Re: any icmp access-list mistake....

From: marc edwards <renorider_at_gmail.com>
Date: Mon, 1 Oct 2012 09:11:14 -0700

So the ping from R2 through R1 to R3 is blocked because the ACL you applied
on router 1 is for data forwarding.

When you ping the loopback of the router, it is control-plane traffic.

You can apply CoPP if you want to stop this type of traffic.

On R1:

!
ip access-list extended R1-loop-back
 permit icmp host 1.1.1.1 any echo-reply

!
class-map match-all control-ping
 match access-group name R1-loop-back
!
policy-map control-ping
 class control-ping
   drop
!
control-plane
 service-policy output control-ping

HTH

Marc
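Added example, not from any post in this thread: the behaviour both labs hit is that an outbound ACL on an IOS interface only inspects transit packets; packets the router itself generates (the echo-replies sourced from its own loopback) are never checked against it, while echo-replies from loopbacks one hop away are transit traffic and do get dropped. The config below is illustrative, written against the R2 - R1 - R3 lab above (R1 Loop0 = 1.1.1.1, fa0/0 facing R2); the ACL, class-map and policy-map names are assumed, and it filters the inbound echo-request, which is still checked, instead of the locally generated reply.

```ios
! Added example, not from the thread. Names NO-PING-LOOP, COPP-PING and COPP
! are assumed; addresses follow the R2 - R1 - R3 lab (R1 Loop0 = 1.1.1.1).
!
! Why the original "deny icmp ... echo-reply" applied OUT never matches the
! loopback replies: an outbound ACL on fa0/0 sees only transit packets.
! Echo-replies R1 sends from 1.1.1.1 are router-originated and bypass it,
! so the counter stays at zero and the ping keeps succeeding.
!
! Option A: drop the echo-request inbound on fa0/0, where the packet is
! still "transit to the router" and IS evaluated. Only host 1.1.1.1 is
! matched, so pings that transit R1 toward R3's loopback are unaffected.
ip access-list extended NO-PING-LOOP
 remark block echo-requests to R1's own loopback before they reach the CPU
 deny   icmp any host 1.1.1.1 echo
 permit ip any any
!
interface FastEthernet0/0
 ip access-group NO-PING-LOOP in
!
! Option B: the same filter as CoPP in the input direction, which is the
! direction every CoPP-capable IOS platform supports. Match the request
! heading for the control plane rather than the reply leaving it.
ip access-list extended COPP-PING
 permit icmp any host 1.1.1.1 echo
!
class-map match-all COPP-PING
 match access-group name COPP-PING
!
policy-map COPP
 class COPP-PING
  drop
!
control-plane
 service-policy input COPP
!
! Verify from R2: "ping 1.1.1.1" should now time out, "ping 1.1.3.1"
! (R3 Loop0, transit through R1) is unaffected by the loopback entries,
! and "show ip access-lists NO-PING-LOOP" or
! "show policy-map control-plane" shows the matches/drops incrementing.
```

Note that "no ip unreachables" on the loopback does not change this: it only suppresses the ICMP unreachables the router would generate when it drops a packet, and in the original lab nothing destined for the loopback was being dropped at all, which is why the replies kept coming back.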

On Mon, Oct 1, 2012 at 5:25 AM, ccie99999 <ccie99999_at_gmail.com> wrote:

> Well, I did lab that and I'm confused.
>
> I have the same behaviour.
>
> R3 - R1 - R2
>
> from R2 I ping R1's L0 and I got replies.
> from R3 I ping R3's L0 and I don't get replies.
>
> R1's Loop0 is 1.1.1.1/24
> R3's Loop0 is 1.1.3.1/24
>
> access-list applied to R1 fa0/0 (side R2) is this one:
>
> Extended IP access list LOOP
> 10 deny icmp 1.1.0.0 0.0.255.255 any echo-reply (10 matches)
> 20 permit ip any any
>
> I've setup 'no ip unreachable' on R1's Loop0 but as far as I get a reply I
> guess this doesn't apply..
> or am I missing something?
>
> R2#ping 1.1.1.1 rep 2
>
> Type escape sequence to abort.
> Sending 2, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> !!
>
> R2#ping 1.1.3.1 rep 2
>
> Sending 2, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
> ..
> Success rate is 0 percent (0/2)
>
>
>
> thanks
>
>
>
> On Mon, Oct 1, 2012 at 9:44 AM, Joseph L. Brunner
> <joe_at_affirmedsystems.com>wrote:
>
> > This is an often overlooked feature - ip unreachables! So even though the
> > router will block your pings from being sent when leaving g0/14 - it's
> > giving you a little hint to STOP SENDING THEM!
> >
> > On the loopback interface -
> >
> > int loop0
> > !
> > no ip unreachables
> > !
> >
> > I suggest you read this useful link on securing IOS routers -
> >
> >
> >
> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
> >
> > and this timeless whitepaper - which is a great use of our tax money :0)
> >
> > http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
> >
> >
> > :)
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > muhammad adnan
> > Sent: Monday, October 01, 2012 5:29 AM
> > To: Cisco certification
> > Subject: any icmp access-list mistake....
> >
> > Dear all group members:-
> >
> > I am doing a small test. I want to block all pings from my PC attached at
> > gi0/14 to 192.168.x.0 255.255.255.0.
> >
> > When I applied the access-list stated below, ping replies were blocked from
> > all addresses in 192.168.x.0 255.255.255.0 except 192.168.x.1. 192.168.x.1 is
> > directly connected to my switch but the rest of the loopback addresses are 1
> > hop away.
> >
> >
> > I already cleared the CEF and ARP cache.
> >
> >
> > and I am unable to find a stupid mistake or any reason why 192.168.x.1
> > gives me an echo reply
> >
> > any idea....
> >
> >
> >
> >
> >
> > interface Loopback0
> > ip address 192.168.x.1 255.255.255.255
> >
> > interface GigabitEthernet0/14
> > description ......
> > no switchport
> > ip address x.x.x.x 255.255.255.252
> > ip access-group loop-back out
> >
> >
> >
> >
> > ip access-list extended loop-back
> > deny icmp host 192.168.x.1 any echo-reply
> > deny icmp 192.168.x.0 0.0.0.255 any echo-reply
> > permit ip any any
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
> --
> @ccie99999
>
>

Received on Mon Oct 01 2012 - 09:11:14 ART

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART