Filtering ICMP traffic

This option allows configuring an ACE to selectively permit some types of ICMP traffic, while denying other types. An ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet, while not addressing other ICMP traffic types in the same ACE. As a further option, the ACE can include the name of an ICMP packet type.

Syntax:

<deny|permit> icmp <SA> <DA> [icmp-type [icmp-code]]

<deny|permit> icmp <SA> <DA> [icmp-type-name]

Using icmp as the packet protocol type, you can optionally specify an individual ICMP packet type or packet type/code pair to further define the criteria for a match. This option, if used, is entered immediately after the destination IP address (DA) entry.

Two ACEs entered in an ACL context

#permit icmp any any 1 3
#permit icmp any any destination-unreachable

[icmp-type [icmp-code]] : This option identifies an individual ICMP packet type as criteria for permitting or denying that type of ICMP traffic in an ACE.
  • icmp-type

    This value is in the range of 0 to 255 and corresponds to an ICMP packet type.

  • icmp-code

    This value corresponds to an ICMP code for an ICMP packet type. It is optional and needed only when a particular ICMP subtype is needed as a filtering criterion. Range: 0–255

For example, the following ACE specifies "destination unreachable" (ICMP type 1) where "address unreachable" (3; a subtype of "destination unreachable") is the specific code. 

#permit icmp any any 1 3

For more information on ICMP types and codes, visit the Internet Assigned Numbers Authority (IANA) website at www.iana.org, and refer to “Internet Control Message Protocol version 6 (ICMPv6) Type Numbers”.

[icmp-type-name]

These name options are an alternative to the [icmp-type [icmp-code]] methodology described above. For more information, visit the IANA website, also cited above.
  • cert-path-advertise
  • cert-path-solicit
  • destination-unreachable
  • echo-reply
  • echo-request
  • home-agent-reply
  • home-agent-request
  • cert-path-advertise
  • inv-nd-na
  • inv-nd-ns
  • mcast-router-advertise
  • mcast-router-solicit
  • mcast-router-terminate
  • mld-done
  • mld-query
  • mld-report
  • mobile-advertise
  • mobile-solicit
  • nd-na
  • nd-ns
  • node-info
  • node-query
  • packet-too-big
  • parameter-problem
  • redirect
  • router-advertisement
  • router-renum
  • router-solicitation
  • time-exceeded
  • ver2-mld-report