OMG.. I know that was easy.. I was confused. Sorry.
@ccie99999
On 01 Oct 2012 18:11, "marc edwards" <renorider_at_gmail.com> wrote:
> So the ping from R2 through R1 to R3 is blocked because the ACL you
> applied on router 1 is for data forwarding.
>
> When you ping loopback of the router, it is control-plane traffic.
>
> You can apply CoPP if you want to stop this type of traffic.
>
> On R1:
>
> !
> ip access-list extended R1-loop-back
> permit icmp host 1.1.1.1 any echo-reply
>
> !
> class-map match-all control-ping
> match access-group name R1-loop-back
> !
> policy-map control-ping
> class control-ping
> drop
> !
> control-plane
> service-policy output control-ping
>
> HTH
>
> Marc
>
> On Mon, Oct 1, 2012 at 5:25 AM, ccie99999 <ccie99999_at_gmail.com> wrote:
>
>> Well, I did lab that and I'm confused.
>>
>> I have the same behaviour.
>>
>> R3 - R1 - R2
>>
>> from R2 I ping R1's L0 and I got replies.
>> from R3 I ping R3's L0 and I don't get replies.
>>
>> R1's Loop0 is 1.1.1.1/24
>> R3's Loop0 is 1.1.3.1/24
>>
>> access-list applied to R1 fa0/0 (side R2) is this one:
>>
>> Extended IP access list LOOP
>> 10 deny icmp 1.1.0.0 0.0.255.255 any echo-reply (10 matches)
>> 20 permit ip any any
>>
>> I've set up 'no ip unreachable' on R1's Loop0 but as far as I get a reply I
>> guess this doesn't apply..
>> or am I missing something?
>>
>> R2#ping 1.1.1.1 rep 2
>>
>> Type escape sequence to abort.
>> Sending 2, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
>> !!
>>
>> R2#ping 1.1.3.1 rep 2
>>
>> Sending 2, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
>> ..
>> Success rate is 0 percent (0/2)
>>
>>
>>
>> thanks
>>
>>
>>
>> On Mon, Oct 1, 2012 at 9:44 AM, Joseph L. Brunner
>> <joe_at_affirmedsystems.com> wrote:
>>
>> > This is an often overlooked feature - ip unreachables! So even though the
>> > router will block your pings from being sent when leaving g0/14 - it's
>> > giving you a little hint to STOP SENDING THEM!
>> >
>> > On the loopback interface -
>> >
>> > int loop0
>> > !
>> > no ip unreachables
>> > !
>> >
>> > I suggest you read this useful link on securing IOS routers -
>> >
>> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
>> >
>> > and this timeless whitepaper - which is a great use of our tax money :0)
>> >
>> > http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
>> >
>> >
>> > :)
>> >
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > muhammad adnan
>> > Sent: Monday, October 01, 2012 5:29 AM
>> > To: Cisco certification
>> > Subject: any icmp access-list mistake....
>> >
>> > Dear all group members:-
>> >
>> > I am doing a small test. I want to block all pings from my PC attached at
>> > gi0/14 to 192.168.x.0 255.255.255.0
>> >
>> > When I applied the access-list stated below, ping replies were blocked from all
>> > addresses in 192.168.x.0 255.255.255.0 instead of 192.168.x.1. 192.168.x.1 is
>> > directly connected to my switch but the rest of the loopback addresses are 1 hop
>> > away.
>> >
>> >
>> > I already cleared the CEF and ARP cache.
>> >
>> >
>> > and I am unable to find a stupid mistake or any reason why 192.168.x.1
>> > gives me an echo reply
>> >
>> > any idea....
>> >
>> > interface Loopback0
>> > ip address 192.168.x.1 255.255.255.255
>> >
>> > interface GigabitEthernet0/14
>> > description ......
>> > no switchport
>> > ip address x.x.x.x 255.255.255.252
>> > ip access-group loop-back out
>> >
>> > ip access-list extended loop-back
>> > deny icmp host 192.168.x.1 any echo-reply
>> > deny icmp 192.168.x.0 0.0.0.255 any echo-reply
>> > permit ip any any
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>> --
>> @ccie99999
>>
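Putting the two mechanisms from the thread side by side on R1, as an added example rather than any poster's own config: the thread's addresses and the R3 - R1 - R2 topology are reused, and a platform and IOS release that accept an output service-policy under `control-plane` are assumed.

```cisco
! R3 - R1 - R2 lab from the thread: interface ACL versus control-plane
! policy on R1 (added example, not a poster's configuration).
!
! 1) Interface ACL on the R2-facing interface. An outbound interface ACL
!    is evaluated only for packets R1 forwards: R3's echo replies
!    (1.1.3.1, transit) match the deny and are dropped, but replies R1
!    itself generates from Loopback0 (1.1.1.1) are never checked here.
ip access-list extended LOOP
 deny   icmp 1.1.0.0 0.0.255.255 any echo-reply
 permit ip any any
!
interface FastEthernet0/0
 description link to R2
 ip access-group LOOP out
!
! 2) Control-plane policy. Router-originated traffic leaves through the
!    control plane, so this is where R1's own replies can be dropped.
ip access-list extended R1-LOOPBACK-REPLIES
 permit icmp host 1.1.1.1 any echo-reply
!
class-map match-all CONTROL-PING
 match access-group name R1-LOOPBACK-REPLIES
!
policy-map CONTROL-PING
 class CONTROL-PING
  drop
!
control-plane
 service-policy output CONTROL-PING
!
! Checks after "ping 1.1.1.1" and "ping 1.1.3.1" from R2:
!   show ip access-lists LOOP            -> deny counter grows only for R3's replies
!   show policy-map control-plane output -> drop counter grows for R1's own replies
!
! Dropping echo requests to 1.1.1.1 with a "service-policy input" instead
! would stop the reply from being generated at all and also spare the CPU,
! which is the usual CoPP approach when the goal is protecting the router.
```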
Received on Mon Oct 01 2012 - 18:36:27 ART