Re: any icmp access-list mistake....

From: marc edwards <renorider_at_gmail.com>
Date: Mon, 1 Oct 2012 11:40:01 -0700

NP. In summary, through-the-router traffic (data) can be blocked at the interface. To-the-router
traffic (control) is blocked with CoPP.

Marc

On Mon, Oct 1, 2012 at 11:36 AM, ccie99999 <ccie99999_at_gmail.com> wrote:

> OMG.. I know that was easy.. I was confused. Sorry.
>
> @ccie99999
> On 01/Oct/2012 18:11, "marc edwards" <renorider_at_gmail.com>
> wrote:
>
>> So the ping from R2 through R1 to R3 is blocked because the ACL you
>> applied on router 1 is for data forwarding.
>>
>> When you ping loopback of the router, it is control-plane traffic.
>>
>> You can apply CoPP if you want to stop this type of traffic.
>>
>> On R1:
>>
>> !
>> ip access-list extended R1-loop-back
>> permit icmp host 1.1.1.1 any echo-reply
>>
>> !
>> class-map match-all control-ping
>> match access-group name R1-loop-back
>> !
>> policy-map control-ping
>> class control-ping
>> drop
>> !
>> control-plane
>> service-policy output control-ping
>>
>> HTH
>>
>> Marc
>>
>> On Mon, Oct 1, 2012 at 5:25 AM, ccie99999 <ccie99999_at_gmail.com> wrote:
>>
>>> Well, I did lab that and I'm confused.
>>>
>>> I have the same behaviour.
>>>
>>> R3 - R1 - R2
>>>
>>> From R2 I ping R1's L0 and I get replies.
>>> From R3 I ping R3's L0 and I don't get replies.
>>>
>>> R1's Loop0 is 1.1.1.1/24
>>> R3's Loop0 is 1.1.3.1/24
>>>
>>> access-list applied to R1 fa0/0 (side R2) is this one:
>>>
>>> Extended IP access list LOOP
>>> 10 deny icmp 1.1.0.0 0.0.255.255 any echo-reply (10 matches)
>>> 20 permit ip any any
>>>
>>> I've set up 'no ip unreachable' on R1's Loop0, but as far as I get a reply I
>>> guess this doesn't apply..
>>> or am I missing something?
>>>
>>> R2#ping 1.1.1.1 rep 2
>>>
>>> Type escape sequence to abort.
>>> Sending 2, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
>>> !!
>>>
>>> R2#ping 1.1.3.1 rep 2
>>>
>>> Sending 2, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
>>> ..
>>> Success rate is 0 percent (0/2)
>>>
>>>
>>>
>>> thanks
>>>
>>>
>>>
>>> On Mon, Oct 1, 2012 at 9:44 AM, Joseph L. Brunner
>>> <joe_at_affirmedsystems.com> wrote:
>>>
>>> > This is an often overlooked feature - ip unreachables! So even though the
>>> > router will block your pings from being sent when leaving g0/14 - it's
>>> > giving you a little hint to STOP SENDING THEM!
>>> >
>>> > On the loopback interface -
>>> >
>>> > int loop0
>>> > !
>>> > no ip unreachables
>>> > !
>>> >
>>> > I suggest you read this useful link on securing IOS routers -
>>> >
>>> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
>>> >
>>> > and this timeless whitepaper - which is a great use of our tax money :0)
>>> >
>>> > http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
>>> >
>>> >
>>> > :)
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
>>> > Of muhammad adnan
>>> > Sent: Monday, October 01, 2012 5:29 AM
>>> > To: Cisco certification
>>> > Subject: any icmp access-list mistake....
>>> >
>>> > Dear all group members:-
>>> >
>>> > I am doing a small test. I want to block all pings from my PC attached
>>> > at gi0/14 to 192.168.x.0 255.255.255.0.
>>> >
>>> > When I applied the access-list stated below, ping replies were blocked from all
>>> > addresses in 192.168.x.0 255.255.255.0 except 192.168.x.1. 192.168.x.1 is
>>> > directly connected to my switch but the rest of the loopback addresses are 1 hop
>>> > away.
>>> >
>>> >
>>> > I already cleared CEF and the ARP cache.
>>> >
>>> >
>>> > and I am unable to find a stupid mistake or any reason why 192.168.x.1
>>> > gives me an echo reply.
>>> >
>>> > any idea....
>>> >
>>> > interface Loopback0
>>> > ip address 192.168.x.1 255.255.255.255
>>> >
>>> > interface GigabitEthernet0/14
>>> > description ......
>>> > no switchport
>>> > ip address x.x.x.x 255.255.255.252
>>> > ip access-group loop-back out
>>> >
>>> > ip access-list extended loop-back
>>> > deny icmp host 192.168.x.1 any echo-reply
>>> > deny icmp 192.168.x.0 0.0.0.255 any echo-reply
>>> > permit ip any any
>>> >
>>> >
>>> > Blogs and organic groups at http://www.ccie.net
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>>> >
>>> >
>>>
>>>
>>> --
>>> @ccie99999

Received on Mon Oct 01 2012 - 11:40:01 ART

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART
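The whole thread turns on one distinction: an outbound interface ACL is evaluated for packets the router forwards, not for packets the router itself originates, so R3's echo-replies transiting R1 are denied while R1's own loopback replies are untouched, and only a control-plane policy (Marc's CoPP class) catches the latter. The Python model below is an added example, not code from the thread or from Cisco: it parses IOS-style extended ACEs (including `host`, `any` and contiguous wildcard masks, plus the sequence numbers and `(N matches)` counters that `show ip access-lists` prints), evaluates them with first-match-wins and the implicit deny, and replays the R2/R1/R3 lab. R2's address (1.1.12.2) is constructed because the thread never gives it; the "locally generated packets skip outbound ACLs" and "CoPP classifies on the ACL's permit entries" rules are modelled as documented IOS behaviour, not measured here.

```python
"""Model of why an outbound interface ACL blocks transit echo-replies but not
replies the router itself sends, and how a CoPP class catches the latter.
Added example; the parser and the R1/R2/R3 scenario are constructed from the
thread's addresses and are not taken from any real IOS code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp" or anything else ("tcp", "udp", ...)
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ... for ICMP


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # only meaningful when proto == "icmp"


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i].
    Returns (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    # IOS wildcard bits are "don't care" bits; only a contiguous run of them
    # maps onto a prefix length, which is all this simplified parser supports.
    if wildcard != (1 << wildcard.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} not supported here")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE, as typed or as shown by 'show ip access-lists'
    (a leading sequence number and a trailing '(N matches)' are ignored)."""
    line = re.sub(r"\(\d+ matches?\)", "", line).strip()
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    icmp_type = tokens[i] if proto == "icmp" and i < len(tokens) else None
    return Ace(action, proto, src, dst, icmp_type)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


def interface_outbound(acl: List[Ace], pkt: Packet, locally_generated: bool) -> str:
    """Outbound interface ACLs apply to forwarded (transit) packets only;
    packets the router itself originates are not checked against them."""
    if locally_generated:
        return "permit"
    return evaluate(acl, pkt)


def copp_output(copp_acl: List[Ace], pkt: Packet) -> str:
    """'match access-group' classifies on the ACL's *permit* entries, so with a
    'drop' action in the policy-map a permit in the ACL means the packet is dropped."""
    return "drop" if evaluate(copp_acl, pkt) == "permit" else "permit"


# Constructed from the thread: ACL LOOP applied 'out' on R1 fa0/0 (towards R2).
ACL_LOOP = parse_acl("""
10 deny icmp 1.1.0.0 0.0.255.255 any echo-reply (10 matches)
20 permit ip any any
""")

# Marc's CoPP classifier for replies sourced from R1's own loopback.
ACL_R1_LOOPBACK = parse_acl("permit icmp host 1.1.1.1 any echo-reply")


def replies_reaching_r2(copp: bool = False) -> dict:
    """Fate of the two echo-replies heading back to R2 (address 1.1.12.2 is constructed)."""
    r2 = "1.1.12.2"  # constructed; the thread never gives R2's address
    from_r1 = Packet(src="1.1.1.1", dst=r2, proto="icmp", icmp_type="echo-reply")
    from_r3 = Packet(src="1.1.3.1", dst=r2, proto="icmp", icmp_type="echo-reply")
    results = {}
    # R3's reply transits R1 and leaves via fa0/0: the outbound ACL applies.
    results["ping 1.1.3.1"] = interface_outbound(ACL_LOOP, from_r3, locally_generated=False)
    # R1's reply is control-plane traffic R1 generates itself: the outbound ACL is skipped ...
    verdict = interface_outbound(ACL_LOOP, from_r1, locally_generated=True)
    # ... unless a control-plane service-policy drops it before it is ever sent.
    if copp and copp_output(ACL_R1_LOOPBACK, from_r1) == "drop":
        verdict = "drop"
    results["ping 1.1.1.1"] = verdict
    return results


if __name__ == "__main__":
    print("interface ACL only:", replies_reaching_r2())
    print("interface ACL + CoPP:", replies_reaching_r2(copp=True))
```

Without CoPP the model reproduces the lab: the reply from 1.1.3.1 is denied by sequence 10 while the reply from 1.1.1.1 is delivered; with the control-plane policy the loopback reply is dropped as well. Note that `no ip unreachables` only suppresses the ICMP unreachable messages a router sends when it drops a packet; it never changes whether a reply is delivered, which is why setting it on Loop0 changed nothing in the lab.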