Solved: Protect Loopback

Krasnoperov · ‎11-08-2011

Hi

how can I protect my loopback interface, extended ACL doesn works :-(

interface Loopback 1

ip address 1.1.1.1 255.255.255.128

ip address 1.1.1.2 255.255.255.128 secondary

ip address 1.1.1.3 255.255.255.128 secondary

ip access-group JUST_ICMP in

ip access-list extended JUST_ICMP

permit icmp any host 1.1.1.2

deny any any

When I ping from remote-->1.1.1.3 it's pingable and no matching in ACL (even in deny)

Why?

thanks

Richard Burts · ‎11-08-2011

To protect the loopback interface it does not work to put the access list on the loopback interface itself. You would need to put the access list on the interface on which the packet got to the router. So you potentially would need the access list on several interfaces.

The reason for this is that when you ping a router interface the router does not send the ping all the way to the destination interface. When a packet comes in a router interface and the router looks at how to forward the packet and finds that the router is the destination then the router just processes the packet and does not send the packet all the way to the destination interface.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎11-08-2011

To protect the loopback interface it does not work to put the access list on the loopback interface itself. You would need to put the access list on the interface on which the packet got to the router. So you potentially would need the access list on several interfaces.

The reason for this is that when you ping a router interface the router does not send the ping all the way to the destination interface. When a packet comes in a router interface and the router looks at how to forward the packet and finds that the router is the destination then the router just processes the packet and does not send the packet all the way to the destination interface.

HTH

Rick

HTH

Rick