Re: ping drops on pinging local interface

Hi jack,
Because the packet don't use any interface flow so there's no place to filter it. So if you send the same ping sourcered from loopback or other interface it will be filtered.
Br,
Robclav

BlackBerry de movistar, allm donde estis esta tu oficin@

-----Original Message-----
From: jack daniels <jckdaniels12_at_gmail.com>

Date: Wed, 24 Jun 2009 01:41:12
To: <robclav_at_gmail.com>
Cc: <ccielab_at_groupstudy.com>
Subject: Re: ping drops on pinging local interface

Hi Robclav,

why so as icmp and icmp-echo are both orignated by router so shouldnt match
the acl

Regards

On Tue, Jun 23, 2009 at 1:16 PM, <robclav_at_gmail.com> wrote:

> Hi jack,
> The traffic sourcered from router is not filtered but when this traffic
> reach the interface and then it send a icmp reply, then it is filtered.
> But if you apply this incoming acl to the exit int and you ping to the int
> directly attached to this one, theb it will work.
> Pls confirm if it works,
> Br
> Robclav
>
>
>
> BlackBerry de movistar, allm donde estis esta tu oficin@
>
> -----Original Message-----
> From: jack daniels <jckdaniels12_at_gmail.com>
>
> Date: Tue, 23 Jun 2009 12:29:16
> To: <ccielab_at_groupstudy.com>
> Subject: ping drops on pinging local interface
>
>
> Ping works on my interface , but when I apply inbound acl on the interface
> I can't ping my own interface
> But as per I know on the router u apply acl , it doesn't match the router's
> locally orignated traffic
> so please suggest why it is happening ?
>
>
> R3#sh run interface fastEthernet 0/0
> Building configuration...
>
> Current configuration : 103 bytes
> !
> interface FastEthernet0/0
> ip address 10.1.37.3 255.255.255.0
> duplex half
> no clns route-cache
> end
>
> R3#ping 10.1.37.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.1.37.3, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
> R3#cle
> R3#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R3(config)#int fa
> R3(config)#int fastEthernet 0/0
> R3(config-if)#ip acces
> R3(config-if)#ip access-group 101 in
> R3(config-if)#^Z
> R3#conf t
> 00:53:38: %SYS-5-CONFIG_I: Configured from console by cping 10.1.37.3
> R3#ping 10.1.37.3
> R3#ping 10.1.37.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.1.37.3, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R3#sh running-config | i access-list 101
> access-list 101 deny icmp any host 10.1.37.3
> access-list 101 permit ip any any
>
>
> Blogs and organic groups at http://www.ccie.net
>
>_______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri Jun 26 2009 - 07:47:06 ART