10-22-2015 01:08 PM - edited 03-08-2019 02:20 AM
what's the difference between Echo and Echo-Reply?
Which one would you typically deny IN and deny OUT?
10-22-2015 01:19 PM
The echo request is sent from the source to the destination IP.
The echo reply is the response from the destination IP back to the source.
As to the other part of your question, I'm not sure in which context you mean.
If you mean with ACLs, it all depends on what you are trying to do, i.e. if you wanted to stop ping between two subnets you would typically block echo requests inbound on the L3 interface for the source subnet.
Perhaps you can give an example of what you are referring to?
Jon
10-22-2015 02:48 PM
Hi Jon
When I've denied ping (echo requests) inbound, my ACL works fine.
But whenever I have tried to deny echo replies, whether inbound or outbound, the ping AND the response still work.
I don't know if that's a Packet Tracer bug or not.
10-22-2015 03:07 PM
Are you talking about the ASA? Then this behavior is expected when ICMP inspection is enabled, as the ACLs are not checked for the return traffic, which is the echo replies.
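To make the ASA behaviour above concrete, here is an added configuration example (not from the thread): an outside-interface ACL that denies echo replies has no effect on replies to pings started from inside once `inspect icmp` is in the global policy, because the inspection engine tracks the request and lets the matching reply back through before the interface ACL is consulted. Interface names, the ACL name and the addresses are assumptions for this example.

```cisco
! Assumed topology: inside host 10.1.1.10 pings 203.0.113.1 on the outside.
!
! ICMP inspection turned on in the default global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! This ACL is meant to drop the echo replies coming back in on "outside",
! but with inspect icmp enabled the reply is matched to the tracked echo
! request and is permitted without hitting the ACL, so the ping still works.
access-list OUTSIDE_IN extended deny icmp any any echo-reply
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
!
! Checks: the deny line shows a hit count of 0 while the ping succeeds,
! and the connection table shows the tracked ICMP flow.
show access-list OUTSIDE_IN
show conn protocol icmp
!
! To actually stop the ping, block the request on the interface where it
! enters the ASA (closest to the source), which is evaluated normally.
access-list INSIDE_IN extended deny icmp host 10.1.1.10 any echo
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Removing `inspect icmp` from the policy reverses the first behaviour: without inspection the ASA does not track ICMP, so the echo reply arriving on "outside" is checked against `OUTSIDE_IN` and would need an explicit permit to get back in at all.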
10-23-2015 04:21 PM
Hey, no this was just on a regular Router.
I got it to work though when I denied the REPLY from going into my closest interface to it.
The thing about ACL interfaces is that at ALL times...traffic is technically going IN-OUT of that interface from BOTH directions.
When you walk out of a door, you technically walk into the doorway and out of the doorway simultaneously.
When you walk back into the door, you're walking in and out simultaneously.
That makes these ACLs confusing.
10-23-2015 04:37 PM
If it helps, I think of in and out in relation to the router's interfaces, i.e.
c1 -> gi0/0 R1 gi0/1 -> c2
c1 is pinging c2 and you want to block it.
As I said before, you usually block closest to the source, but all of these should work -
1) an acl applied inbound to gi0/0 denying echo request from c1 to c2
2) an acl applied outbound to gi0/1 denying echo request from c1 to c2
3) an acl applied inbound to gi0/1 denying echo reply to c1
4) an acl applied outbound to gi0/0 denying echo reply to c1
Note: all of the above is with extended ACLs where you specify the source and destination.
And you would usually use the first of those acls to stop c1 pinging c2.
Jon
10-23-2015 06:02 PM
Just to add, the logic is the same for SVIs on an L3 switch in terms of direction, which can cause some confusion.
So if you have an SVI for a VLAN, then an ACL applied inbound to the SVI controls traffic from clients in that VLAN going to remote subnets, and an ACL applied outbound to the SVI controls traffic from remote subnets to clients in that VLAN.
Jon
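The four placements Jon lists for the c1 -> gi0/0 R1 gi0/1 -> c2 topology, plus the SVI case from his follow-up, written out as IOS configuration. This is an added example, not configuration posted in the thread; the subnets (c1 in 10.1.1.0/24, c2 in 10.1.2.0/24), ACL names and VLAN number are assumptions. Only one of the four placements is needed in practice (normally option 1); all four are shown so the in/out and source/destination flips can be compared side by side.

```cisco
! Assumed topology: c1 10.1.1.0/24 -- gi0/0 [R1] gi0/1 -- c2 10.1.2.0/24
!
! Options 1 and 2 match the echo REQUEST, so source is c1's subnet and
! destination is c2's. Only ICMP type echo is denied; unreachables,
! TTL-exceeded etc. still pass. The explicit permit is needed because
! every IOS ACL ends in an implicit deny.
ip access-list extended DENY-C1-PING-C2
 deny   icmp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 echo log
 permit ip any any
!
! Option 1 (closest to the source): request enters R1 on gi0/0.
interface GigabitEthernet0/0
 ip access-group DENY-C1-PING-C2 in
!
! Option 2: same ACL, request leaves R1 on gi0/1 towards c2.
interface GigabitEthernet0/1
 ip access-group DENY-C1-PING-C2 out
!
! Options 3 and 4 match the echo REPLY, so source and destination are
! flipped (c2 -> c1) and the ICMP type is echo-reply.
ip access-list extended DENY-REPLY-TO-C1
 deny   icmp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 echo-reply log
 permit ip any any
!
! Option 3: reply enters R1 on gi0/1 from c2.
interface GigabitEthernet0/1
 ip access-group DENY-REPLY-TO-C1 in
!
! Option 4: reply leaves R1 on gi0/0 towards c1.
interface GigabitEthernet0/0
 ip access-group DENY-REPLY-TO-C1 out
!
! SVI variant on an L3 switch: "in" on the SVI is traffic from hosts in
! that VLAN towards remote subnets, the same direction as option 1.
interface Vlan10
 ip access-group DENY-C1-PING-C2 in
!
! Checks: the deny line's match counter increments while c1 pings c2,
! and the log keyword produces a %SEC-6-IPACCESSLOGDP message per match
! (rate limited), which makes it obvious which placement is doing the work.
show access-lists DENY-C1-PING-C2
show ip interface GigabitEthernet0/0
```

If the ping still succeeds after applying an echo-reply ACL, compare the placement against options 3 and 4: the reply ACL must sit where the reply actually crosses the router (inbound on the interface facing the replying host, or outbound on the interface facing the original sender) and must name the replying subnet as the source.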
10-22-2015 03:45 PM
As Karsten says, if you are using a firewall they will be allowed back in by default.
However, if you mean on an L3 switch or router, then you should be able to stop it, depending on where you apply the ACL.
So if you apply an ACL inbound on the L3 interface for a VLAN, then denying echo requests from that VLAN/IP subnet works.
Try using an ACL denying echo replies and applying it outbound on that same L3 interface.
Obviously you need to flip the source and destination IP subnets around because it is return traffic.
Note that this is just a test, because usually you apply the ACL closest to the source, but see if it works.
Jon