I have to disagree with you on this:) I don't think that ICMP type and code are the same.
For instance, Type 3 code 0 means Net Unreachable, so if you match only by code you will drop/pass more than ICMP echo/reply. Take a look here:
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml#icmp-parameters-types

On Wed, Jun 20, 2012 at 3:27 PM, Fawad Khan <[email protected]> wrote:

> ICMP code/type 0 means echo request and ICMP code/type 8 means echo reply.
> Type/code 3 means ICMP unreachable.
>
> Code and type mean the same thing, memorizing or knowing where to find
> the ICMP code types or any port number is very important. I sent a link
> a couple of months back which is inside ASA config guide which serial all the
> port numbers, protocols numbers.
>
> On Wednesday, June 20, 2012, Imre Oszkar wrote:
>
>> Hi Mike,
>>
>> Why did you choose to look for code 0? Code 0 means a different thing for
>> each ICMP type.
>> I think for echo messages you should look for ICMP type 8.
>> Now the interesting part is that if you try to match ICMP type 8 instead
>> of code 8 your solution won't work.
>>
>>
>> Oszkar
>>
>>
>>>
>>> Annnnnnnd Bingo,
>>>
>>> I was right, since it is encapsulated and not Encrypted, we can match
>>> whatever it is inside on the GRE packet... we are matching, not crafting....
>>>
>>> Here is the example of dropping ICMP echo messages encapsulated on GRE...
>>>
>>> Class Map type access-control match-all ICMP (id 2)
>>>    Match field ICMP code eq 0 mask 0x1
>>>
>>> Class Map type stack match-all STACK-GRE (id 1)
>>>    Match field IP protocol eq 0x2F next ICMP
>>>
>>>
>>> Policy Map type access-control STACK-GRE
>>>    Class STACK-GRE
>>>      service-policy ICMP-DROP-GRE
>>>
>>> Policy Map type access-control ICMP-DROP-GRE
>>>    Class ICMP
>>>      drop
>>>
>>>
>>> Router1#sh policy-map type access-control interface fa 0/1
>>>  FastEthernet0/1
>>>
>>>   Service-policy access-control input: STACK-GRE
>>>
>>>     Class-map: STACK-GRE (match-all)
>>>       5 packets, 690 bytes
>>>       5 minute offered rate 0 bps
>>>       Match: field IP protocol eq 0x2F next ICMP
>>>
>>>       Service-policy access-control : ICMP-DROP-GRE
>>>
>>>         Class-map: ICMP (match-all)
>>>           5 packets, 690 bytes
>>>           5 minute offered rate 0 bps
>>>           Match: field ICMP code eq 0 mask 0x1
>>>       drop
>>>
>>>         Class-map: class-default (match-any)
>>>           0 packets, 0 bytes
>>>           5 minute offered rate 0 bps, drop rate 0 bps
>>>           Match: any
>>>
>>>     Class-map: class-default (match-any)
>>>       2 packets, 1236 bytes
>>>       5 minute offered rate 0 bps, drop rate 0 bps
>>>       Match: any
>>>
>
> --
> FNK
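The type-versus-code question raised in this thread, as an added example that is not part of the original messages: constructed GRE-encapsulated ICMP packets are parsed and two match predicates are compared, "code eq 0" and "type eq 8". The addresses, helper names and sample set are assumptions, and the `mask` operand of the class-map is not modelled.

```python
import struct

def ipv4(proto, payload):
    # Constructed minimal IPv4 header (checksum left 0; not validated here).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def gre_icmp(icmp_type, icmp_code):
    # Constructed test packet: IP(proto 47) / GRE / IP(proto 1) / ICMP.
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    gre = struct.pack("!HH", 0x0000, 0x0800)  # no optional fields, payload IPv4
    return ipv4(47, gre + ipv4(1, icmp))

def inner_icmp(pkt):
    """Return (type, code) of ICMP carried inside GRE, or None otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 47:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        return None
    flags, ptype = struct.unpack_from("!HH", pkt, ihl)
    if ptype != 0x0800:
        return None
    # Checksum (C), Key (K) and Sequence (S) bits each add 4 bytes of GRE header.
    off = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = pkt[off:]
    if len(inner) < 20 or inner[0] >> 4 != 4 or inner[9] != 1:
        return None
    iihl = (inner[0] & 0x0F) * 4
    if len(inner) < iihl + 2:
        return None
    return inner[iihl], inner[iihl + 1]  # type is byte 0, code is byte 1

SAMPLES = {  # constructed (type, code) pairs, named per the IANA registry
    "echo request": (8, 0), "echo reply": (0, 0),
    "net unreachable": (3, 0), "host unreachable": (3, 1),
    "time exceeded": (11, 0),
}

def dropped_by(rule):
    """Names of the sample packets that a predicate on (type, code) would drop."""
    parsed = {n: inner_icmp(gre_icmp(t, c)) for n, (t, c) in SAMPLES.items()}
    return [n for n, tc in parsed.items() if tc is not None and rule(*tc)]

if __name__ == "__main__":
    print("code eq 0:", dropped_by(lambda t, c: c == 0))
    print("type eq 8:", dropped_by(lambda t, c: t == 8))
```

A predicate on code 0 alone also catches Net Unreachable and Time Exceeded, which path MTU discovery and traceroute-style diagnostics depend on, while a predicate on type 8 isolates echo requests.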
