Re: any icmp access-list mistake....

From: marc edwards <renorider_at_gmail.com>
Date: Thu, 4 Oct 2012 08:30:42 -0700

Bobola,

Good point.... So long as ACL is ingress on interface facing R2 the
traffic can be choked before it hits the loopback.

2 solutions to the same problem (unless there are added restrictions
one way or the other....).

On Thu, Oct 4, 2012 at 3:44 AM, Bobola Oke <okebobola_at_gmail.com> wrote:
> Hello,
>
> If you try applying the acl inbound, that should work.
>
>
> On Mon, Oct 1, 2012 at 7:40 PM, marc edwards <renorider_at_gmail.com> wrote:
>>
>> NP. In summary, through the router (data) can be blocked at interface. To
>> the router traffic (control) is blocked with CoPP
>>
>> Marc
>>
>> On Mon, Oct 1, 2012 at 11:36 AM, ccie99999 <ccie99999_at_gmail.com> wrote:
>>
>> > OMG.. I know that was easy.. I was confused. Sorry.
>> >
>> > @ccie99999
>> > Il giorno 01/ott/2012 18:11, "marc edwards" <renorider_at_gmail.com> ha
>> > scritto:
>> >
>> >> So the ping from R2 through R1 to R3 is blocked because the ACL you
>> >> applied on router 1 is for data forwarding.
>> >>
>> >> When you ping loopback of the router, it is control-plane traffic.
>> >>
>> >> You can apply CoPP if you want to stop this type of traffic.
>> >>
>> >> On R1:
>> >>
>> >> !
>> >> ip access-list extended R1-loop-back
>> >> permit icmp host 1.1.1.1 any echo-reply
>> >>
>> >> !
>> >> class-map match-all control-ping
>> >> match access-group name R1-loop-back
>> >> !
>> >> policy-map control-ping
>> >> class control-ping
>> >> drop
>> >> !
>> >> control-plane
>> >> service-policy output control-ping
>> >>
>> >> HTH
>> >>
>> >> Marc
>> >>
>> >> On Mon, Oct 1, 2012 at 5:25 AM, ccie99999 <ccie99999_at_gmail.com> wrote:
>> >>
>> >>> Well, I did lab that and I'm confused.
>> >>>
>> >>> I have the same behaviour.
>> >>>
>> >>> R3 - R1 - R2
>> >>>
>> >>> from R2 I ping R1's L0 and I got replies.
>> >>> from R3 I ping R3's L0 and I don't get replies.
>> >>>
>> >>> R1's Loop0 is 1.1.1.1/24
>> >>> R3's Loop0 is 1.1.3.1/24
>> >>>
>> >>> access-list applied to R1 fa0/0 (side R2) is this one:
>> >>>
>> >>> Extended IP access list LOOP
>> >>> 10 deny icmp 1.1.0.0 0.0.255.255 any echo-reply (10 matches)
>> >>> 20 permit ip any any
>> >>>
>> >>> I've set up 'no ip unreachable' on R1's Loop0 but as far as I get a reply I
>> >>> guess this doesn't apply..
>> >>> or am I missing something?
>> >>>
>> >>> R2#ping 1.1.1.1 rep 2
>> >>>
>> >>> Type escape sequence to abort.
>> >>> Sending 2, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
>> >>> !!
>> >>>
>> >>> R2#ping 1.1.3.1 rep 2
>> >>>
>> >>> Sending 2, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
>> >>> ..
>> >>> Success rate is 0 percent (0/2)
>> >>>
>> >>> thanks
>> >>>
>> >>> On Mon, Oct 1, 2012 at 9:44 AM, Joseph L. Brunner
>> >>> <joe_at_affirmedsystems.com>wrote:
>> >>>
>> >>> > This is an often overlooked feature - ip unreachables! So even though the
>> >>> > router will block your pings from being sent when leaving g0/14 - it's
>> >>> > giving you a little hint to STOP SENDING THEM!
>> >>> >
>> >>> > On the loopback interface -
>> >>> >
>> >>> > int loop0
>> >>> > !
>> >>> > no ip unreachables
>> >>> > !
>> >>> >
>> >>> > I suggest you read this useful link on securing IOS routers -
>> >>> >
>> >>> >
>> >>> >
>> >>> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
>> >>> >
>> >>> > and this timeless whitepaper - which is a great use of our tax money :0)
>> >>> >
>> >>> > http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
>> >>> >
>> >>> >
>> >>> > :)
>> >>> >
>> >>> >
>> >>> > -----Original Message-----
>> >>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> >>> > muhammad adnan
>> >>> > Sent: Monday, October 01, 2012 5:29 AM
>> >>> > To: Cisco certification
>> >>> > Subject: any icmp access-list mistake....
>> >>> >
>> >>> > Dear all group members:-
>> >>> >
>> >>> > I am doing small testing. I want to block all ping from my PC attached at
>> >>> > gi0/14 to 192.168.x.0 255.255.255.0
>> >>> >
>> >>> > When I applied the access-list stated below, ping reply is blocked from all
>> >>> > addresses 192.168.x.0 255.255.255.0 instead of 192.168.x.1. 192.168.x.1 is
>> >>> > directly connected to my switch but the rest of the loopback addresses are 1
>> >>> > hop away.
>> >>> >
>> >>> >
>> >>> > I already cleared the CEF and ARP cache.
>> >>> >
>> >>> >
>> >>> > and I am unable to find a stupid mistake or any reason why 192.168.x.1
>> >>> > gives me echo reply
>> >>> >
>> >>> > any idea....
>> >>> >
>> >>> > interface Loopback0
>> >>> > ip address 192.168.x.1 255.255.255.255
>> >>> >
>> >>> > interface GigabitEthernet0/14
>> >>> > description ......
>> >>> > no switchport
>> >>> > ip address x.x.x.x 255.255.255.252
>> >>> > ip access-group loop-back out
>> >>> >
>> >>> > ip access-list extended loop-back
>> >>> > deny icmp host 192.168.x.1 any echo-reply
>> >>> > deny icmp 192.168.x.0 0.0.0.255 any echo-reply
>> >>> > permit ip any any
>> >>> >
>> >>> > Blogs and organic groups at http://www.ccie.net
>> >>> >
>> >>> >
>> >>> > _______________________________________________________________________
>> >>> > Subscription information may be found at:
>> >>> > http://www.groupstudy.com/list/CCIELab.html
>> >>> >
>> >>>
>> >>>
>> >>> --
>> >>> @ccie99999
>> >>>
>> >>>
>>
>>
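Worked example, added here as an editor's illustration and not part of any post in the thread: the two fixes the thread converges on, written out for the R3 - R1 - R2 lab above. The root cause is that an outbound interface ACL in IOS is only evaluated for transit (forwarded) packets; an echo-reply that R1 itself generates from Loopback0 is locally originated and is never matched by `ip access-group ... out`, which is why the original poster's `loop-back` ACL on gi0/14 and ccie99999's `LOOP` ACL both let the directly connected loopback answer. Either stop the echo *request* on ingress before R1's control plane sees it (Bobola's suggestion), or drop it at the control plane with CoPP (Marc's approach, shown here on the input side, matching the request rather than the reply). The interface name FastEthernet0/0, the ACL, class-map and policy-map names, and the `log` keyword are assumptions; 1.1.1.1 is R1's Loop0 address from the thread.

```cisco
! ---- Option 1: ingress ACL on the R2-facing interface ----
! The request is dropped in the data plane on the way in, so R1 never
! builds a reply. Transit traffic (R2 -> R3) is still permitted.
ip access-list extended BLOCK-PING-TO-LOOP0
 deny   icmp any host 1.1.1.1 echo log
 permit ip any any
!
interface FastEthernet0/0
 ip access-group BLOCK-PING-TO-LOOP0 in
!
! ---- Option 2: CoPP, input direction ----
! Note the ACL uses "permit": in a class-map, permit means "classify as
! this class"; the drop happens in the policy-map, not in the ACL.
ip access-list extended COPP-PING-LOOP0
 permit icmp any host 1.1.1.1 echo
!
class-map match-all COPP-PING-LOOP0
 match access-group name COPP-PING-LOOP0
!
policy-map COPP
 class COPP-PING-LOOP0
  drop
!
control-plane
 service-policy input COPP
!
! ---- Verification ----
! Option 1: the deny line's hit counter should climb while R2 pings 1.1.1.1.
! show access-lists BLOCK-PING-TO-LOOP0
! Option 2: the class's drop counter should climb instead.
! show policy-map control-plane input
```

Design note: the two options are not mutually exclusive. The ingress ACL is the cheaper one and also protects against the echo being used as transit-reachability probing of the loopback, while CoPP additionally rate-limits or drops what is punted to the CPU regardless of which interface it arrived on, so it still holds if a second interface is added later without the ACL. The same reasoning applies to the original poster's switch: `ip access-group loop-back out` on gi0/14 cannot filter a reply that the switch itself sources from Loopback0, and the one-hop-away loopbacks were blocked only because their replies were transit traffic through gi0/14.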

Received on Thu Oct 04 2012 - 08:30:42 ART

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART