ip access-list icmp
Use this command to permit or deny ICMP packets based on the given source and destination IP address. DSCP, precedence, VLAN identifier, inner VLAN identifier, and fragment number can also be configured so that packets are permitted or denied based on the given values.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or a different action updates the sequence number or filter action of the existing entry.
Command Syntax
(<1-268435453>|)(deny|permit) (icmp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (administratively-prohibited|alternate-address|conversion-error|dod-host-prohibited|dod-net-prohibited|echo|echo-reply|general-parameter-problem|host-isolated|host-precedence-unreachable|host-redirect|host-tos-redirect|host-tos-unreachable|host-unknown|host-unreachable|information-reply|information-request|mask-reply|mask-request|mobile-redirect|net-redirect|net-tos-redirect|net-tos-unreachable|net-unreachable|network-unknown|no-room-for-option|option-missing|packet-too-big|parameter-problem|port-unreachable|precedence-unreachable|protocol-unreachable|reassembly-timeout|redirect|router-advertisement|router-solicitation|source-quench|source-route-failed|time-exceeded|timestamp-reply|timestamp-request|traceroute|ttl-exceeded|unreachable|(<0-255> (<0-255>|))|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|)(vlan <1-4094>|)(inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|)(deny|permit) (icmp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (administratively-prohibited|alternate-address|conversion-error|dod-host-prohibited|dod-net-prohibited|echo|echo-reply|general-parameter-problem|host-isolated|host-precedence-unreachable|host-redirect|host-tos-redirect|host-tos-unreachable|host-unknown|host-unreachable|information-reply|information-request|mask-reply|mask-request|mobile-redirect|net-redirect|net-tos-redirect|net-tos-unreachable|net-unreachable|network-unknown|no-room-for-option|option-missing|packet-too-big|parameter-problem|port-unreachable|precedence-unreachable|protocol-unreachable|reassembly-timeout|redirect|router-advertisement|router-solicitation|source-quench|source-route-failed|time-exceeded|timestamp-reply|timestamp-request|traceroute|ttl-exceeded|unreachable|(<0-255> (<0-255>|))|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|)(vlan <1-4094>|)(inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
icmp
Internet Control Message Protocol packet.
A.B.C.D/M
Source IP prefix and length.
A.B.C.D A.B.C.D
Source IP address and mask.
host A.B.C.D
A single source host IP address.
any
Match any source IP address.
A.B.C.D/M
Destination IP prefix and length.
A.B.C.D A.B.C.D
Destination IP address and mask.
host A.B.C.D
A single destination host IP address.
any
Match any destination IP address.
administratively-prohibited
Administratively prohibited.
alternate-address
Alternate address.
conversion-error
Datagram conversion.
dod-host-prohibited
Host prohibited.
dod-net-prohibited
Net prohibited.
echo
Echo (ping).
echo-reply
Echo reply.
general-parameter-problem
Parameter problem.
host-isolated
Host isolated.
host-precedence-unreachable
Host unreachable for precedence.
host-redirect
Host redirect.
host-tos-redirect
Host redirect for ToS.
host-tos-unreachable
Host unreachable for ToS.
host-unknown
Host unknown.
host-unreachable
Host unreachable.
information-reply
Information replies.
information-request
Information requests.
mask-reply
Mask replies.
mask-request
Mask requests.
mobile-redirect
Mobile host redirect.
net-redirect
Network redirect.
net-tos-redirect
Net redirect for ToS.
net-tos-unreachable
Network unreachable for ToS.
net-unreachable
Net unreachable.
network-unknown
Network unknown.
no-room-for-option
Parameter required but no room.
option-missing
Parameter required but not present.
packet-too-big
Fragmentation needed and DF set.
parameter-problem
All parameter problems.
port-unreachable
Port unreachable.
precedence-unreachable
Precedence cutoff.
protocol-unreachable
Protocol unreachable.
reassembly-timeout
Reassembly timeout.
redirect
All redirects.
router-advertisement
Router discovery advertisements.
router-solicitation
Router discovery solicitations.
source-quench
Source quenches.
source-route-failed
Source route failed.
time-exceeded
All time-exceeded messages.
timestamp-reply
Time-stamp replies.
timestamp-request
Time-stamp requests.
traceroute
Traceroute.
ttl-exceeded
TTL exceeded.
unreachable
All unreachables.
<0-255>
ICMP type.
<0-255>
ICMP code.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Enter precedence value 0-7.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
fragments
Check non-initial fragments.
vlan
Match packets with given VLAN identifier.
<1-4094>
Enter VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Enter inner-VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Name of the interface to which the packet is redirected.
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-icmp
(config-ip-acl)#200 permit icmp any any
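The following Python is an added example, not part of the OcNOS documentation or tooling: it parses ACL entries written in the syntax above and reports permit entries that name any source, any destination and no ICMP message type, which is the form the entry in the Examples takes. The function names and every sample entry except the first are constructed for illustration, and the parser does not range-check address octets or prefix lengths.

```python
import re

# ICMP message keywords as listed in the Command Syntax on this page.
ICMP_KEYWORDS = set("""administratively-prohibited alternate-address conversion-error
dod-host-prohibited dod-net-prohibited echo echo-reply general-parameter-problem host-isolated
host-precedence-unreachable host-redirect host-tos-redirect host-tos-unreachable host-unknown
host-unreachable information-reply information-request mask-reply mask-request mobile-redirect
net-redirect net-tos-redirect net-tos-unreachable net-unreachable network-unknown
no-room-for-option option-missing packet-too-big parameter-problem port-unreachable
precedence-unreachable protocol-unreachable reassembly-timeout redirect router-advertisement
router-solicitation source-quench source-route-failed time-exceeded timestamp-reply
timestamp-request traceroute ttl-exceeded unreachable""".split())

# The four address forms of the syntax: any | host A.B.C.D | A.B.C.D/M | A.B.C.D A.B.C.D
_Q = r"\d{1,3}(?:\.\d{1,3}){3}"
_ADDR = rf"(any|host {_Q}|{_Q}/\d{{1,2}}|{_Q} {_Q})"
_RULE = re.compile(rf"(?:(\d+) )?(deny|permit) icmp {_ADDR} {_ADDR}(?: (.*))?$")

def parse_rule(line):
    """Parse '[seq] (deny|permit) icmp SRC DST [message | type [code]] [options]'."""
    m = _RULE.match(" ".join(line.split()))          # collapse runs of whitespace
    if not m:
        raise ValueError("not an ICMP ACL entry: " + line)
    seq, action, src, dst, tail = m.groups()
    msg, rest = None, (tail or "").split()
    if rest and rest[0] in ICMP_KEYWORDS:
        msg, rest = rest[0], rest[1:]
    elif rest and rest[0].isdigit():                 # numeric ICMP type, optional code
        n = 2 if rest[1:2] and rest[1].isdigit() else 1
        msg, rest = tuple(map(int, rest[:n])), rest[n:]
        if max(msg) > 255:
            raise ValueError("ICMP type/code outside <0-255>: " + line)
    return {"seq": int(seq) if seq else None, "action": action, "src": src,
            "dst": dst, "message": msg, "options": rest}

def broad_permits(lines):
    """Sequence numbers of permit entries with any source, any destination, no message type."""
    return [r["seq"] for r in map(parse_rule, lines) if r["action"] == "permit"
            and r["src"] == r["dst"] == "any" and r["message"] is None]

# Constructed sample entries; only the first is taken from this page's Examples.
SAMPLE = ["200 permit icmp any any",
          "210 permit icmp 192.0.2.0/24 any echo",
          "220 deny icmp any host 198.51.100.7 redirect log",
          "230 permit icmp 10.0.0.0 0.0.0.255 any 3 4 dscp cs6"]

if __name__ == "__main__":
    print(broad_permits(SAMPLE))
```

Options such as dscp, precedence, vlan or inner-vlan are returned in `options` and are not considered by `broad_permits`, so an entry it reports may still be narrowed by one of them.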
Last modified date: 08/28/2023