if-match icmp-code

Function

The if-match icmp-code command configures a filtering rule based on the code of an ICMP packet.

The undo if-match icmp-code command deletes the filtering rule based on the code of an ICMP packet.

By default, no filtering rule based on the code of an ICMP packet is configured.

Format

if-match icmp-code { greater-than | less-than | equal } icmp-code

if-match icmp-code greater-than icmp-code less-than upper-icmp-code-value

undo if-match icmp-code

undo if-match icmp-code { greater-than | less-than | equal } icmp-code

undo if-match icmp-code greater-than icmp-code less-than upper-icmp-code-value

Parameters

| Parameter | Description | Value |
|---|---|---|
| greater-than | Indicates that the code of an ICMP packet is greater than the specified one. | - |
| less-than | Indicates that the code of an ICMP packet is smaller than the specified one. | - |
| equal | Indicates that the code of an ICMP packet is equal to the specified one. | - |
| icmp-code | Specifies a code of an ICMP packet. | The value is an integer ranging from 0 to 255. |
| upper-icmp-code-value | Specifies the upper limit for the code in an ICMP packet. | The value is an integer ranging from 0 to 255. |

Views

Flow-Route IPv6 VPN instance view, Flow-Route VPN instance view, Flow-Route-IPv6 view, Flow-Route view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| flow-route | write |

Usage Guidelines

Usage Scenario

To improve network performance or security, you can run the if-match icmp-type and if-match icmp-code commands to configure a filtering rule related to an ICMP packet for a BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route to control traffic. There are two situations:

  • On a secure network, devices can receive ICMP packets. However, when network traffic load is heavy, host unreachable or port unreachable events frequently occur, and devices receive a large number of ICMP packets, increasing network burdens and degrading device performance.
  • On an insecure network, network attackers often use ICMP error packets to spy on the internal structure of the network.

Prerequisites

A static BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route has been created using the flow-route command in the system view.

Precautions

A maximum of five filtering rules based on the code in ICMP packets can be configured for a BGP Flow Specification route.

Example

# Configure a filtering rule that is based on a code range of ICMP packets for the BGP Flow Specification route Rule1.
<HUAWEI> system-view
[~HUAWEI] flow-route Rule1 vpn-instance va
[*HUAWEI-flow-route-va] if-match icmp-code greater-than 3 less-than 5

# Configure a filtering rule that is based on the ICMP packet code of 3 for the static BGP IPv6 Flow Specification route Rule1.
<HUAWEI> system-view
[~HUAWEI] flow-route Rule1 ipv6
[*HUAWEI-flow-route-ipv6] if-match icmp-code equal 3

# Configure a filtering rule that is based on the ICMP packet code of 3 for the static BGP Flow Specification route Rule1.
<HUAWEI> system-view
[~HUAWEI] flow-route Rule1
[*HUAWEI-flow-route] if-match icmp-code equal 3
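
The following is an added example, not Huawei code: a Python check that lists which ICMP codes each if-match icmp-code line selects, so that an empty or unexpectedly narrow range is visible before the rule is committed. It assumes greater-than and less-than are strict comparisons, as the parameter descriptions read; the function names are hypothetical.

```python
import re

# Grammar from the Format section; the 0-255 range and the five-rule limit
# come from the Parameters and Precautions sections of this page.
RULE_RE = re.compile(
    r"^if-match icmp-code (?:"
    r"(?P<op>greater-than|less-than|equal) (?P<val>\d+)"
    r"|greater-than (?P<lo>\d+) less-than (?P<hi>\d+))$"
)
MAX_RULES = 5

def _code(text):
    value = int(text)
    if not 0 <= value <= 255:
        raise ValueError(f"icmp-code {value} outside 0-255")
    return value

def matched_codes(line):
    """Return the sorted ICMP codes that one if-match icmp-code line selects."""
    m = RULE_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"not an if-match icmp-code rule: {line!r}")
    if m["lo"] is not None:
        lo, hi = _code(m["lo"]), _code(m["hi"])
        # Assumption: both bounds are exclusive (strictly greater / less than).
        return [c for c in range(256) if lo < c < hi]
    val = _code(m["val"])
    test = {"greater-than": lambda c: c > val,
            "less-than": lambda c: c < val,
            "equal": lambda c: c == val}[m["op"]]
    return [c for c in range(256) if test(c)]

def audit(lines):
    """Map each rule of one route to its codes; reject sets over the limit."""
    if len(lines) > MAX_RULES:
        raise ValueError(f"{len(lines)} rules exceed the limit of {MAX_RULES}")
    return {line: matched_codes(line) for line in lines}

if __name__ == "__main__":
    # Constructed input: the first two lines are the rules from the Example
    # section; the third is a made-up range that selects nothing.
    rules = ["if-match icmp-code greater-than 3 less-than 5",
             "if-match icmp-code equal 3",
             "if-match icmp-code greater-than 3 less-than 4"]
    for rule, codes in audit(rules).items():
        print(f"{rule:48} -> {codes if codes else 'matches no code'}")
```

Under the strict-comparison assumption, the range greater-than 3 less-than 5 from the first example selects only code 4.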
Copyright © Huawei Technologies Co., Ltd.