ACL blocking ping
04-02-2019 09:42 AM
Hi,
I have 2 VSP 7k connected via vIST and I have 2 VSP 4k connected to those 7k using SPB.
All the routing and L3 VLANs are created in the VSP 7k.
VLAN mgmt is 1000 (172.16.10.0/26) and I also have other VLANs configured.
I plugged my notebook into the VSP 4k with a static IP 10.222.10.100 and I can ping the 172.16.10.0 network normally.
I am trying to block ping from VLAN 12 (10.222.12.0/24).
I created an ACL trying to block this but it didn't work. I am still pinging from my PC.
filter acl 1 type inVlan name "ICMP_BLOCK"
filter acl vlan 1 1000
filter acl ace 1 5 name "Vlan 1000"
filter acl ace action 1 5 deny
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 src-ip eq 10.222.12.100
filter acl ace ip 1 5 dst-ip eq 172.16.10.1
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 ip-protocol-type eq icmp
filter acl ace 1 5 enable
Anything that could help!
Thanks
3 REPLIES
04-02-2019 04:05 PM
I didn't set this configuration on a specific port. I configured it for the whole VLAN.
If I set the src and dst IP to mask, I keep pinging the other VLAN.
I tried it as well, without success.
filter acl 1 type inVlan name "ACL-1"
filter acl vlan 1 1000
filter acl ace 1 1 name "MGMT_Ping"
filter acl ace action 1 1 permit
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip 1 1 src-ip mask 10.222.12.0 0.0.0.255
filter acl ace ip 1 1 dst-ip eq 172.16.10.1
filter acl ace 1 1 enable
filter acl ace 1 2 name "ACE-deny"
filter acl ace action 1 2 deny
filter acl ace ethernet 1 2 ether-type eq ip
filter acl ace 1 2 enable
04-02-2019 04:03 PM
I didn't set this configuration on a specific port. I configured it for the whole VLAN.
If I set the src and dst IP to mask, I keep pinging the other VLAN.
04-02-2019 01:57 PM
Silly question - Did you assign that ACL to the correct port?
What happens if you change eq to mask and use 10.222.12.0 0.0.0.255 and 172.16.10.0 0.0.0.31?
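As an added illustration (this is not code from the thread or from Extreme Networks), the Python model below evaluates the ACE from the original post against constructed ICMP packets, comparing the `eq` single-host match with the wildcard `mask` form suggested in the last reply. The ACE number, the VLAN binding and the addresses are taken from the thread; the packets are constructed, the first-match ACE order and the permit-when-nothing-matches default are assumptions of the model, and the `ether-type eq ip` qualifier is treated as implicit because every constructed packet is IPv4.

```python
# Added example, not from the thread: a small first-match model of an inVlan
# ACL, used to compare "eq" (exact host) with "mask" (wildcard) matching.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "icmp", "tcp", ...
    in_vlan: int    # VLAN on which the frame enters the switch


@dataclass
class Match:
    # (address, wildcard): wildcard 0.0.0.0 is the "eq" form, i.e. exact host
    src: Optional[Tuple[str, str]] = None
    dst: Optional[Tuple[str, str]] = None
    proto: Optional[str] = None


@dataclass
class Ace:
    seq: int
    name: str
    action: str     # "permit" or "deny"
    match: Match


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits that are 0 in the wildcard must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def eq(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")


def mask(ip: str, wildcard: str) -> Tuple[str, str]:
    return (ip, wildcard)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    m = ace.match
    if m.src and not wildcard_match(pkt.src_ip, *m.src):
        return False
    if m.dst and not wildcard_match(pkt.dst_ip, *m.dst):
        return False
    if m.proto and pkt.proto != m.proto:
        return False
    return True


def evaluate(acl_vlans, aces, pkt: Packet, default: str = "permit"):
    """inVlan ACL: only frames entering on a bound VLAN are evaluated (assumed
    model); the lowest-numbered matching ACE decides, otherwise the default."""
    if pkt.in_vlan not in acl_vlans:
        return ("not-evaluated", None)
    for ace in sorted(aces, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return (ace.action, ace.seq)
    return (default, None)


# ACL 1 as posted: bound to VLAN 1000, ACE 5 with "eq" host matches
ACL_VLANS = {1000}
EQ_ACL = [Ace(5, "Vlan 1000", "deny",
              Match(src=eq("10.222.12.100"), dst=eq("172.16.10.1"), proto="icmp"))]
# Same ACE with the wildcard masks suggested in the last reply
MASK_ACL = [Ace(5, "Vlan 1000", "deny",
                Match(src=mask("10.222.12.0", "0.0.0.255"),
                      dst=mask("172.16.10.0", "0.0.0.31"), proto="icmp"))]


def classify(pkt: Packet) -> dict:
    """Result of the posted ACL and of the masked variant for one packet."""
    return {"eq": evaluate(ACL_VLANS, EQ_ACL, pkt),
            "mask": evaluate(ACL_VLANS, MASK_ACL, pkt)}


if __name__ == "__main__":
    # Constructed packets: the exact host, another host in 10.222.12.0/24,
    # the notebook from the post (10.222.10.100), and the same flow on VLAN 12.
    for pkt in (Packet("10.222.12.100", "172.16.10.1", "icmp", 1000),
                Packet("10.222.12.50", "172.16.10.1", "icmp", 1000),
                Packet("10.222.10.100", "172.16.10.1", "icmp", 1000),
                Packet("10.222.12.100", "172.16.10.1", "icmp", 12)):
        print(pkt, classify(pkt))
```

Running it shows the two points the thread turns on: with `eq`, only 10.222.12.100 itself is denied and any other host in 10.222.12.0/24 (or the notebook at 10.222.10.100) falls through to the default, whereas the `mask` form denies the whole /24 towards the 172.16.10.0/27 range; and because the ACL is of type inVlan and bound to VLAN 1000 only, a frame entering on VLAN 12 is never evaluated by it at all in this model.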
