LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What does a Cisco IOS access-list look like for filtering ICMP traffic, and what does each line do?

Cisco IOS access-lists are the canonical example of packet-filter syntax — sequential lines of permit or deny, evaluated top-down. The example filters ICMP, allowing only specific message types.

The example ACL:

Router#sh run | i access-list 150
access-list 150 remark ICMP ACL
access-list 150 remark Block fragmented ICMP packets
access-list 150 deny   icmp any any fragments
access-list 150 remark Permit troubleshooting ICMP types
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any packet-too-big
access-list 150 remark Deny any other ICMP messages
access-list 150 deny   icmp any any
access-list 150 remark Allow Other Traffic
access-list 150 permit ip any any

Reading the rules (top-down):

Line Effect
deny icmp any any fragments Drop fragmented ICMP (used in attacks like Ping of Death)
permit icmp any any echo Allow ping requests
permit icmp any any echo-reply Allow ping replies
permit icmp any any time-exceeded Allow traceroute to work
permit icmp any any packet-too-big Allow PMTU discovery to work
deny icmp any any Block all other ICMP types (e.g., redirect, source quench)
permit ip any any Allow all non-ICMP IP traffic

Why this pattern is the canonical example:

It demonstrates three universal firewall principles:

  1. Deny dangerous specific cases first (fragments)
  2. Permit specific allowed cases (the 4 ICMP types)
  3. Catch-all deny for everything in this category
  4. Pass-through for traffic not in this category

Why ICMP filtering needs care:

Total ICMP blocking breaks PMTU discovery (packets get fragmented but no packet-too-big reaches the sender → silent connection failure). The specific ICMP permits are the minimum viable ICMP for a working internet connection.

The Cisco syntax to know:

access-list <number> {permit|deny} <protocol> <src> <dst> [match-criteria]

ACL numbers determine type:

  • 1–99: standard (source IP only)
  • 100–199: extended (source + dest + protocol + ports)
  • 200+: named ACLs

Tip: This is the exact ACL pattern you'll see in CCNA Security and is asked on most network certification exams. The "block fragmented ICMP" rule especially — it's a small detail but cited often.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026