What if I want to disallow EVERYTHING except ICMP to .254? How should I do that?
You'd just need a permit statement for that traffic prior to a matching drop rule.
Do a logical walkthrough:
Rule 1 =
action: drop
traffic direction: egress
protocol is icmp
source ip address any
destination is not x.x.x.254
This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 does not match this rule. The ACL moves on to the next rule.
Rule 2 =
action: drop
traffic direction: egress
protocol is any
source ip is any
destination ip is any
This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 DOES match this rule. The packet is dropped.
Instead, make sure Rule 1 is a permit that allows traffic matching your x.x.x.254 traffic. The ACL will match the rule to the traffic and permit it and stop looking at the rules, even if there is a drop rule further down the list.
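The first-match walkthrough in the answer above, as an added example that is not part of the original thread and not any vendor's ACL code: a small Python evaluator that applies rules top-down and stops at the first hit, then runs the same ICMP packet through both the "drop first" ordering and the "permit first" ordering. The addresses (192.0.2.x), the field names, and the implicit-deny default are assumptions chosen for the demonstration; substitute your own subnet for x.x.x.254.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "drop"
    direction: str         # "egress", "ingress" or "any"
    protocol: str          # "icmp", "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    negate_dst: bool = False   # True models "destination is NOT <dst>"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str


def _addr_matches(spec, addr, negate=False):
    """Match an address against "any" or a CIDR, optionally inverted."""
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return (not hit) if negate else hit


def rule_matches(rule, pkt):
    """A rule matches only when every one of its fields matches the packet."""
    return (rule.direction in ("any", pkt.direction)
            and rule.protocol in ("any", pkt.protocol)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst, rule.negate_dst))


def evaluate(acl, pkt, default="drop"):
    """First-match semantics: return (action, rule_index) for the first rule
    that matches, or (default, None) when no rule matches. The original post
    does not say what the list does when nothing matches; an implicit deny
    ("drop") is assumed here, which is the common behaviour."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


def trace(acl, pkt):
    """Logical walkthrough: one line per rule examined, stopping at the first hit."""
    lines = []
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            lines.append(f"rule {i + 1}: {rule.action} rule, packet MATCHES -> {rule.action}, stop")
            break
        lines.append(f"rule {i + 1}: {rule.action} rule, packet does not match, next rule")
    return lines


# Constructed sample data: the gateway x.x.x.254 is 192.0.2.254 (documentation range).
GATEWAY = "192.0.2.254/32"
ICMP_TO_GATEWAY = Packet("egress", "icmp", "192.0.2.10", "192.0.2.254")

# Ordering from the question: two drop rules, no permit. The ICMP packet falls through
# the first (it is not "to a non-.254 address") and is eaten by the catch-all drop.
WRONG_ORDER = [
    Rule("drop", "egress", "icmp", "any", GATEWAY, negate_dst=True),
    Rule("drop", "egress", "any", "any", "any"),
]

# Ordering from the answer: an explicit permit for the wanted traffic ahead of the drop.
RIGHT_ORDER = [
    Rule("permit", "egress", "icmp", "any", GATEWAY),
    Rule("drop", "egress", "any", "any", "any"),
]


if __name__ == "__main__":
    for name, acl in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(f"== {name}: ICMP to .254 -> {evaluate(acl, ICMP_TO_GATEWAY)[0]}")
        for line in trace(acl, ICMP_TO_GATEWAY):
            print("   ", line)
```

Running it shows the two outcomes side by side: with the drop rules only, the packet is dropped by rule 2; with the permit in front, rule 1 matches and evaluation stops before the catch-all drop is ever consulted. Feeding `evaluate` a few other packets (ICMP to a different host, TCP to .254) confirms that everything else still hits the drop rule, which is the quickest sanity check to run before pushing an ordering change to a live ACL.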