05-22-2012 06:12 AM - edited 03-07-2019 06:50 AM
Hi, I want to block pings bigger than 32 bytes on my network.
How can I do this?
I tried with deny icmp any any packet-too-big and deny icmp any any fragments,
but no success.
Any suggestions?
05-22-2012 06:30 AM
Hi,
You can use a class-map / policy-map.
class-map match-all ICMP-BIG
 match protocol icmp
 match packet length min 1500
policy-map PM_NORMALIZATION
 class ICMP-BIG
  drop
Apply the policy-map on the interface.
Dan
05-22-2012 06:20 AM
The commands that you've tried will not work because they are meant for giants, or for packets larger than the specified MTU. The lowest that you can go with an explicit MTU configuration is 128 bytes, so you will not be able to accomplish blocking ICMP packets larger than 32 bytes because it is much lower than the lowest configurable MTU.
What are you trying to accomplish by blocking these pings? Perhaps we can approach your desired end goal another way.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-22-2012 06:24 AM
What I am trying to do is this: people in my network are doing continuous pings to a destination with ping x.x.x -t -l (size),
and that causes high utilization over my internet links.
I can't stop them, because they think it's the best way to check network health if their YouTube is loading slowly.
I don't want to disable ICMP altogether, since it's handy to find out if a remote host is down.
What are my options in this case?
05-22-2012 06:53 AM
Hi,
Your best option is a QoS classification like what Dan wrote for you, in the proper direction on the interface.
That way you have the flexibility to match packets with the criteria you need: you could use match protocol icmp to have all ICMP packets policed, or you can write access lists to selectively define who is eligible and who is not to send large packets, with match access-group [access-list].
Also for the packet length, Dan chose 1500 bytes; you can choose your desired size.
Or you can limit the bandwidth for ICMP use, using police rate [32 kbps] to limit the bandwidth for ping instead of the packet size (it goes under the policy-map).
CheerZ.
Please rate if it helped.
Soroush.
05-24-2012 06:42 AM
It worked.
Looks like I need to buy a QoS book now, never studied QoS yet. lol.
Here is my final config. Also, GRE has an additional header so it takes a few bytes, so if I block a packet size of 100 bytes then an ICMP of 90 bytes is also dropped due to the additional GRE header, I guess, so I had to give some cushion.
Also, Orion and SolarWinds use 60 +/- bytes of ICMP for monitoring, so I got quite a few alerts when I restricted ICMP to 40 bytes initially.
Thank you Dan and Soroushm for your useful information.
class-map match-all ICMP-BIG
 match protocol icmp
 match packet length min 100 max 2000
!
policy-map ICMP-NORMALIZATION
 class ICMP-BIG
  drop
!
int tunnel 5000
 service-policy output ICMP-NORMALIZATION
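As an added example (not from the thread or from Cisco's documentation), a small Python model of what match packet length min/max compares against, to pick a threshold that drops large pings while sparing the default 32-byte ping and monitoring probes. It assumes plain IPv4 (20-byte header), the 8-byte ICMP echo header, and a 24-byte GRE overhead that is counted when the policy sees the encapsulated packet, as the poster observed:

```python
# Added example (not from the thread): model how `match packet length min/max`
# classifies pings of a given `-l` payload size, so a threshold can be chosen
# that drops large pings but leaves the default 32-byte ping and monitoring
# probes alone. Assumptions: IPv4 header without options (20 bytes), ICMP echo
# header (8 bytes), and a GRE overhead of outer IPv4 (20) + GRE (4) = 24 bytes,
# counted when the policy sees the encapsulated packet as the poster observed.

IPV4_HDR = 20
ICMP_HDR = 8
GRE_OVERHEAD = 20 + 4


def overhead(gre=False):
    """Header bytes wrapped around the ping's `-l` payload."""
    return IPV4_HDR + ICMP_HDR + (GRE_OVERHEAD if gre else 0)


def ip_length(payload, gre=False):
    """Layer-3 total length that `match packet length` compares against."""
    return payload + overhead(gre)


def dropped(payload, lo=100, hi=2000, gre=False):
    """True if a ping with this `-l` size lands in the ICMP-BIG drop class."""
    return lo <= ip_length(payload, gre) <= hi


def largest_allowed_payload(lo, gre=False):
    """Largest `-l` value that still passes a `min lo` threshold."""
    return lo - 1 - overhead(gre)


def min_threshold_for(max_payload, gre=False):
    """Smallest `min` value that still lets pings up to `max_payload` through."""
    return max_payload + overhead(gre) + 1


def report(lo, hi, sizes, gre=False):
    """Map each candidate `-l` size to its L3 length and drop decision."""
    return {s: (ip_length(s, gre), dropped(s, lo, hi, gre)) for s in sizes}


if __name__ == "__main__":
    # Constructed candidate sizes: Windows default, a monitoring-sized probe,
    # the edge of the min 100 threshold, and a deliberately large ping.
    for gre in (False, True):
        print("GRE" if gre else "plain", report(100, 2000, (32, 60, 72, 1400), gre))
    print("largest -l allowed over GRE with min 100:", largest_allowed_payload(100, gre=True))
```

The min 40 the poster first tried catches a default 32-byte ping (60 bytes at layer 3), which is why the monitoring alerts appeared.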
05-24-2012 08:41 AM
No problem, more than happy to help!
05-24-2012 09:36 PM
As I was told here, I limited all ICMP traffic to reserve bandwidth for useful applications,
so nobody can disturb the network with ICMP.
class-map match-any Cl_ICMP
 match protocol icmp
class-map match-all voice
 match protocol rtp
policy-map pm1
 class c1
  priority 50
  set precedence 3
 class c2
  priority 256
  set precedence 3
 class c3
  priority 480
  set precedence 3
 class Cl_ICMP
  shape average 30000
  ! here ICMP is limited to 30 kbps
 class voice
  priority 500
  set precedence 5
 class class-default
policy-map pm2
 ! this policy is applied to the interface
 class class-default
  shape average 2000000
  service-policy pm1