CHAPTER 17 Access Policies
• IP source and destination address and mask
• ICMP type code
• Physical source port (optional)
• Numbered precedence (optional)
An access control list containing only an IP deny any rule does not
block ICMP traffic (at either Layer 2 or Layer 3). To block all traffic
at Layer 2 and Layer 3, two access lists must be created: an IP deny
any rule and an ICMP deny any rule.
Security and Access Policies
ICMP ACL Precedence
You can assign precedence values to access lists for ICMP traffic. The
precedence number is optional; access list entries that contain a
precedence number are evaluated from highest to lowest precedence.
Precedence numbers range from 1 to 25,600, with the number 1 having
the highest precedence. Assigning precedence allows the switch to
resolve conflicts between ICMP rules.
ICMP Deny Rule
If an ICMP deny rule is created with the type configured as zero, all
ICMP traffic with any other type is blocked. ICMP type zero with code
zero is treated as a wildcard and applies to all ICMP rules.
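To make the evaluation behaviour above concrete (an IP deny any rule not catching ICMP, the type 0/code 0 wildcard, and precedence numbers 1 to 25,600 tried from 1 downwards), here is an added Python model of an access list; it is constructed for this page and is not switch code. That unnumbered entries are tried after numbered ones in list order, and that traffic is permitted when nothing matches, are assumptions the page does not state.

```python
from dataclasses import dataclass
from typing import Optional
MAX_PRECEDENCE = 25600  # range given on the page: 1 (highest) to 25,600

@dataclass
class Entry:
    name: str
    proto: str                        # "ip" or "icmp"
    action: str                       # "permit" or "deny"
    icmp_type: int = 0                # type 0 with code 0 is the wildcard
    icmp_code: int = 0
    precedence: Optional[int] = None  # optional; 1 is the highest

    def matches(self, pkt: dict) -> bool:
        if self.proto == "ip":
            return pkt["proto"] != "icmp"  # an IP deny any does not catch ICMP
        if pkt["proto"] != "icmp":
            return False
        if (self.icmp_type, self.icmp_code) == (0, 0):
            return True                    # wildcard: any ICMP type/code
        return (pkt["type"], pkt["code"]) == (self.icmp_type, self.icmp_code)

def evaluate(entries, pkt, default="permit"):
    """Return (action, entry name) of the first entry that matches pkt.
    Numbered entries go first, from precedence 1 downwards; unnumbered entries
    follow in list order and `default` applies if nothing matches (assumptions)."""
    for e in entries:
        if e.precedence is not None and not 1 <= e.precedence <= MAX_PRECEDENCE:
            raise ValueError(f"{e.name}: precedence must be 1..{MAX_PRECEDENCE}")
    ordered = sorted(entries, key=lambda e: (e.precedence is None, e.precedence or 0))
    for e in ordered:
        if e.matches(pkt):
            return e.action, e.name
    return default, None

def demo():
    # Constructed packets: echo request, destination unreachable, a TCP flow.
    ping = {"proto": "icmp", "type": 8, "code": 0}
    unreach = {"proto": "icmp", "type": 3, "code": 1}
    tcp = {"proto": "tcp"}
    ip_only = [Entry("deny-ip", "ip", "deny")]
    both = ip_only + [Entry("deny-icmp", "icmp", "deny")]
    ranked = [Entry("deny-icmp", "icmp", "deny", precedence=100),
              Entry("allow-echo", "icmp", "permit", 8, 0, precedence=10)]
    return {"ip_only_ping": evaluate(ip_only, ping)[0],      # permit: ICMP slips past
            "both_ping": evaluate(both, ping)[0],            # deny
            "both_tcp": evaluate(both, tcp)[0],              # deny
            "ranked_ping": evaluate(ranked, ping)[0],        # permit: 10 beats 100
            "ranked_unreach": evaluate(ranked, unreach)[0]}  # deny
```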
Verifying Access List Configurations
To verify access list settings, view the access list configuration,
which shows real-time statistics of how access list entries are
matched when traffic is processed. To view the access list
configuration and statistics screen, use this command:
show access-list {name | port <port>}
To refresh the access list statistics display, use this command:
show access-list-monitor
Access List Commands
Table 17.1 describes the commands used to configure IP access
lists. For further command options, press the Tab key in the
command line interface.