z.1 255.255.255.0
no ip redirects
no ip unreachables
ip access-group 101 in
!
ip access-list extended 101
deny icmp any x.any
permit ip any any
!
07-04-2013 12:52 AM
Hi,
Which type of ICMP is entering this VLAN that doesn't get a hit?
Regards
Alain
Don't forget to rate helpful posts.
07-04-2013 01:37 AM
Thank you Alain for your answer.
The type of ICMP is ping; we want to disable ping from a specific IP in that VLAN.
SW#sh access-l
Extended IP access list 101
10 deny icmp any host x.y.z.1 echo-reply
20 deny icmp any host x.y.z.1 echo
30 permit ip any any (59 matches)
07-04-2013 02:07 AM
Hi,
The destination IP must be in another VLAN. Is it in the VLAN where you apply the ACL? In which case, do you want to prevent pings within that VLAN or to another VLAN?
In the first case use a VACL or an ingress PACL, and in the second case use a RACL like you did, but put the host IP as source instead of destination.
Regards
Alain
Don't forget to rate helpful posts.
07-08-2013 12:30 AM
Thank you again Alain, but it is still not working.
I know about VACLs and PACLs, but in this case it is a RACL. The problem is that pings are still working between both VLANs.
VLAN 10 is the destination (a.b.c.0/24)
VLAN 28 is the source (x.y.z.0/24)
I have modified the ACL so I can apply it to any VLAN interface:
!
ip access-list extended ping
deny icmp a.b.c.0 0.0.0.255 x.y.z.0 0.0.0.255
deny icmp x.y.z.0 0.0.0.255 a.b.c.0 0.0.0.255
permit ip any any
And then I have applied it to both ways (ingress and egress) in every VLAN interface this way:
!
interface Vlan10
ip address a.b.c.3 255.255.255.0
ip access-group ping in
ip access-group ping out
!
interface Vlan28
ip address x.y.z.3 255.255.255.0
ip access-group ping in
ip access-group ping out
Anyway, no ICMP is filtered out when I ping from a host in VLAN 28 to a host in VLAN 10:
Extended IP access list ping
1 deny icmp 172.31.10.0 0.0.0.255 192.168.128.0 0.0.0.255
2 deny icmp 192.168.128.0 0.0.0.255 172.31.10.0 0.0.0.255
20 permit ip any any (1129 matches)
07-08-2013 06:08 AM
Hi Jesus,
Your configuration looks good. Can you please confirm that the access list is applied on the switch where inter-VLAN routing is happening for these VLANs?
Manish
07-10-2013 12:57 AM
Problem solved. It seems that the customer's routing was going through a firewall, not through the Catalyst itself.
Kind regards to all of you for your help.
Jesus
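As an added illustration (not code from the thread or from Cisco), the following Python model reproduces the two behaviours that drove this thread: IOS extended ACL evaluation on an SVI (first match wins, Cisco wildcard masks, implicit deny, hit counters), and the fact that a RACL on an SVI is only consulted for packets the switch itself routes, so hosts whose default gateway is a firewall never touch it. The subnets 172.31.10.0/24 (VLAN 10) and 192.168.128.0/24 (VLAN 28) are taken from the last show access-list output above; the SVI address 172.31.10.1 standing in for x.y.z.1, the VLAN 28 SVI 192.168.128.3, the firewall address 192.168.128.254 and the sample host addresses are constructed for the example. The "bridged versus routed" check is a deliberately simplified model of the data plane, not a simulation of the switch.

```python
"""Added example: a small model of how an IOS extended ACL applied to an SVI
(a RACL) is evaluated, using the ACLs posted in the thread.

Assumptions (constructed for the example, not facts from the thread):
the SVI address 172.31.10.1 stands in for x.y.z.1, the VLAN 28 SVI is
192.168.128.3, the firewall is 192.168.128.254, and the hosts are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp"
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ... (ICMP only)


@dataclass
class Ace:
    """One access-control entry, e.g. 'deny icmp any host 172.31.10.1 echo'."""
    action: str
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None
    matches: int = 0                 # mirrors the '(N matches)' counter


def _take_spec(tokens, i):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _take_spec(t, 2)
    dst, i = _take_spec(t, i)
    icmp_type = t[i] if i < len(t) else None
    return Ace(action=t[0], proto=t[1], src=src, dst=dst, icmp_type=icmp_type)


def _addr_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    if spec == "any":
        return True
    kind, value = spec.split()
    a = int(ipaddress.ip_address(addr))
    if kind == "host":
        return a == int(ipaddress.ip_address(value))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(value))  # invert the wildcard
    return (int(ipaddress.ip_address(kind)) & care) == (a & care)


def _ace_match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if _ace_match(ace, pkt):
            ace.matches += 1
            return ace.action
    return "deny"


def svi_decision(acl, pkt: Packet, next_hop: str, svi_ip: str) -> str:
    """A RACL on an SVI is only consulted for packets the switch itself routes,
    i.e. packets the host handed to the SVI as its gateway. If the host's
    gateway is a firewall, the switch only bridges the frame inside the VLAN
    and never evaluates the SVI's ACL (simplified model of the final finding)."""
    if next_hop != svi_ip:
        return "bridged"
    return evaluate(acl, pkt)


# ACL 101 from the first 'show access-list': the deny lines only match pings
# whose *destination* is the SVI address itself (172.31.10.1 stands in for x.y.z.1).
ACL_101 = [parse_ace(l) for l in (
    "deny icmp any host 172.31.10.1 echo-reply",
    "deny icmp any host 172.31.10.1 echo",
    "permit ip any any",
)]

# ACL 'ping' from the later post: matches any ICMP between the two subnets.
ACL_PING = [parse_ace(l) for l in (
    "deny icmp 172.31.10.0 0.0.0.255 192.168.128.0 0.0.0.255",
    "deny icmp 192.168.128.0 0.0.0.255 172.31.10.0 0.0.0.255",
    "permit ip any any",
)]

# Constructed sample traffic: a host in VLAN 28 pinging a host (or the SVI) in VLAN 10.
HOST_PING = Packet("192.168.128.10", "172.31.10.20", "icmp", "echo")
SVI_PING = Packet("192.168.128.10", "172.31.10.1", "icmp", "echo")

if __name__ == "__main__":
    print(evaluate(ACL_101, HOST_PING))   # permit: the host, not the SVI, is the destination
    print(evaluate(ACL_101, SVI_PING))    # deny
    print(evaluate(ACL_PING, HOST_PING))  # deny
    # Gateway is the firewall 192.168.128.254, not the SVI 192.168.128.3: never evaluated
    print(svi_decision(ACL_PING, HOST_PING, "192.168.128.254", "192.168.128.3"))  # bridged
```

Run it as a script to see the three cases from the thread in order: ACL 101 lets host-to-host pings through because its deny lines name the SVI as destination; the subnet-based ACL does deny them; and with the firewall as the hosts' gateway the SVI ACL is simply not in the path, which is why the permit counter kept climbing on ordinary traffic while the deny lines stayed at zero. The practical check is the one Manish asked for: confirm with show ip route and the hosts' default gateway that the Catalyst is actually the device doing the inter-VLAN routing before debugging the ACL itself.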