Switches, Hubs, and Modems

Re: How to stop broadcast ping in a vlan

 
Libras
Occasional Advisor

How to stop broadcast ping in a vlan

Within a VLAN (single VLAN), is it possible to stop broadcast ping, so that no machine in the VLAN responds to ping 192.168.109.255 -b or ping 192.168.109.0 -b?

Libras
9 REPLIES 9
RicN
Valued Contributor

Re: How to stop broadcast ping in a vlan


This might not help you, but if the ping is coming from outside the VLAN I guess disabling directed broadcasts could help.

no ip directed-broadcast

(I am not sure if this is default or not?)
Mohieddin Kharnoub
Honored Contributor

Re: How to stop broadcast ping in a vlan

Hi

Starting from the End user PCs, you can disable ping using Firewall software (Windows Firewall).

If you have an intelligent switch (5400, 3500, 5300 ...) you can use an access control list (ACL) to stop the echo reply.

http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-10-ACLs.pdf

Good Luck !!!
Science for Everyone
Libras
Occasional Advisor

Re: How to stop broadcast ping in a vlan

Hi

Thanks, but I think we can choose a subnet as source and destination. Is it possible to choose a broadcast IP like 192.168.108.0 or 192.168.108.255 as the destination?

10 deny icmp any echo-reply log

Can someone help with the destination format for broadcast?

Libras
RicN
Valued Contributor

Re: How to stop broadcast ping in a vlan


>10 deny icmp any echo-reply log

Since the echo-replies would come from unicast addresses I assume it would be better to try to stop the icmp echo-request from being sent to the LAN broadcast address?
Libras
Occasional Advisor

Re: How to stop broadcast ping in a vlan

There is no echo-request. Only echo and echo-reply are there.

If I block echo-reply, normal unicast ping, i.e. ping to an individual IP like 192.168.108.22, is also getting blocked. My requirement is that individual ping has to work. Only ping to the broadcast IP has to get blocked, like ping 192.168.108.0 -b or ping 192.168.108.255 -b.

Thanks
Libras


RicN
Valued Contributor

Re: How to stop broadcast ping in a vlan


>There is no echo-request. only echo
>and echo-reply is there.

There is no "echo". : )

Technically the thing you are describing is called "echo request" (ICMP type 8, code 0), used for example by the ping utility.

However, it might be called just "echo" in the ProCurve CLI, I do not remember.

>My requirement is individual ping has to
>work . Only ping to broadcast I.P has to
>get blocked.

Then you must block the echo request (i.e. "echo") from leaving the switch if the destination is a broadcast address.

I do not have the correct syntax at the moment, but perhaps something like:

deny icmp any 192.168.108.255 echo
Libras
Occasional Advisor

Re: How to stop broadcast ping in a vlan

Hi

Thanks for the continuous help. I tried

10 deny icmp any 192.168.109.255 0.0.0.0 echo

but the problem is that both the broadcast ping and the direct ping are getting blocked. It is not blocking only the broadcast; it totally stops ping.

Libras
Libras
Occasional Advisor

Re: How to stop broadcast ping in a vlan

Hi All

The one which worked (but in another way):

10 deny icmp 0.0.0.0 255.255.255.255 192.168.108.255 0.0.0.0 8
20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

My requirement is to make the hosts not respond to 192.168.108.255. But this ACL achieves this in another way, i.e. it will not allow the host to send to 192.168.108.255. So I cannot run the command ping 192.168.108.255 -b on any of the machines where this ACL is applied, because this ACL blocks outward traffic to .255.

Though it is not the required way, this can also be used.

Thanks

Libras
Libras
Occasional Advisor

Re: How to stop broadcast ping in a vlan

But will this broadcast blocking within a VLAN cause any problem for a DHCP environment, or any ARP problem for the switch?

Libras
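
The ACL entries discussed in this thread, run through a small Python model of first-match evaluation with wildcard masks (an added example, not part of any post and not ProCurve code). It assumes the ACL ends in an implicit deny and that the single-entry attempt had no permit entry; the packets and the host addresses are constructed, and ARP is not an IPv4 packet so it is outside this model.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

ANY = ("0.0.0.0", "255.255.255.255")

def wild_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; bits set to 0 must match.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, src, dst, icmp_type in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wild_match(pkt["src"], *src) or not wild_match(pkt["dst"], *dst):
            continue
        if icmp_type is not None and icmp_type != pkt.get("icmp_type"):
            continue
        return action
    return "deny"

# Entries modeled on the thread: (action, protocol, source, destination, ICMP type).
DENY_BCAST_ECHO = ("deny", "icmp", ANY, ("192.168.108.255", "0.0.0.0"), 8)
PERMIT_ALL = ("permit", "ip", ANY, ANY, None)

ACL_WORKING = [DENY_BCAST_ECHO, PERMIT_ALL]              # entries 10 and 20
ACL_DENY_ONLY = [DENY_BCAST_ECHO]                        # one deny, no permit (assumed)
ACL_REPLY = [("deny", "icmp", ANY, ANY, 0), PERMIT_ALL]  # block echo-reply (type 0)

# Constructed sample packets.
PACKETS = {
    "broadcast ping": dict(proto="icmp", src="192.168.108.10", dst="192.168.108.255", icmp_type=8),
    "unicast ping": dict(proto="icmp", src="192.168.108.10", dst="192.168.108.22", icmp_type=8),
    "unicast reply": dict(proto="icmp", src="192.168.108.22", dst="192.168.108.10", icmp_type=0),
    "dhcp discover": dict(proto="udp", src="0.0.0.0", dst="255.255.255.255"),
}

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in [("10+20", ACL_WORKING), ("deny only", ACL_DENY_ONLY), ("echo-reply", ACL_REPLY)]:
        print(label, verdicts(acl))
```

In this model, a lone deny entry drops every packet through the implicit deny, which is consistent with the "totally stops ping" result, while the echo-reply entry lets the broadcast request through and drops the unicast replies.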