Any tips to be able to ping the VE interface if we apply the ACL "in" on the VLAN?
Sure, you didn't say standard or extended, but ACLs are always processed top down, so at the beginning use a
permit icmp any host
@TerryHenry Thanks for the answer, but I already tried this and I don't know why it doesn't work. I'll open a ticket. Thanks
Is it possible in ACL? Let's say the IT dept. can ping all other devices in the other depts., but all other devices in the other depts. can't ping the IT dept.? Thanks
Sure, ACLs are one direction, so you could just create an extended ACL in to deny ICMP echo to the IT department and then permit ip any any. It will deny ping (echo) but allow ping replies (echo-reply).
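To make the "one direction" and "processed top down" points concrete, here is an added example that is not from this thread or any vendor CLI: a small Python simulation of first-match ACL evaluation for an ACL applied inbound on the user VLAN. The IT subnet, the VE gateway address, the ACL number and the sample packets are all constructed placeholders.

```python
# Added example (not from the thread): first-match, top-down ACL evaluation,
# showing why an inbound ACL that denies ICMP *echo* toward the IT subnet still
# lets IT's own pings succeed (their echo-replies are a different ICMP type).
# All addresses and the ACL number are constructed for illustration.
import ipaddress

IT_SUBNET = ipaddress.ip_network("10.10.10.0/24")   # constructed: IT department
VE_GATEWAY = ipaddress.ip_address("10.20.20.1")     # constructed: VE of the user VLAN

# Entry layout: (action, protocol, src, dst, icmp_type); None means "any".
# Order mirrors the thread's advice: permit pings to the VE first,
# then deny echo toward IT, then permit ip any any.
ACL_101_IN = [
    ("permit", "icmp", None, ipaddress.ip_network(f"{VE_GATEWAY}/32"), None),
    ("deny",   "icmp", None, IT_SUBNET, "echo"),
    ("permit", "ip",   None, None, None),
]

def _matches(entry, pkt):
    action, proto, src, dst, icmp_type = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if src is not None and ipaddress.ip_address(pkt["src"]) not in src:
        return False
    if dst is not None and ipaddress.ip_address(pkt["dst"]) not in dst:
        return False
    return icmp_type is None or pkt.get("icmp_type") == icmp_type

def evaluate(acl, pkt):
    """Top-down, first match wins; implicit deny when nothing matches."""
    for entry in acl:
        if _matches(entry, pkt):
            return entry[0]
    return "deny"

def ping_outcomes():
    """Packets as seen *inbound* on user-VLAN ports, the only direction the ACL sees."""
    user = "10.20.20.50"   # constructed user host
    it_host = "10.10.10.5"  # constructed IT host
    return {
        "user pings IT": evaluate(ACL_101_IN, {"proto": "icmp", "src": user, "dst": it_host, "icmp_type": "echo"}),
        "IT pings user (reply returns)": evaluate(ACL_101_IN, {"proto": "icmp", "src": user, "dst": it_host, "icmp_type": "echo-reply"}),
        "user pings VE gateway": evaluate(ACL_101_IN, {"proto": "icmp", "src": user, "dst": str(VE_GATEWAY), "icmp_type": "echo"}),
        "user browses internet": evaluate(ACL_101_IN, {"proto": "tcp", "src": user, "dst": "203.0.113.10", "dport": 443}),
    }

if __name__ == "__main__":
    for case, verdict in ping_outcomes().items():
        print(f"{case:32} -> {verdict}")
```

The echo from IT toward the user VLAN never crosses this inbound ACL at all, which is why only the returning echo-reply needs to be permitted.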
@TerryHenry I forgot to include the ACL in the VLAN
I tested in switch mode: the ACL is also applied on the trunk port / uplink...
Is there a way to avoid the ACL on the trunk?
(I restrict the IP range on user ports with an ACL per port. If I apply the ACL on the VLAN, I lose internet traffic.)
The ACL is going to apply to every port in the VLAN. Either just apply it to individual interfaces, or add another ACL to your uplink with a permit ip any any, which will override the VLAN ACL for priority.
@TerryHenry Thanks a lot, it's working, excellent tips!