OcNOS-SP : System Management Guide : System Management Configuration Guide : Access Control Lists Configurations : ICMP ACL Configuration
ICMP ACL Configuration
 
#configure terminal
Enter configure mode.
(config)#ip access-list icmp-acl-01
Create an IP access list named icmp-acl-01.
(config-ip-acl)#10 deny icmp 1.1.1.2/24 2.2.2.2/24 dscp af11
Create an access rule with sequence number 10 to deny ICMP packets from the source subnet 1.1.1.0/24 to the destination subnet 2.2.2.0/24 that carry the DSCP value af11. Rules are evaluated in sequence order and the first match decides.
Note: The sequence number is optional.
(config-ip-acl)#20 permit icmp 1.1.1.1/24 2.2.2.2/24 precedence flash
Create an access rule with sequence number 20 to permit ICMP packets from the source subnet 1.1.1.0/24 to the destination subnet 2.2.2.0/24 that carry the IP precedence value flash.
(config-ip-acl)#exit
Exit access list mode.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#interface xe10
Enter interface mode.
(config-if)#no switchport
Configure the interface as Layer 3.
(config-if)#ip address 1.1.1.3/24
Assign an IP address.
(config-if)#ip access-group icmp-acl-01 in
Apply access group icmp-acl-01 to inbound traffic on the interface. Note that the list ends with an implicit default deny-all (visible in the validation output below), so any inbound packet on xe10 that matches neither rule is dropped, including non-ICMP traffic such as routing-protocol or management packets; add explicit permit rules for any other traffic the interface must accept before applying the group.
(config-if)#commit
Commit the candidate configuration to the running configuration.
(config-if)#end
Exit interface and configure mode.
Validation
Use the commands below to verify the match count. When inbound ICMP packets reach interface xe10 with a source address in 1.1.1.0/24 (1.1.1.X), a destination address in 2.2.2.0/24 (2.2.2.X), and DSCP value af11, the count for access rule 10 increases by the number of packets sent.
#show ip access-lists icmp-acl-01
IP access-list icmp-acl-01
10 deny icmp 1.1.1.2/24 2.2.2.2/24 dscp af11 [match=200]
20 permit icmp 1.1.1.1/24 2.2.2.2/24 precedence flash
default deny-all
When inbound ICMP packets reach interface xe10 with a source address in 1.1.1.0/24 (1.1.1.X), a destination address in 2.2.2.0/24 (2.2.2.X), and precedence value flash, the count for access rule 20 increases by the number of packets sent. ICMP packets that match neither rule, and all non-ICMP packets, are counted against the default deny-all entry and dropped.
#show ip access-lists icmp-acl-01
IP access-list icmp-acl-01
10 deny icmp 1.1.1.2/24 2.2.2.2/24 dscp af11
20 permit icmp 1.1.1.1/24 2.2.2.2/24 precedence flash [match=200]
default deny-all
Note: Use the command clear ip access-list counters to clear the statistics of all configured ACLs, or clear ip access-list <access-list name> counters to clear the statistics of a particular ACL. Clear the counters before a test so that the increase can be attributed to the packets you send.
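The following Python script is an added illustration and is not code from OcNOS or from this page. It models the documented behaviour of icmp-acl-01: rules are tried in sequence order, the first match decides, and a packet that matches no rule falls through to the implicit default deny-all shown in the validation output. It also parses the [match=N] counters from show ip access-lists output so that a snapshot taken after clearing the counters can be compared with one taken after the test. The Rule and Packet classes, the parser, the cleared-counter snapshot and the DSCP/precedence name tables are assumptions of the example; the code-point values are the standard RFC ones (af11 = DSCP 10, flash = precedence 3), and precedence is modelled as the top three bits of the DSCP field, which is why an af11 packet (precedence 1) can never hit rule 20.

```python
"""Model of the icmp-acl-01 behaviour documented on this page.

Added illustration, not OcNOS code: first-match, sequence-ordered evaluation
with an implicit 'default deny-all', plus parsing of the [match=N] counters
printed by `show ip access-lists` so two snapshots can be diffed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Standard code points (assumed): RFC 2597 af11 = 10, RFC 791 precedence names.
DSCP_NAMES = {"af11": 10, "af31": 26, "cs3": 24}
PRECEDENCE_NAMES = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                    "flash-override": 4, "critical": 5, "internet": 6, "network": 7}


@dataclass
class Rule:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "icmp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dscp: Optional[int] = None        # exact 6-bit DSCP match
    precedence: Optional[int] = None  # 3-bit precedence = top 3 bits of DSCP


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dscp: int                         # 6-bit DSCP field of the packet


def parse_rule(line: str) -> Rule:
    """Parse a rule in the page's syntax, e.g.
    '10 deny icmp 1.1.1.2/24 2.2.2.2/24 dscp af11'.
    1.1.1.2/24 denotes the subnet 1.1.1.0/24 (the '1.1.1.X' of the page)."""
    t = line.split()
    rule = Rule(int(t[0]), t[1], t[2],
                ipaddress.ip_network(t[3], strict=False),
                ipaddress.ip_network(t[4], strict=False))
    for key, val in zip(t[5::2], t[6::2]):
        if key == "dscp":
            rule.dscp = int(val) if val.isdigit() else DSCP_NAMES[val]
        elif key == "precedence":
            rule.precedence = int(val) if val.isdigit() else PRECEDENCE_NAMES[val]
    return rule


def evaluate(rules, pkt):
    """First matching rule in sequence order decides. If nothing matches, the
    implicit 'default deny-all' applies and None is returned as the sequence."""
    for r in sorted(rules, key=lambda r: r.seq):
        if r.proto != pkt.proto:
            continue
        if (ipaddress.ip_address(pkt.src) not in r.src
                or ipaddress.ip_address(pkt.dst) not in r.dst):
            continue
        if r.dscp is not None and pkt.dscp != r.dscp:
            continue
        if r.precedence is not None and (pkt.dscp >> 3) != r.precedence:
            continue
        return r.action, r.seq
    return "deny", None


COUNTER_RE = re.compile(r"^\s*(\d+)\s+(?:permit|deny)\b.*?(?:\[match=(\d+)\])?\s*$")


def parse_counters(show_output: str) -> dict:
    """Map sequence number -> match count from `show ip access-lists` output.
    A rule printed without a [match=N] suffix has not matched yet (count 0)."""
    counters = {}
    for line in show_output.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[int(m.group(1))] = int(m.group(2) or 0)
    return counters


def counter_delta(before: dict, after: dict) -> dict:
    """Per-rule increase between two snapshots (after clearing, after the test)."""
    return {seq: after.get(seq, 0) - before.get(seq, 0)
            for seq in sorted(set(before) | set(after))}


# Constructed snapshot taken right after `clear ip access-list icmp-acl-01 counters`.
SHOW_CLEARED = """IP access-list icmp-acl-01
10 deny icmp 1.1.1.2/24 2.2.2.2/24 dscp af11
20 permit icmp 1.1.1.1/24 2.2.2.2/24 precedence flash
default deny-all
"""
# Snapshot copied from the first validation output on this page.
SHOW_AFTER_TEST = """IP access-list icmp-acl-01
10 deny icmp 1.1.1.2/24 2.2.2.2/24 dscp af11 [match=200]
20 permit icmp 1.1.1.1/24 2.2.2.2/24 precedence flash
default deny-all
"""

if __name__ == "__main__":
    acl = [parse_rule("10 deny icmp 1.1.1.2/24 2.2.2.2/24 dscp af11"),
           parse_rule("20 permit icmp 1.1.1.1/24 2.2.2.2/24 precedence flash")]
    print(evaluate(acl, Packet("1.1.1.2", "2.2.2.2", "icmp", 10)))  # ('deny', 10): af11
    print(evaluate(acl, Packet("1.1.1.9", "2.2.2.9", "icmp", 24)))  # ('permit', 20): cs3 is flash
    print(evaluate(acl, Packet("1.1.1.9", "2.2.2.9", "icmp", 0)))   # ('deny', None): default deny-all
    print(evaluate(acl, Packet("1.1.1.9", "2.2.2.9", "tcp", 24)))   # ('deny', None): non-ICMP dropped
    print(counter_delta(parse_counters(SHOW_CLEARED), parse_counters(SHOW_AFTER_TEST)))
```

The fourth evaluation is the case to keep in mind when applying the group: a TCP packet with the right addresses and precedence still lands on default deny-all because neither rule names its protocol.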
Last modified date: 10/19/2023