16 Replies Latest reply: Nov 3, 2018 1:37 AM by Shakir

    ping ACL for dhcp server

    Shakir

      Using Cisco Packet Tracer ver 7.2

      I created VLAN 50 for the DHCP server and gave it the address 10.50.50.50 from the 10.50.50.0/24 subnet on a Cisco 3560 switch with ip routing enabled. Interface vlan 50 with ip address 10.50.50.1 255.255.255.0 is also configured.

      My question is that I want to deny ping requests to this DHCP server from any PC or from any network.

      I have written this extended ACL:

      ip access-list extended noping
      deny icmp any host 10.50.50.50
      permit ip any any

      I applied this ACL on interface vlan 50:

      ip access-group noping in

      But ping is not working????

      The switch shows me this output:

      CoreSwitch1#sh access-lists
      Extended IP access list noping
        10 deny icmp any host 10.50.50.50
        20 permit ip any any (20 match(es))

      Can anyone tell me where my mistake is?

      Thanks

        • 1. Re: ping ACL for dhcp server
          Ing_Percy

          Hi!

          Are your PCs and the DHCP server in different subnets? If not, you must apply a VLAN access-map or private VLANs, but Packet Tracer does not support these features.

          Now, if your PCs and DHCP server are in different subnets, then post the topology so we can see which connections they have.

          Best regards!

          • 2. Re: ping ACL for dhcp server
            Shakir

            Hi,
            Yes, my PC and DHCP server are in different subnets; each subnet is a different VLAN. My current level of study is CCNA R&S, and I think access-maps and private VLANs are CCNP-level topics. I am attaching my file.

            DHCP.JPG

            • 3. Re: ping ACL for dhcp server
              Ing_Percy

              Hi!

              The subnet of your DHCP server is on interface vlan 50, so you must apply the ACL in this form:

              ip access-list extended noping
              deny icmp host 10.50.50.50 any echo
              permit ip any any

              interface vlan 50
              ip access-group noping in

              If you can attach the PT file, I can help more.

              Best regards!

              • 4. Re: ping ACL for dhcp server
                Shakir

                Thanks for the reply, Mr. Percy.

                My goal is that no one from any subnet can ping the DHCP server, which is 10.50.50.50.
                I applied this extended ACL, which didn't work:

                ip access-list extended noping
                deny icmp any host 10.50.50.50 echo (no one can ping host 10.50.50.50, which is my DHCP server, but this ACL is not working)
                permit ip any any

                You replied to me with this ACL:

                ip access-list extended noping
                deny icmp host 10.50.50.50 any echo (it means that only host 10.50.50.50 can't ping anyone, which is not my requirement)
                permit ip any any

                Thanks

                • 5. Re: ping ACL for dhcp server
                  Samer

                  You need to adjust the source and destination of the ACL and it will work; see below:

                  ip access-list extended NOPING
                  deny icmp any host 10.50.50.50
                  permit ip any any

                  • 6. Re: ping ACL for dhcp server
                    Shakir

                    There is no file attachment option, so I am sending you my running configuration.

                    CoreSwitch1#sh running-config
                    Building configuration...

                    Current configuration : 3040 bytes
                    !
                    version 12.2(37)SE1
                    no service timestamps log datetime msec
                    no service timestamps debug datetime msec
                    no service password-encryption
                    !
                    hostname CoreSwitch1
                    !
                    !
                    !
                    !
                    !
                    !
                    ip routing
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    !
                    spanning-tree mode rapid-pvst
                    spanning-tree vlan 1,10,20 priority 24576
                    spanning-tree vlan 30,40 priority 28672
                    !
                    !
                    !
                    !
                    !
                    !
                    interface Port-channel1
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    !
                    interface FastEthernet0/1
                    description connection-to-accessSwitch1
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    !
                    interface FastEthernet0/2
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    !
                    interface FastEthernet0/3
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    !
                    interface FastEthernet0/4
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    !
                    interface FastEthernet0/5
                    !
                    interface FastEthernet0/6
                    !
                    interface FastEthernet0/7
                    !
                    interface FastEthernet0/8
                    !
                    interface FastEthernet0/9
                    !
                    interface FastEthernet0/10
                    no switchport
                    ip address 10.10.10.1 255.255.255.252
                    duplex auto
                    speed auto
                    !
                    interface FastEthernet0/11
                    !
                    interface FastEthernet0/12
                    !
                    interface FastEthernet0/13
                    !
                    interface FastEthernet0/14
                    !
                    interface FastEthernet0/15
                    !
                    interface FastEthernet0/16
                    !
                    interface FastEthernet0/17
                    !
                    interface FastEthernet0/18
                    !
                    interface FastEthernet0/19
                    !
                    interface FastEthernet0/20
                    !
                    interface FastEthernet0/21
                    !
                    interface FastEthernet0/22
                    !
                    interface FastEthernet0/23
                    no switchport
                    ip address 192.168.10.2 255.255.255.252
                    duplex auto
                    speed auto
                    !
                    interface FastEthernet0/24
                    switchport access vlan 50
                    switchport mode access
                    switchport nonegotiate
                    switchport port-security
                    switchport port-security mac-address sticky
                    switchport port-security mac-address sticky 0060.3E4E.0847
                    spanning-tree portfast
                    spanning-tree bpduguard enable
                    !
                    interface GigabitEthernet0/1
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    channel-group 1 mode auto
                    !
                    interface GigabitEthernet0/2
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    channel-group 1 mode auto
                    !
                    interface Vlan1
                    ip address 192.168.1.2 255.255.255.0
                    !
                    interface Vlan10
                    mac-address 0009.7c43.5601
                    ip address 172.10.10.1 255.255.255.0
                    ip helper-address 10.50.50.50
                    !
                    interface Vlan20
                    mac-address 0009.7c43.5603
                    ip address 172.20.20.1 255.255.255.0
                    ip helper-address 10.50.50.50
                    !
                    interface Vlan30
                    mac-address 0009.7c43.5604
                    ip address 172.30.30.1 255.255.255.0
                    ip helper-address 10.50.50.50
                    !
                    interface Vlan40
                    mac-address 0009.7c43.5605
                    ip address 172.40.40.1 255.255.255.0
                    ip helper-address 10.50.50.50
                    !
                    interface Vlan50
                    mac-address 0009.7c43.5606
                    ip address 10.50.50.1 255.255.255.0
                    ip access-group noping in
                    !
                    router eigrp 100
                    network 0.0.0.0
                    no auto-summary
                    !
                    ip classless
                    !
                    ip flow-export version 9
                    !
                    !
                    ip access-list extended noping
                    deny icmp host 10.50.50.50 any echo
                    permit ip any any
                    !
                    !
                    !
                    !
                    !
                    !
                    line con 0
                    !
                    line aux 0
                    !
                    line vty 0 4
                    login
                    !
                    !
                    !
                    ntp authentication-key 1234 md5 08224F4008 7
                    ntp server 10.50.50.50
                    ntp master 2
                    ntp update-calendar
                    !
                    end

                    • 7. Re: ping ACL for dhcp server
                      Samer

                      Your original config was correct, but to test this, don't ping the server from the same switch you configured the ACL on.

                      So if you have PC ------ SWITCH (ACL HERE) ------ server, then ping from the PC, not from the switch.

                      • 8. Re: ping ACL for dhcp server
                        Shakir

                        Hi Samer,

                        I am pinging from the PC, but the ping is working; it is not being blocked by the ACL.

                        Packet Tracer PC Command Line 1.0
                        C:\>ping 10.50.50.50

                        Pinging 10.50.50.50 with 32 bytes of data:

                        Reply from 10.50.50.50: bytes=32 time=26ms TTL=127
                        Reply from 10.50.50.50: bytes=32 time<1ms TTL=127
                        Reply from 10.50.50.50: bytes=32 time=132ms TTL=127
                        Reply from 10.50.50.50: bytes=32 time=1ms TTL=127

                        Ping statistics for 10.50.50.50:
                          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                        Approximate round trip times in milli-seconds:
                          Minimum = 0ms, Maximum = 132ms, Average = 39ms

                        C:\>

                        • 9. Re: ping ACL for dhcp server
                          Mark Holm - 3xCCIE #34763/CCDE #2016::20

                          Hi Shakir,

                          Your current access-list only prevents ICMP ping requests from 10.50.50.50 - it does not prevent the response from 10.50.50.50 from being forwarded. The ICMP packet sent in response to a ping request is a different ICMP type. So your access-list should read:

                          ip access-list extended noping
                           deny icmp host 10.50.50.50 any echo-reply
                           permit ip any any

                          This will give you the desired effect. However, this will not prevent users from pinging the server nor prevent the server from responding to the pings. It just prevents the user from receiving the response. So if someone wants to perform a ping flood to the DHCP server, it won't be prevented. To prevent this, you can place the access-list outbound instead:

                          ip access-list extended noping
                           deny icmp any host 10.50.50.50 echo
                           permit ip any any
                          !
                          interface Vlan50
                           no ip access-group noping in
                           ip access-group noping out
                          !

                          Alternatively, you can apply the noping access-list on all of the other SVIs in an inbound direction - this way the switch doesn't have to forward the traffic either.

                          ip access-list extended noping
                           deny icmp any host 10.50.50.50 echo
                           permit ip any any
                          !
                          interface Vlan10
                           ip access-group noping in
                          !
                          interface Vlan20
                           ip access-group noping in
                          !
                          interface Vlan30
                           ip access-group noping in
                          !
                          interface Vlan40
                           ip access-group noping in
                          !

                          Personally, I prefer to use inbound access-lists whenever I can. But either will work.
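                          To make the direction rule concrete, here is a small Python model added here (not code from the thread, Cisco or Packet Tracer) of how an ACL bound "in" or "out" on an SVI sees the echo request and the echo-reply of one ping. It assumes a PC at 172.10.10.10 in VLAN 10 (a constructed address), models only ICMP packets and only "any" / "host X" addresses, and runs the four ACL placements discussed above.

```python
# Constructed model (not IOS code) of how an extended ACL bound to an SVI
# evaluates the ping in this thread. Assumed semantics: an "in" ACL on an
# SVI sees packets whose source is in that SVI's subnet, an "out" ACL sees
# packets whose destination is; every packet modelled is ICMP.
from ipaddress import ip_address, ip_network

SVI_SUBNETS = {"Vlan10": "172.10.10.0/24", "Vlan50": "10.50.50.0/24"}

def parse_ace(line):
    """'deny icmp any host 10.50.50.50 echo' -> (action, proto, src, dst, icmp_type)."""
    tok, pos, addrs = line.split(), 2, []
    for _ in range(2):                      # source spec, then destination spec
        if tok[pos] == "any":
            addrs.append("any"); pos += 1
        elif tok[pos] == "host":
            addrs.append(tok[pos + 1] + "/32"); pos += 2
        else:
            raise ValueError("only 'any' and 'host X' are modelled")
    return (tok[0], tok[1], addrs[0], addrs[1], tok[pos] if pos < len(tok) else "")

def acl_verdict(acl, src, dst, icmp_type):
    """First matching line wins; the ACL ends with an implicit deny."""
    ok = lambda spec, a: spec == "any" or ip_address(a) in ip_network(spec)
    for action, proto, a_src, a_dst, a_type in acl:
        if (proto in ("ip", "icmp") and (not a_type or a_type == icmp_type)
                and ok(a_src, src) and ok(a_dst, dst)):
            return action
    return "deny"

def svi_for(addr):
    return next(n for n, net in SVI_SUBNETS.items() if ip_address(addr) in ip_network(net))

def forwarded(bindings, src, dst, icmp_type):
    """bindings: {("Vlan50", "in"): acl, ...}; True unless an applied ACL denies."""
    ingress, egress = svi_for(src), svi_for(dst)
    for (svi, direction), acl in bindings.items():
        if svi == (ingress if direction == "in" else egress) \
                and acl_verdict(acl, src, dst, icmp_type) == "deny":
            return False
    return True

def ping(bindings, pc="172.10.10.10", server="10.50.50.50"):
    """(request reaches server, reply reaches PC) for one ping from the PC."""
    request = forwarded(bindings, pc, server, "echo")
    return request, request and forwarded(bindings, server, pc, "echo-reply")

# The two ACLs discussed in the thread, typed exactly as in the posts
NOPING_ECHO = [parse_ace("deny icmp any host 10.50.50.50 echo"), parse_ace("permit ip any any")]
NOPING_REPLY = [parse_ace("deny icmp host 10.50.50.50 any echo-reply"), parse_ace("permit ip any any")]

def scenarios():
    return {
        "echo ACL in on Vlan50 (original post)": ping({("Vlan50", "in"): NOPING_ECHO}),
        "echo-reply ACL in on Vlan50": ping({("Vlan50", "in"): NOPING_REPLY}),
        "echo ACL out on Vlan50": ping({("Vlan50", "out"): NOPING_ECHO}),
        "echo ACL in on Vlan10": ping({("Vlan10", "in"): NOPING_ECHO}),
    }
```

The original placement returns (True, True): the request never passes the Vlan50 "in" check because it enters on Vlan10, and the reply is a different ICMP type, so only the permit line counts matches, exactly what the show access-lists output in the first post shows.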

                          • 10. Re: ping ACL for dhcp server
                            Shakir

                            Wow, thanks Mr. Holm. I am very happy and excited that a CCIEx3 has answered my question. Great respect for you, sir.

                            I have applied that ACL outbound too and now it's working.

                            I have one question: why is this ACL working on outbound?

                            Kindly explain it to me; I am a CCNA student.

                            Thanks

                            • 11. Re: ping ACL for dhcp server
                              Ing_Percy

                              Hi!

                              If you want to apply "in" in your access-list, you could put:

                              ip access-list extended noping
                              deny icmp host 10.50.50.50 any echo-reply
                              permit ip any any
                              !
                              interface Vlan50
                              ip access-group noping in

                              ...but the objective is that no packets arrive at your server; for that reason, the "out" ACL is more effective.

                              Best regards!

                              • 12. Re: ping ACL for dhcp server
                                Shakir

                                Thank you

                                • 13. Re: ping ACL for dhcp server
                                  Juergen Ilse CCNA R&S

                                  Ing_Percy wrote:

                                  Hi!

                                  If you want to apply "in" in your access-list, you could put:

                                  ip access-list extended noping
                                  deny icmp host 10.50.50.50 any echo-reply
                                  permit ip any any
                                  !
                                  interface Vlan50
                                  ip access-group noping in

                                  ...but the objective is that no packets arrive at your server; for that reason, the "out" ACL is more effective.

                                  In this case, it will not prevent the ping from reaching the DHCP server; it will only prevent the pinging host from getting an answer to the ping. So I would prefer to filter icmp echo instead of icmp echo-reply, and either put the ACL as an out ACL on interface VLAN50 or as an in ACL on all other interfaces.

                                  • 14. Re: ping ACL for dhcp server
                                    Shakir

                                    Thanks

                                    The ACL should be like this:
                                    deny icmp any host 10.50.50.50 echo-reply

                                    You have written:
                                    deny icmp host 10.50.50.50 any echo-reply

                                    First we have the source, then the destination.
