Users Guide
deny icmp
To drop all or specic internet control message protocol (ICMP) messages, congure a lter.
Syntax
deny icmp {source mask | any | host ip-address} {destination mask | any | host
ip-address} [type] [dscp] [count [byte] [order] [fragments] [monitor [session-
ID]] [no-drop]
To remove this lter, you have two choices:
• Use the no seq sequence-number command if you know the lter’s sequence number.
•
Use the no deny icmp {source mask | any | host ip-address} {destination mask |
any | host ip-address} command.
Parameters
source Enter the IP address of the network or host from which the packets were sent.
mask Enter a network mask in /prex format (/x) or A.B.C.D. The mask, when specied in
A.B.C.D format, may be either contiguous or non-contiguous.
any Enter the keyword any to specify that all routes are subject to the lter.
host ip-address Enter the keyword host then the IP address to specify a host IP address.
destination Enter the IP address of the network or host to which the packets are sent.
type Enter the ICMP packet type. The following types are available:
For IPv4:
echo count
echo-reply count
host-unreachable count
host-unknown count
network-unknown count
net-unreachable count
packet-too-big count
parameter-problem count
port-unreachable count
source-quench count
time-exceeded count
For IPv6:
echo count
echo-reply count
nd-ns count
nd-na count
packet-too-big count
parameter-problem count
time-exceeded count
port-unreachable count
The ICMP packets cannot be ltered using mirroring ACL.
dscp
Enter this keyword dscp to deny a packet based on the DSCP value. The range is from 0
to 63.
count (OPTIONAL) Enter the keyword count to count packets processed by the lter.
Access Control Lists (ACL) 201