570 BigIron RX Series Configuration Guide
53-1002253-01
ICMP filtering for extended ACLs
21
Named ACLs
For example, to deny the administratively-prohibited message type in a named ACL, enter
commands such as the following.
BigIron RX(config)# ip access-list extended entry
BigIron RX(config-ext-nacl)# deny ICMP any any administratively-prohibited
or
BigIron RX(config)# ip access-list extended entry
BigIron RX(config-ext-nacl)#deny ICMP any any 3 13
Syntax: [no]ip access-list extended <acl-name>
deny | permit host icmp any any [log] <icmp-type> | <type-number> <code-number>
The extended parameter indicates the ACL entry is an extended ACL.
The <acl-name> | <acl-num> parameter allows you to specify an ACL name or number. If using a
name, specify a string of up to 255 alphanumeric characters. You can use blanks in the ACL name
if you enclose the name in quotation marks (for example, “ACL for Net1”). The <acl-num>
parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a
number from 100 – 199 for extended ACLs.
The deny | permit parameter indicates whether packets that match the policy are dropped or
forwarded.
You can either use the <icmp-type> and enter the name of the message type or use the
<type-number> <code-number> parameter to enter the type number and code number of the
message. Refer to Table 103 on page 570 for valid values.
TABLE 103 ICMP message types and codes
ICMP message type Type Code
administratively-prohibited 3 13
any-icmp-type x x
destination-host-prohibited 3 10
destination-host-unknown 3 7
NOTE: destination-net-prohibited 3 9
destination-network-unknown 3 6
echo 8 0
echo-reply 0 0
general-parameter-problem
NOTE: This message type indicates that required
option is missing.
12 1
host-precedence-violation 3 14
host-redirect 5 1
host-tos-redirect 5 3
host-tos-unreachable 3 12
host-unreachable 3 1
information-request 15 0
To Next Page
Loading...
