Infrastructure Access-List

Hello Jurrian

Yes indeed, there are many options to choose from when creating an ACL used to filter ICMP traffic. Most of these options correspond to the various ICMP Type and Code fields found within the ICMP header. These are two 8-bit fields that are used to specify the nature of the control message. Specifically, the kind of message is identified by the value of the Type field, and the Code field gives additional context information for the message.

For example, take a look at this partial list of options for an ICMP ACL:

R-1(config-ext-nacl)#permit icmp any any ?
  <0-255>                      ICMP message type
  administratively-prohibited  Administratively prohibited
  alternate-address            Alternate address
  conversion-error             Datagram conversion
  dod-host-prohibited          Host prohibited
  dod-net-prohibited           Net prohibited
  dscp                         Match packets with given dscp value
  echo                         Echo (ping)
  echo-reply                   Echo reply
  fragments                    Check non-initial fragments
  general-parameter-problem    Parameter problem
  host-isolated                Host isolated
  host-precedence-unreachable  Host unreachable for precedence
  host-redirect                Host redirect

The administratively-prohibited keyword corresponds with an ICMP control message with Type 3, Code 9. Similarly, the host-isolated keyword corresponds with Type 3, Code 8.

To see all of the types and codes available, take a look at this IANA ICMP parameters list:

https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

Keep in mind that some type and code combinations have been deprecated.

Remember that ICMP is much more than simply a ping or a traceroute. It is a control protocol that supports the IP suite. It is used to send error messages and operational information that enables and supplements IP connectivity. If you choose to filter some types of ICMP messages using ACLs, you must first fully understand their purpose before attempting to apply any such filtering.

I hope this has been helpful!

Laz
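
The Type and Code fields described in the reply above can be read straight from the first two bytes of an ICMP message. The following is an added example, not part of the original post: the function names are hypothetical, the lookup tables are a small subset of the IANA registry, and the sample messages are constructed in the code.

```python
import struct

# Subset of the IANA ICMP parameters registry (type -> name), not the full list.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem"}
# Subset of the IANA codes for Type 3 (Destination Unreachable).
UNREACH_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 3: "Port Unreachable",
    4: "Fragmentation Needed and Don't Fragment was Set",
    8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, inet_checksum(body)) + rest

def describe_icmp(message: bytes) -> dict:
    """Decode the 8-bit Type and Code fields and verify the checksum."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", message[:4])
    name = ICMP_TYPES.get(icmp_type, "unlisted type")
    detail = UNREACH_CODES.get(code, "unlisted code") if icmp_type == 3 else ""
    return {"type": icmp_type, "code": code, "name": name, "detail": detail,
            # A checksum over the whole valid message, checksum included, is 0.
            "checksum_ok": inet_checksum(message) == 0,
            # Numeric match as accepted by the "<0-255> ICMP message type" option.
            "acl_match": f"icmp any any {icmp_type} {code}"}

if __name__ == "__main__":
    for t, c in [(8, 0), (3, 8), (3, 9), (3, 4)]:  # constructed samples
        print(describe_icmp(build_icmp(t, c)))
```

The `acl_match` string carries no `permit` or `deny` action; that decision depends on the purpose of the message, as the reply points out.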