KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch

261

262

263

264

265

266

267

268

269

270

For more on using TCP control bits, see RFC 793.

Controlling ICMP traffic in extended ACLs

Where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply

permitting or denying all types of ICMP traffic use this option. An ACE designed to permit or deny

ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual

type of ICMP packet while not addressing other ICMP traffic types in the same ACE. As an optional

alternative, the ACE can include the name of an ICMP packet type.

Syntax:

< deny | permit > icmp < SA > < DA > [icmp-type [

icmp-code]]

< deny | permit > tcp icmp < SA > < DA > [ icmp-type-name]

In an extended ACL using icmp as the packet protocol type (see above), you can

optionally specify an individual ICMP packet type or packet type/code pair to

further define the criteria for a match. This option, if used, is entered immediately

after the destination address (DA) entry. The following example shows two ACEs

entered in a Named ACL context:

Example

#permit icmp any any host-unknown

#permit icmp any any 3 7

Syntax option

[icmp-type [ icmp-code]]

This option identifies an individual ICMP packet type as criteria for permitting or

denying that type of ICMP traffic in an ACE.

• icmp–type - This value is in the range of 0 - 255 and corresponds to an

ICMP packet type.

• icmp–code - This value is in the range of 0 - 255 and corresponds to an

ICMP code for an ICMP packet type.

[icmp–type–name]

For more information on ICMP type names, visit the Internet Assigned Numbers

Authority (IANA) website at www.iana.com. click on "Protocol Number

Assignment Services", and then go to the selections under "Internet Control Message

Protocol (ICMP) Parameters".

Syntax option

[icmp-type [ icmp-code]]

These name options are an alternative to the methodology described above. For

more information, visit the IANA website cited above.

• administratively-prohibitednet-tos-unreachable

• alternate-addressnet-unreachable

• conversion-errornetwork-unknown

• dod-host-prohibitedno-room-for-option

• dod-net-prohibitedoption-missing

• echopacket-too-big

• echo-replyparameter-problem

Configuring 269