Options for ICMP traffic in extended ACLs

This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE. As an optional alternative, the ACE can include the name of an ICMP packet type.

Syntax:

<deny|permit> icmp <SA> <DA> [icmp-type [icmp-code]

<deny|permit> icmp <SA> <DA> [icmp-type-name][]|]

In an extended ACL using icmp as the packet protocol type (see above), you can optionally specify an individual ICMP packet type or packet type/code pair to further define the criteria for a match. This option, if used, is entered immediately after the destination address (DA) entry. The following example shows two ACEs entered in a Named ACL context:

#permit icmp any any host-unknown
#permit icmp any any 3 7

[icmp-type [icmp-code]

This option identifies an individual ICMP packet type as criteria for permitting or denying that type of ICMP traffic in an ACE.

  • icmp-type — This value is in the range of 0 - 255 and corresponds to an ICMP packet type.

  • icmp-code— This value is in the range of 0 - 255 and corresponds to an ICMP code for an ICMP packet type.For more information on ICMP type names, visit the Internet Assigned Numbers Authority (IANA) website at http://www.iana.com, click “Protocol Number Assignment Services”, and then go to the selections under “Internet Control Message Protocol (ICMP) Parameters”.


[icmp-type-name]

These name options are an alternative to the [icmp-type [icmp-code]] methodology described above. For more information, visit the IANA website cited above.

  • administratively-prohibited

  • alternate-address

  • conversion-error

  • dod-host-prohibited

  • dod-net-prohibited

  • echo

  • echo-reply

  • general-parameter-problem

  • host-isolated

  • host-precedence-unreachable

  • host-redirect

  • host-tos-redirect

  • host-tos-unreachable

  • host-unknown

  • host-unreachable

  • information-reply

  • information-request

  • mask-reply

  • mask-request

  • mobile-redirect

  • net-redirect

  • net-tos-redirect

  • net-tos-unreachable

  • net-unreachable

  • network-unknown

  • no-room-for-option

  • option-missing

  • packet-too-big

  • parameter-problem

  • port-unreachable

  • precedence-unreachable

  • protocol-unreachable

  • reassembly-timeout

  • redirect

  • router-advertisement

  • router-solicitation

  • source-quench

  • source-route-failed

  • time-exceeded

  • timestamp-reply

  • timestamp-request

  • traceroute

  • ttl-exceeded

  • unreachable