0

I applied inbound ACL to block ping request from host IP to host IP. The effect after that is ping reply from unblocked IP on the interface that has been applied the inbound ACL is slow/loss.

Any comment? Can it be solved by enabling flow control?

Hardware: Cisco 3700 Fastethernet

Improve this question
5
  • 3
    What is slow? How do you know that it is slow? Do you know the response times before the ACL? Have you baselined the response times? Have you enabled any logging? Post your configuration. Commented Sep 8, 2014 at 6:16
  • @DanielDib The speed of reply before and after applying the inbound ACL. Commented Sep 8, 2014 at 9:22
  • Do you have ip cef enabled on the router? You may be process switching, which would be a lot slower. Commented Sep 8, 2014 at 11:48
  • @Ron I enabled ip cache flow. Commented Sep 9, 2014 at 1:48
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. Commented Nov 20, 2022 at 0:22

1 Answer 1

Reset to default
-1

The problem is that you're using the finest-grained ACL (host-to-host with a specific protocol (icmp)) and it sounds like you're applying it to an interface that hosts a whole bunch of incoming traffic. You're asking the router to pay attention to three different fields to block or allow traffic, so if you could re-work that to two fields you'd likely see better performance.

Not necessarily as a permanent solution, but as a temporary alleviation to the issue, can you apply that ACL in reverse on the exit interface that leads to the 'victim' you're trying to protect? And by reverse I mean don't allow your victim's icmp echo-replies to make it back to the 'attacker'. It's true this won't stop a flood of icmp inbound from attacker-to-victim immediately, but often echo requests are stopped (automagically or manually) after there aren't any replies. And in this manner you'd free that previous interface from the ACL burden you placed on it.

Improve this answer
2
  • 1
    I think it is backward to allow ICMP request to go through and block ICMP reply. The traffic has been identified useless (by me). I think it is waste of bandwidth to allow that traffic to go into backbone. Commented Sep 9, 2014 at 2:04
  • I agree, but you're missing the point. It IS backward, and I went into detail that it is not only backward, but not optimal. It was only suggested as a temporary and testing move, and that intention was stated. Commented Sep 9, 2014 at 5:52

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.