Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
29291
Views
0
Helpful
7
Replies

Creating an ACL to Deny Pinging to a VLAN

brandinstitute
Level 1
Level 1

‎01-19-2010 02:03 PM - edited ‎03-06-2019 09:21 AM

Hi guys, I just created a new vlan on my network that I want to hide from network scans and pinging. I have created the following 2 rules in an access list

access-list 102 deny icmp any any echo

access-list 102 deny icmp any any echo-reply

I have inserted this rule in my Vlan interface on the core switch. I have a few hosts connected to another switch on the network that are configured to use this vlan but they can still be pinged. Any ideas.

Much appreciated.

Javi

1 person had this problem
Labels:
0 Helpful
7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

‎01-19-2010 02:16 PM 

brandinstitute wrote:
Hi guys, I just created a new vlan on my network that I want to hide from network scans and pinging. I have created the following 2 rules in an access list
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any echo-reply
I have inserted this rule in my Vlan interface on the core switch. I have a few hosts connected to another switch on the network that are configured to use this vlan but they can still be pinged. Any ideas. 
Much appreciated.
Javi

Javi

Well one of the lines should work whichever way you applied it to the vlan interface ie. if you applied it outbound the first line should stop ICMP pings and if you applied it inbound the second line should - your'e not pinging FROM the hosts on this vlan are you ?

So which direction have you applied the acl and are you seeing any hits on the acl ?

Can you post the full acl because there must be more than that otherwise all traffic should be denied either to/from the vlan.

Also can you confirm that the clients you are pinging from are not in the same vlan.

Jon

0 Helpful

s.marino
Level 1
Level 1
In response to Jon Marshall

‎01-19-2010 02:33 PM

Javi,

Have you applied the ip access-group 102 in "or" out on the vlan interface?

Sal

0 Helpful

brandinstitute
Level 1
Level 1
In response to s.marino

‎01-19-2010 03:13 PM

Hi Sal,


I applied the ACL "in" the vlan interface. Just like this:

access-group 102 in

Is this correct?

0 Helpful

brandinstitute
Level 1
Level 1
In response to Jon Marshall

‎01-19-2010 03:15 PM

Hi Jon,

The clients I'm pinging from are in a different VLAN, however I did not try to ping from the vlan that I want to disallow pinging to. I would like that VLan to be able to ping but not to respond to pings or network scans.

I applied the ACL 102 "in" not "out"

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to brandinstitute

‎01-19-2010 03:23 PM 

brandinstitute wrote:
Hi Jon,
The clients I'm pinging from are in a different VLAN, however I did not try to ping from the vlan that I want to disallow pinging to. I would like that VLan to be able to ping but not to respond to pings or network scans. 
I applied the ACL 102 "in" not "out"

If you want that vlan to ping out but not respond to pings then you only need the 2nd line ie.

access-list 102 deny icmp any any echo-reply

and then apply it inbound as you have done. If you include the 1st line in your acl then you will stop clients on that vlan being able to ping out. Bear in mind also that there is an implicit deny at the end of any access-list so the above acl will block any traffic from your new vlan so you would need -

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

if you want to only allow certain IP traffic from your new vlan then the acl will need modifying.

As to why it is not working - are you sure the interface you have applied the acl to is the interface responsible for routing the new vlans traffic ?

Jon

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎01-19-2010 10:30 PM

Hi Javi,

Jon has given brief solution for ACL in vlan which should work in your environment just another way to stop traffic entering into vlan i would suggest VLAN acces map.

VLAN Access-Lists (or VACL) works exactly there At the Intra-VLAN Traffic So everytime you need to filter internal traffic for a particular VLAN, VACL is can do the requirement.

Just a couple more things to have in mind before getting into an example.

   1.  IP Packets can only be processed by IP Access-Lists;
   2.  Non-IP Packets like ARP, MAC-Addresses, and others can only be processed by MAC Access-Lists.

access-list 101 deny src ip add desta ddress icmp any any

Create the VACL (or VLAN Maps, which one you preffer to call it) applying those rules:

vlan access-map Filter-VL7 20
match ip address 101

action forward

!
vlan access-map Filter-VL7 30
action permit

vlan filter Filter-VL7 vlan-list 7

The above sample configuration will block the icmp traffic entering into vlan 7.

Hope that helps out your query !!

Regards

Ganesh.H

0 Helpful

SamSolutions0
Level 1
Level 1

‎11-23-2018 10:57 AM

Troubleshooting the problem starts by studying the ACL!

Echo is to ping, Echo-reply is to be pinged; so Either/Or.

If applied to both in and out interfaces with the corresponding command it should work as you have planned.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card