chriswahl
Virtuoso

What if I want to disallow EVERYTHING except ICMP to .254? How should I do that?

You'd just need a permit statement for that traffic prior to a matching drop rule.

Do a logical walkthrough:

Rule 1 =

action: drop

traffic direction: egress

protocol is icmp

source ip address any

destination is not x.x.x.254

This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 does not match this rule. The ACL moves on to the next rule.

Rule 2 =

action: drop

traffic direction: egress

protocol is any

source ip is any

destination ip is any

This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 DOES match this rule. The packet is dropped.


Instead, make sure Rule 1 is a permit that allows traffic matching your x.x.x.254 traffic. The ACL will match the rule to the traffic and permit it and stop looking at the rules, even if there is a drop rule further down the list.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
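As an added example (not part of chriswahl's post or any vendor's API), here is a small Python first-match ACL evaluator that reproduces the walkthrough above: the same two packets are run through the drop-first ordering and then through the corrected permit-first ordering. The 10.0.0.0/24 addresses and the rule field names are constructed assumptions.

```python
# Added example: first-match ACL evaluation, showing why rule order decides the outcome.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str               # "permit" or "drop"
    direction: str            # "egress" or "ingress"
    protocol: str             # "icmp", "tcp", "udp" or "any"
    src: str                  # CIDR/host or "any"
    dst: str                  # CIDR/host or "any"
    negate_dst: bool = False  # True means "destination is NOT dst"


@dataclass
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str


def _match_addr(spec: str, addr: str, negate: bool = False) -> bool:
    hit = spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
    return (not hit) if negate else hit


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst, rule.negate_dst))


def evaluate(acl, pkt: Packet, default: str = "drop"):
    """First matching rule wins; later rules are never consulted."""
    for index, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default, None  # implicit default when nothing matched


# Constructed sample packets: a ping to the .254 host and a ping to another host.
PING_254 = Packet("egress", "icmp", "10.0.0.7", "10.0.0.254")
PING_10 = Packet("egress", "icmp", "10.0.0.7", "10.0.0.10")

# Ordering from the walkthrough: "drop ICMP not to .254" then "drop all" -> .254 ping still dropped by rule 2.
BROKEN_ACL = [
    Rule("drop", "egress", "icmp", "any", "10.0.0.254/32", negate_dst=True),
    Rule("drop", "egress", "any", "any", "any"),
]
# Corrected ordering: an explicit permit for ICMP to .254 placed before the catch-all drop.
FIXED_ACL = [
    Rule("permit", "egress", "icmp", "any", "10.0.0.254/32"),
    Rule("drop", "egress", "any", "any", "any"),
]
```

`evaluate(BROKEN_ACL, PING_254)` returns `("drop", 2)` while `evaluate(FIXED_ACL, PING_254)` returns `("permit", 1)`; both orderings drop the ping to .10.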