HPE Community
Switches, Hubs, and Modems
1822200 Members
3800 Online
109640 Solutions
New Discussion юеВ

Re: How to stop broadcast ping in a vlan

 
Libras
Occasional Advisor

тАО09-30-2008 05:28 AM

тАО09-30-2008 05:28 AM

How to stop broadcast ping in a vlan

Within a vlan ( single vlan ) is it possible to stop Broadcast ping. so that no machine in the vlan should respond for ping 192.168.109.255 -b or ping 192.168.109.0 -b

Libras
0 Kudos
9 REPLIES 9
RicN
Valued Contributor

тАО10-01-2008 01:01 AM

тАО10-01-2008 01:01 AM

Re: How to stop broadcast ping in a vlan


This might not help you, but if the ping is coming from outside the VLAN I guess disabling directed broadcasts could help.

no ip directed-broadcast

(I am not sure if this is default or not?)
0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО10-01-2008 11:36 PM

тАО10-01-2008 11:36 PM

Re: How to stop broadcast ping in a vlan

Hi

Starting from the End user PCs, you can disable ping using Firewall software (Windows Firewall).

If you have an Intelligent Switch (5400, 3500, 5300 ...) you can use an Access control list ACL to stop the echo reply.

http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-10-ACLs.pdf

Good Luck !!!
Science for Everyone
0 Kudos
Libras
Occasional Advisor

тАО10-02-2008 03:32 AM

тАО10-02-2008 03:32 AM

Re: How to stop broadcast ping in a vlan

Hi

Thanks but i think we can choose a subnet as src and destination. Is it possible to choose broadcast I.P like 192.168.108.0 or 192.168.108.255 as destination .

10 deny icmp any echo-reply log

Can somone help with destination format for broadcast.

Libras
0 Kudos
RicN
Valued Contributor

тАО10-02-2008 03:42 AM

тАО10-02-2008 03:42 AM

Re: How to stop broadcast ping in a vlan


>10 deny icmp any echo-reply log

Since the echo-replies would come from unicast addresses I assume it would be better to try to stop the icmp echo-request from being sent to the LAN broadcast address?
0 Kudos
Libras
Occasional Advisor

тАО10-02-2008 11:51 PM

тАО10-02-2008 11:51 PM

Re: How to stop broadcast ping in a vlan

There is no echo-request. only echo
and echo-reply is there.

If i block echo-reply normal unicast ping i.e Ping to a individual I.P like 192.168.108.22 is also getting blocked. My requirement is individual ping has to work . Only ping to broadcast I.P has to get blocked. like ping 192.168.108.0 - b or ping 192.168.108.255 -b

Thanks
Libras


0 Kudos
RicN
Valued Contributor

тАО10-03-2008 12:07 AM

тАО10-03-2008 12:07 AM

Re: How to stop broadcast ping in a vlan


>There is no echo-request. only echo
>and echo-reply is there.

There is no "echo". : )

Technicaly the thing you are describing is called "echo request" (icmp type 8, code 0), used for example by the ping utility.

However, it might be called just "echo" in the procurve CLI, I do not remember.

>My requirement is individual ping has to
>work . Only ping to broadcast I.P has to
>get blocked.

Then you must block the echo request (i.e. "echo") from leaving the switch if the destination is a broadcast address.

I do not have the correct syntax at the moment, but perhaps something like:

deny icmp any 192.168.108.255 echo
0 Kudos
Libras
Occasional Advisor

тАО10-03-2008 07:01 AM

тАО10-03-2008 07:01 AM

Re: How to stop broadcast ping in a vlan

Hi

Thanks for continuous help. I tried

10 deny icmp any 192.168.109.255 0.0.0.0 echo

but the problem is both the broadcast ping and direct ping is getting block. it is not blocking only the broadcast. it totally stops ping.

Libras
0 Kudos
Libras
Occasional Advisor

тАО10-05-2008 07:41 AM

тАО10-05-2008 07:41 AM

Re: How to stop broadcast ping in a vlan

Hi All

the one which worked ( but in another way )

10 deny icmp 0.0.0.0 255.255.255.255 192.168.108.255 0.0.0.0 8
20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

My requirement is to make the hosts not to respond to 192.168.108.255 . But this ACL achives this in another way i.e this will not allow the host to send 192.168.108.255 out. So i cannot not run a command ping 192.168.108.255 -b in all the machines where is ACL is applied because this ACL blocks outward traffic to .255.

Though it is not the required way this can also be used.

Thanks

Libras
0 Kudos
Libras
Occasional Advisor

тАО10-05-2008 07:43 AM

тАО10-05-2008 07:43 AM

Re: How to stop broadcast ping in a vlan

But will this Broadcast blocking within a VLAN will give any problem to DHCP environment and any ARP problem to switch.

Libras
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.