ServerIron ADX NAT64 Configuration Guide
12.4.00
53-1002444-02
documentation@brocade.com
To configure an extended ACL that filters based on the IP packet length of ICMP packets, enter commands such as the following.

ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 92
ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 100
ServerIronADX(config)#access-list 105 permit ip any any

The commands in this example deny (drop) ICMP echo request packets that contain a total length of 92 or 100 in the IP header field. You can specify an IP packet length of 1 through 65535. Refer to the section “ICMP filtering with flow-based ACLs” for additional information on using ICMP to filter packets.

Most Foundry software releases that support flow-based ACLs filter traffic based on the following ICMP message types:
•
•
•

Also, to create ACL policies that filter ICMP message types, you can either enter the description of the message type or enter its type and code IDs. Furthermore, ICMP message type filtering is now available for rule-based ACLs on BigIron Layer 2 Switch and Layer 3 Switch images.

For example, to deny the echo message type in a numbered ACL, enter commands such as the following when configuring a numbered ACL.
Syntax: deny | permit icmp <source-ip-address> | <source-ip-address/subnet-mask> | any | host <source-host>
<destination-ip-address> | <destination-ip-address/subnet-mask> | any | host <destination-host>
<icmp-type> | <icmp-type-number> <icmp-code-number>

The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.

You can either enter the name of the message type for <icmp-type> or the type number and code number of the message type. Refer to Table 12 for valid values.

For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following.

ServerIronADX(config)# ip access-list extended melon
ServerIronADX(config-ext-nacl)# deny ICMP any any

ServerIronADX(config)# ip access-list extended melon
ServerIronADX(config-ext-nacl)# deny ICMP any any 3 13
Syntax: deny | permit icmp <source-ip-address> | <source-ip-address/subnet-mask> | any | host <source-host>
<destination-ip-address> | <destination-ip-address/subnet-mask> | any | host <destination-host>
<icmp-type> | <icmp-type-number> <icmp-code-number>

The extended parameter indicates the ACL entry is an extended ACL.

The <acl-name> | <acl-num> parameter allows you to specify an ACL name or number. If using a name, specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The <acl-num> parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 100 through 199 for extended ACLs.

The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.

You can either use <icmp-type> and enter the name of the message type, or use the <icmp-type-number> <icmp-code-number> parameters and enter the type number and code number of the message. Refer to Table 12 for valid values.

NOTE: “X” in the Type-Number or Code-Number column in Table 12 means the device filters any traffic of that ICMP message type.

NOTE: This message type indicates that a required option is missing.
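As an added illustration (not part of the guide and not ServerIron ADX code), the following Python parses entries in the numbered-ACL and named-ACL forms shown above and evaluates first-match behaviour for a given ICMP type, code and IP total length, so an operator can check what a rule set such as access-list 105 will drop before committing it. The ICMP_NAMES map is an assumption standing in for Table 12, which is not on this page, and the implicit deny at the end of the list is likewise assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Name -> (type, code). Table 12 is not on this page, so this map is an assumption
# from standard ICMP numbering; None = "any code" (the guide's "X" column).
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None),
              "unreachable": (3, None), "administratively-prohibited": (3, 13)}

ADDR = r"(?:any|host\s+\S+|\S+)"   # any | host <addr> | <addr> or <addr/mask>
RULE_RE = re.compile(
    r"^(?:access-list\s+(?P<acl>\d+)\s+)?(?P<action>deny|permit)\s+(?P<proto>icmp|ip)"
    rf"\s+{ADDR}\s+{ADDR}(?:\s+(?P<type>\d+)\s+(?P<code>\d+)|\s+(?P<name>[a-z][a-z-]*))?"
    r"(?:\s+ip-pkt-len\s+(?P<len>\d+))?\s*$", re.IGNORECASE)

@dataclass
class Rule:
    action: str               # "deny" or "permit"
    proto: str                # "icmp", or "ip" (no type/code, so it matches every packet)
    icmp_type: Optional[int]  # None = any type
    icmp_code: Optional[int]  # None = any code
    pkt_len: Optional[int]    # None = no ip-pkt-len condition

def parse_rule(line: str) -> Rule:
    # Accepts "access-list <num> ..." and the bare entries typed in config-ext-nacl mode.
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable entry: {line!r}")
    if m["acl"] and not 100 <= int(m["acl"]) <= 199:
        raise ValueError("extended ACL numbers run from 100 through 199")
    itype = icode = None
    if m["name"]:
        itype, icode = ICMP_NAMES[m["name"].lower()]   # KeyError: not a Table 12 name
    elif m["type"]:
        itype, icode = int(m["type"]), int(m["code"])
    plen = int(m["len"]) if m["len"] else None
    if plen is not None and not 1 <= plen <= 65535:
        raise ValueError("ip-pkt-len must be 1 through 65535")
    return Rule(m["action"].lower(), m["proto"].lower(), itype, icode, plen)

def evaluate(rules: List[Rule], icmp_type: int, icmp_code: int, ip_len: int) -> str:
    # First matching entry decides; with no match the (assumed) implicit deny applies.
    for r in rules:
        if (r.icmp_type in (None, icmp_type) and r.icmp_code in (None, icmp_code)
                and r.pkt_len in (None, ip_len)):
            return r.action
    return "deny"

# Constructed sample: the access-list 105 entries shown on this page.
ACL_105 = [parse_rule(s) for s in ("access-list 105 deny icmp any any echo ip-pkt-len 92",
    "access-list 105 deny icmp any any echo ip-pkt-len 100", "access-list 105 permit ip any any")]
```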