Hello,
If you try applying the acl inbound, that should work.
On Mon, Oct 1, 2012 at 7:40 PM, marc edwards <renorider_at_gmail.com> wrote:
> NP. In summary, through-the-router traffic (data) can be blocked at the
> interface. To-the-router traffic (control) is blocked with CoPP.
>
> Marc
>
> On Mon, Oct 1, 2012 at 11:36 AM, ccie99999 <ccie99999_at_gmail.com> wrote:
>
> > OMG.. I know that was easy.. I was confused. Sorry.
> >
> > @ccie99999
> > On 01/Oct/2012 18:11, "marc edwards" <renorider_at_gmail.com> wrote:
> >
> >> So the ping from R2 through R1 to R3 is blocked because the ACL you
> >> applied on router 1 is for data forwarding.
> >>
> >> When you ping loopback of the router, it is control-plane traffic.
> >>
> >> You can apply CoPP if you want to stop this type of traffic.
> >>
> >> On R1:
> >>
> >> !
> >> ip access-list extended R1-loop-back
> >> permit icmp host 1.1.1.1 any echo-reply
> >>
> >> !
> >> class-map match-all control-ping
> >> match access-group name R1-loop-back
> >> !
> >> policy-map control-ping
> >> class control-ping
> >> drop
> >> !
> >> control-plane
> >> service-policy output control-ping
> >>
> >> HTH
> >>
> >> Marc
> >>
> >> On Mon, Oct 1, 2012 at 5:25 AM, ccie99999 <ccie99999_at_gmail.com> wrote:
> >>
> >>> Well, I did lab that and I'm confused.
> >>>
> >>> I have the same behaviour.
> >>>
> >>> R3 - R1 - R2
> >>>
> >>> from R2 I ping R1's L0 and I got replies.
> >>> from R3 I ping R3's L0 and I don't get replies.
> >>>
> >>> R1's Loop0 is 1.1.1.1/24
> >>> R3's Loop0 is 1.1.3.1/24
> >>>
> >>> access-list applied to R1 fa0/0 (side R2) is this one:
> >>>
> >>> Extended IP access list LOOP
> >>> 10 deny icmp 1.1.0.0 0.0.255.255 any echo-reply (10 matches)
> >>> 20 permit ip any any
> >>>
> >>> I've set up 'no ip unreachable' on R1's Loop0 but as far as I get a reply
> >>> I guess this doesn't apply..
> >>> or am I missing something?
> >>>
> >>> R2#ping 1.1.1.1 rep 2
> >>>
> >>> Type escape sequence to abort.
> >>> Sending 2, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> >>> !!
> >>>
> >>> R2#ping 1.1.3.1 rep 2
> >>>
> >>> Sending 2, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
> >>> ..
> >>> Success rate is 0 percent (0/2)
> >>>
> >>>
> >>>
> >>> thanks
> >>>
> >>>
> >>>
> >>> On Mon, Oct 1, 2012 at 9:44 AM, Joseph L. Brunner
> >>> <joe_at_affirmedsystems.com>wrote:
> >>>
> >>> > This is an often overlooked feature - ip unreachables! So even though
> >>> > the router will block your pings from being sent when leaving g0/14 - it's
> >>> > giving you a little hint to STOP SENDING THEM!
> >>> >
> >>> > On the loopback interface -
> >>> >
> >>> > int loop0
> >>> > !
> >>> > no ip unreachables
> >>> > !
> >>> >
> >>> > I suggest you read this useful link on securing IOS routers -
> >>> >
> >>> >
> >>> >
> >>> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
> >>> >
> >>> > and this timeless whitepaper - which is a great use of our tax money :0)
> >>> >
> >>> > http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
> >>> >
> >>> >
> >>> > :)
> >>> >
> >>> >
> >>> > -----Original Message-----
> >>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >>> > muhammad adnan
> >>> > Sent: Monday, October 01, 2012 5:29 AM
> >>> > To: Cisco certification
> >>> > Subject: any icmp access-list mistake....
> >>> >
> >>> > Dear all group members:-
> >>> >
> >>> > I am doing a small test. I want to block all pings from my PC attached
> >>> > at gi0/14 to 192.168.x.0 255.255.255.0.
> >>> >
> >>> > When I applied the access-list stated below, ping replies were blocked from
> >>> > all addresses in 192.168.x.0 255.255.255.0 except 192.168.x.1. 192.168.x.1
> >>> > is directly connected to my switch, but the rest of the loopback addresses
> >>> > are 1 hop away.
> >>> >
> >>> >
> >>> > I already cleared the CEF and ARP caches.
> >>> >
> >>> >
> >>> > and I am unable to find a stupid mistake or any reason why 192.168.x.1
> >>> > gives me an echo reply.
> >>> >
> >>> > any idea....
> >>> >
> >>> > interface Loopback0
> >>> > ip address 192.168.x.1 255.255.255.255
> >>> >
> >>> > interface GigabitEthernet0/14
> >>> > description ......
> >>> > no switchport
> >>> > ip address x.x.x.x 255.255.255.252
> >>> > ip access-group loop-back out
> >>> >
> >>> >
> >>> > ip access-list extended loop-back
> >>> > deny icmp host 192.168.x.1 any echo-reply
> >>> > deny icmp 192.168.x.0 0.0.0.255 any echo-reply
> >>> > permit ip any any
> >>> >
> >>> >
> >>> > Blogs and organic groups at http://www.ccie.net
> >>> >
> >>> >
> _______________________________________________________________________
> >>> > Subscription information may be found at:
> >>> > http://www.groupstudy.com/list/CCIELab.html
> >>> >
> >>>
> >>> --
> >>> @ccie99999
Received on Thu Oct 04 2012 - 11:44:30 ART
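An added illustration (my own, not code from any post in the thread): a small Python model of the behaviour discussed above, built from ccie99999's ACL LOOP and Marc's CoPP class ACL R1-loop-back. It assumes the usual IOS rule that outbound interface ACLs skip router-originated packets while inbound ACLs and the CoPP output policy do see them; R2's address is a constructed placeholder, since the thread never gives it.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip): return (ip, "0.0.0.0")

def ace(action, src, dst, icmp_type=None):
    """One access-list entry; src/dst are (base, wildcard); None = any ICMP type."""
    return dict(action=action, src=src, dst=dst, icmp_type=icmp_type)

def acl_lookup(acl, pkt):
    for a in acl:
        if (wc_match(pkt["src"], *a["src"]) and wc_match(pkt["dst"], *a["dst"])
                and a["icmp_type"] in (None, pkt["icmp_type"])):
            return a["action"]
    return "deny"                          # implicit deny at the end of every ACL

def interface_in(acl, pkt):
    return acl_lookup(acl, pkt)            # inbound ACLs see transit AND to-the-router packets

def interface_out(acl, pkt):
    # Assumed IOS behaviour: outbound interface ACLs filter forwarded traffic only;
    # packets the router generates itself (e.g. its own echo-replies) bypass them.
    return "permit" if pkt["origin"] == "self" else acl_lookup(acl, pkt)

def copp_output(class_acl, pkt):
    # CoPP 'service-policy output': the class matches when its ACL permits -> drop.
    # It only ever sees router-originated (control-plane) traffic.
    return "drop" if pkt["origin"] == "self" and acl_lookup(class_acl, pkt) == "permit" else "permit"

R2 = "10.0.0.2"  # constructed placeholder: the thread does not give R2's address
LOOP = [ace("deny", ("1.1.0.0", "0.0.255.255"), ANY, "echo-reply"),   # ccie99999's ACL, R1 fa0/0 out
        ace("permit", ANY, ANY)]
LOOP_IN = [ace("deny", ANY, ("1.1.0.0", "0.0.255.255"), "echo"),      # same idea applied inbound
           ace("permit", ANY, ANY)]
R1_LOOP_BACK = [ace("permit", host("1.1.1.1"), ANY, "echo-reply")]     # Marc's CoPP class ACL

def r3_reply_out():     # echo-reply from R3's Loop0, forwarded by R1 -> dropped (transit)
    return interface_out(LOOP, dict(src="1.1.3.1", dst=R2, icmp_type="echo-reply", origin="transit"))
def r1_reply_out():     # echo-reply from R1's own Loop0 -> bypasses the outbound ACL
    return interface_out(LOOP, dict(src="1.1.1.1", dst=R2, icmp_type="echo-reply", origin="self"))
def r1_echo_in():       # the top reply's fix: deny the echo inbound before R1 answers
    return interface_in(LOOP_IN, dict(src=R2, dst="1.1.1.1", icmp_type="echo", origin="to-router"))
def r1_reply_copp():    # Marc's fix: CoPP drops R1's own echo-replies
    return copp_output(R1_LOOP_BACK, dict(src="1.1.1.1", dst=R2, icmp_type="echo-reply", origin="self"))

if __name__ == "__main__":
    for f in (r3_reply_out, r1_reply_out, r1_echo_in, r1_reply_copp):
        print(f"{f.__name__:14} -> {f()}")
```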