Filtering ICMP traffic
This option allows configuring an ACE to selectively permit some types of ICMP traffic, while denying other types. An ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet, while not addressing other ICMP traffic types in the same ACE. As a further option, the ACE can include the name of an ICMP packet type.
Syntax:
<deny|permit> icmp
<SA>
<DA> [icmp-type [icmp-code]]
<deny|permit> icmp
<SA>
<DA> [icmp-type-name]
Using
icmp
as the packet protocol type, you can optionally specify an individual ICMP packet type or packet type/code pair to further define the criteria for a match. This option, if used, is entered immediately after the destination IP address (DA) entry.
Two ACEs entered in an ACL context
#permit icmp any any 1 3 #permit icmp any any destination-unreachable
[icmp-type [icmp-code]]
: This option identifies an individual ICMP packet type as criteria for permitting or denying that type of ICMP traffic in an ACE.
icmp-type
This value is in the range of 0 to 255 and corresponds to an ICMP packet type.
icmp-code
This value corresponds to an ICMP code for an ICMP packet type. It is optional and needed only when a particular ICMP subtype is needed as a filtering criterion. Range: 0–255
For example, the following ACE specifies "destination unreachable" (ICMP type 1) where "address unreachable" (3; a subtype of "destination unreachable") is the specific code.
#permit icmp any any 1 3
For more information on ICMP types and codes, visit the Internet Assigned Numbers Authority (IANA) website at www.iana.org, and refer to “Internet Control Message Protocol version 6 (ICMPv6) Type Numbers”.
[icmp-type-name]
[icmp-type [icmp-code]]
methodology described above. For more information, visit the IANA website, also cited above.
- cert-path-advertise
- cert-path-solicit
- destination-unreachable
- echo-reply
- echo-request
- home-agent-reply
- home-agent-request
- cert-path-advertise
- inv-nd-na
- inv-nd-ns
- mcast-router-advertise
- mcast-router-solicit
- mcast-router-terminate
- mld-done
- mld-query
- mld-report
- mobile-advertise
- mobile-solicit
- nd-na
- nd-ns
- node-info
- node-query
- packet-too-big
- parameter-problem
- redirect
- router-advertisement
- router-renum
- router-solicitation
- time-exceeded
- ver2-mld-report