01-19-2010 02:03 PM - edited 03-06-2019 09:21 AM
Hi guys, I just created a new VLAN on my network that I want to hide from network scans and pinging. I have created the following 2 rules in an access list:
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any echo-reply
I have inserted this rule in my VLAN interface on the core switch. I have a few hosts connected to another switch on the network that are configured to use this VLAN, but they can still be pinged. Any ideas?
Much appreciated.
Javi
01-19-2010 02:16 PM
brandinstitute wrote:
Hi guys, I just created a new VLAN on my network that I want to hide from network scans and pinging. I have created the following 2 rules in an access list:
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any echo-reply
I have inserted this rule in my VLAN interface on the core switch. I have a few hosts connected to another switch on the network that are configured to use this VLAN, but they can still be pinged. Any ideas?
Much appreciated.
Javi
Javi
Well, one of the lines should work whichever way you applied it to the VLAN interface, i.e. if you applied it outbound the first line should stop ICMP pings, and if you applied it inbound the second line should. You're not pinging FROM the hosts on this VLAN, are you?
So which direction have you applied the ACL, and are you seeing any hits on the ACL?
Can you post the full ACL? There must be more than that, otherwise all traffic should be denied either to or from the VLAN.
Also, can you confirm that the clients you are pinging from are not in the same VLAN?
Jon
01-19-2010 02:33 PM
Javi,
Have you applied the ip access-group 102 "in" or "out" on the VLAN interface?
Sal
01-19-2010 03:13 PM
Hi Sal,
I applied the ACL "in" on the VLAN interface. Just like this:
access-group 102 in
Is this correct?
01-19-2010 03:15 PM
Hi Jon,
The clients I'm pinging from are in a different VLAN; however, I did not try to ping from the VLAN that I want to disallow pinging to. I would like that VLAN to be able to ping but not to respond to pings or network scans.
I applied the ACL 102 "in", not "out".
01-19-2010 03:23 PM
brandinstitute wrote:
Hi Jon,
The clients I'm pinging from are in a different VLAN; however, I did not try to ping from the VLAN that I want to disallow pinging to. I would like that VLAN to be able to ping but not to respond to pings or network scans.
I applied the ACL 102 "in", not "out".
If you want that VLAN to ping out but not respond to pings, then you only need the 2nd line, i.e.
access-list 102 deny icmp any any echo-reply
and then apply it inbound as you have done. If you include the 1st line in your ACL, then you will stop clients on that VLAN being able to ping out. Bear in mind also that there is an implicit deny at the end of any access-list, so the above ACL will block any traffic from your new VLAN, so you would need:
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any
If you want to only allow certain IP traffic from your new VLAN, then the ACL will need modifying.
As to why it is not working: are you sure the interface you have applied the ACL to is the interface responsible for routing the new VLAN's traffic?
Jon
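To see why Jon's advice works, here is an added Python simulation (not from this thread or from Cisco) of first-match ACL evaluation with the implicit deny, applied "in" or "out" on the SVI that routes the hidden VLAN. The addresses and the 10.7.0.0/24 "hidden" VLAN are constructed sample values.

```python
# Added simulation (not from the thread): Cisco-style first-match ACL evaluation with
# the implicit deny, applied "in" or "out" on the SVI that routes the hidden VLAN.
# Addresses and the 10.7.0.0/24 "hidden" VLAN are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp", ...
    icmp_type: str = ""   # "echo" or "echo-reply" when proto == "icmp"


# Each entry is (action, protocol, icmp_type); "any any" addresses as in the thread.
ACL_102_AS_POSTED = [("deny", "icmp", "echo"), ("deny", "icmp", "echo-reply")]
ACL_102_FIXED = [("deny", "icmp", "echo-reply"), ("permit", "ip", None)]


def acl_permits(acl, pkt):
    """First matching entry decides; IOS appends an implicit 'deny ip any any'."""
    for action, proto, icmp_type in acl:
        if proto in ("ip", pkt.proto) and (icmp_type is None or icmp_type == pkt.icmp_type):
            return action == "permit"
    return False


def ping(acl, direction, pinger, target, hidden_prefix="10.7.0."):
    """Return True if pinger gets a reply. The ACL sits on the SVI of the hidden VLAN:
    'in' filters packets sourced inside the VLAN, 'out' filters packets destined into it."""
    in_hidden = lambda ip: ip.startswith(hidden_prefix)
    if in_hidden(pinger) == in_hidden(target):
        return True  # traffic that never enters or leaves the hidden VLAN never crosses its SVI
    echo = Packet(pinger, target, "icmp", "echo")
    reply = Packet(target, pinger, "icmp", "echo-reply")
    for pkt in (echo, reply):
        filtered = in_hidden(pkt.src) if direction == "in" else in_hidden(pkt.dst)
        if filtered and not acl_permits(acl, pkt):
            return False
    return True


if __name__ == "__main__":
    outsider, hidden = "10.1.1.5", "10.7.0.10"
    for name, acl in (("as posted", ACL_102_AS_POSTED), ("fixed", ACL_102_FIXED)):
        print(f"ACL {name}, applied in: outsider pings hidden -> {ping(acl, 'in', outsider, hidden)}")
        print(f"ACL {name}, applied in: hidden pings outsider -> {ping(acl, 'in', hidden, outsider)}")
        print(f"ACL {name}, applied in: hidden host sends TCP -> "
              f"{acl_permits(acl, Packet(hidden, outsider, 'tcp'))}")
```

The run shows the posted ACL blocking both the hidden hosts' outbound pings and all their non-ICMP traffic (implicit deny), while the fixed ACL applied inbound lets them ping out, passes their other traffic, and still drops their echo-replies.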
01-19-2010 10:30 PM
Hi Javi,
Jon has given a brief solution for the ACL on the VLAN which should work in your environment; just as another way to stop traffic entering the VLAN, I would suggest a VLAN access map.
VLAN Access-Lists (or VACLs) work exactly there, at the intra-VLAN traffic, so every time you need to filter internal traffic for a particular VLAN, a VACL can do the job.
Just a couple more things to have in mind before getting into an example:
1. IP Packets can only be processed by IP Access-Lists;
2. Non-IP Packets like ARP, MAC-Addresses, and others can only be processed by MAC Access-Lists.
! Extended ACL that identifies the traffic to filter; in a VACL, "permit" means "match"
access-list 101 permit icmp any any
Create the VACL (or VLAN Map, whichever you prefer to call it) applying those rules:
! Clause 20: drop everything matched by ACL 101
vlan access-map Filter-VL7 20
 match ip address 101
 action drop
!
! Clause 30: forward everything else (traffic matching no clause would otherwise be dropped)
vlan access-map Filter-VL7 30
 action forward
!
vlan filter Filter-VL7 vlan-list 7
The above sample configuration will block the ICMP traffic entering VLAN 7.
Hope that helps with your query!
Regards
Ganesh.H
11-23-2018 10:57 AM
Troubleshooting the problem starts by studying the ACL!
Echo is to ping, Echo-reply is to be pinged; so Either/Or.
If applied to both in and out interfaces with the corresponding command it should work as you have planned.