ME3800 - ACL to match ICMP

Hello,

We have some ME3800MX router/switches running ME380x-UNIVERSALK9-M, Version 12.2(52)EY2. The Cisco website says:

The switch does not support these Cisco IOS router ACL-related features:

Non-IP protocol ACLs (see Table 26-1) or bridge-group ACLs

Any ideas how we would match ICMP traffic then?

thanks

Nicholas

4 Replies

Jon Marshall
Hall of Fame

Nicholas

When you permit IP that also includes ICMP. However, if you want to actually match on specific ICMP types/codes then you can as well, i.e. from the same doc you linked to -

Some protocols also have specific parameters and keywords that apply to that protocol. These IP protocols are supported (protocol keywords are in parentheses in bold):

Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp), Encapsulation Security Payload (esp), generic routing encapsulation (gre), Internet Control Message Protocol (icmp), Internet Group Management Protocol (igmp), any Interior Protocol (ip), IP in IP tunneling (ipinip), KA9Q NOS-compatible IP over IP tunneling (nos), Open Shortest Path First routing (ospf), Payload Compression Protocol (pcp), Protocol Independent Multicast (pim), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).


Note ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.


So with an extended ACL you can match any ICMP type/code except for an echo-reply, as per the note above.

** Edit - I should have clarified. ICMP is a part of the IP protocol. When the doc says non-IP protocols are not supported it is referring to things like IPX, AppleTalk etc.

Jon

Hello - basically I'm trying to apply a QoS class which matches an extended access-list to set the mpls exp value - I have a bunch of management protocols I want to assure bandwidth to; it's a bit of a service provider scenario. So our access-list entry would look like:

access-list extended 100 permit icmp any any

But it doesn't work. Definitely access-list 100 permit ip any any will set the correct exp value, however it also marks everything, so it defeats the point..

ISIS is another problem for us - we can't apply a service policy with protocol 124 (I think it is) in an access-list; it rejects it as a layer 4 protocol. I think the idea of applying QoS to management protocols must be common enough that I must be doing something obviously wrong!!

++edit - can't seem to filter the ICMP, any idea of the syntax...?

many thanks

Nicholas

Nicholas

The syntax would be -

access-list 101 permit icmp any any echo-request 

for example.

Are these protocols that you are trying to mark being generated by the router itself as opposed to traffic passing through the router ?

Jon
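The syntax Jon gives above, placed into the class-map / policy-map structure Nicholas describes, as an added example that is not part of the original thread. The ACL, class-map and policy-map names, the interface and the EXP value 6 are made up for the example; the thread does not confirm which ICMP type keywords or which form of the set mpls experimental command this particular ME3800 release accepts, so verify each line on the box. Echo-reply is left out because the doc note quoted above says it cannot be filtered.

```ios
! Added example (not from the thread). Names, interface and EXP value are assumptions.
!
! Matching "ip any any" here would mark every packet, ICMP included; matching
! "icmp" narrows the class to ICMP only, and the type keyword narrows it further.
ip access-list extended MGMT-ICMP
 permit icmp any any echo-request
 permit icmp any any time-exceeded
 permit icmp any any unreachable
!
class-map match-any MGMT-ICMP
 match access-group name MGMT-ICMP
!
! Set the MPLS EXP value for the ICMP class; everything else falls through
! to class-default untouched (EXP value 6 is an assumption).
policy-map MARK-MGMT
 class MGMT-ICMP
  set mpls experimental imposition 6
 class class-default
!
! Interface name is an assumption; apply in the direction the traffic leaves.
interface GigabitEthernet0/1
 service-policy output MARK-MGMT
```

To check whether the class is actually catching anything, compare the ACE hit counters from show access-lists MGMT-ICMP with the per-class packet counters from show policy-map interface GigabitEthernet0/1 while pinging through or from the box; counters that stay at zero on the ICMP class while class-default climbs point at the match rather than at the marking action.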

Both - the router generates BGP/ISIS/ICMP that we want to ensure bandwidth outbound for, and we have stuff passing through; however it is mostly MPLS and can be ignored. And this works fine (except ISIS): BGP gets its correct exp value. It's just the ICMP... nothing.

If I set the exp value in the policy-map class-default it marks it up, so it's definitely an access-list thing. Will give the above a good shot later, I'm surely doing something obviously wrong!

Any ideas on how to apply the same QoS to ISIS? It rejects with a layer 4 error.

Many thanks

Nicholas
