First you have to create an access list:
router(config)#access-list 100 permit icmp any any unreachable
router(config)#access-list 100 permit icmp any any echo-reply
router(config)#access-list 100 permit icmp any any time-exceeded
router(config)#access-list 100 permit icmp any any source-quench
router(config)#access-list 100 deny icmp any any timestamp-request
router(config)#access-list 100 deny icmp any any timestamp-reply
router(config)#access-list 100 permit ip any any
Then apply it to the interface, inbound (in) or outbound (out):
router(config)#interface GigabitEthernet0/2
router(config-if)#ip access-group 100 in
Modify an access list (first display it and check the line numbers):
Display the access list:
router#sh ip access-list 100
router(config)#ip access-list extended 100
router(config-ext-nacl)#67 deny tcp any any eq telnet
router(config-ext-nacl)#do sh ip access-list 100
NOTE: The sequence is fundamental to how the rules are applied: entries are evaluated in sequence-number order and the first match decides.
Example:
csco-gw02(config-ext-nacl)#do sh ip access-list 100
Extended IP access list 100
10 permit icmp any any unreachable (2 matches)
20 permit icmp any any echo-reply
30 permit icmp any any time-exceeded
40 permit icmp any any source-quench
50 deny icmp any any timestamp-request (1 match)
60 deny icmp any any timestamp-reply
70 permit ip any any (84562 matches)
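
Why the sequence number matters, as an added example that is not part of the original notes: a simplified Python model of first-match evaluation run over ACL 100 from this page. The function names and the sample packet are constructed for illustration, and the model handles only the "any any" entries shown here.

```python
# Simplified model of IOS extended-ACL matching: entries are checked in
# sequence-number order and the first match decides. Handles only the
# "any any" forms that appear on this page.
PORTS = {"telnet": 23}  # the one port keyword used on the page

# ACL 100 as listed on the page (match counters omitted).
ACL_100 = [
    "10 permit icmp any any unreachable",
    "20 permit icmp any any echo-reply",
    "30 permit icmp any any time-exceeded",
    "40 permit icmp any any source-quench",
    "50 deny icmp any any timestamp-request",
    "60 deny icmp any any timestamp-reply",
    "70 permit ip any any",
]

def parse(line):
    tok = line.split("(")[0].split()      # drop "(N matches)" if present
    if tok[3:5] != ["any", "any"]:
        raise ValueError("model only supports 'any any': " + line)
    ace = {"seq": int(tok[0]), "action": tok[1], "proto": tok[2],
           "icmp_type": None, "dport": None}
    rest = tok[5:]
    if rest[:1] == ["eq"]:
        ace["dport"] = PORTS[rest[1]]
    elif rest:
        ace["icmp_type"] = rest[0]
    return ace

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True

def evaluate(lines, pkt):
    """Return (sequence number, action) of the first matching entry."""
    for ace in sorted(map(parse, lines), key=lambda a: a["seq"]):
        if matches(ace, pkt):
            return ace["seq"], ace["action"]
    return None, "deny"                   # implicit deny at end of every ACL

TELNET = {"proto": "tcp", "dport": 23}    # constructed sample packet
if __name__ == "__main__":
    print(evaluate(ACL_100, TELNET))
    print(evaluate(ACL_100 + ["67 deny tcp any any eq telnet"], TELNET))
    print(evaluate(ACL_100 + ["80 deny tcp any any eq telnet"], TELNET))
```

Entered at sequence 67, the telnet deny is reached before "70 permit ip any any"; entered at 80 it is never evaluated, because entry 70 already matches every IP packet.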