ServerIron ADX NAT64 Configuration Guide
12.4.00
53-1002444-02
documentation@brocade.com


Access Control Lists : ACLs and ICMP

ACLs and ICMP
This section describes how ACLs can be used to filter traffic based on ICMP packets.
Using flow-based ACLs to filter ICMP packets
To configure an extended ACL that filters based on the IP packet length of ICMP packets, enter commands such as the following.
ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 92
ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 100
ServerIronADX(config)#access-list 105 permit ip any any
 
The commands in this example deny (drop) ICMP echo request packets (type 8, code 0, the message type the echo keyword selects) whose IP header Total Length field is 92 or 100. You can specify an IP packet length of 1 through 65535. Because an ACL is evaluated top-down with the first matching entry applied, and every ACL ends with an implicit deny, the final permit ip any any entry is required; without it, all traffic that does not match the two deny entries would also be dropped. Note that the length match is exact: echo requests of any other length, and echo replies of any length, pass through to the permit entry. Refer to the section “ICMP filtering with flow-based ACLs” for additional information on using ICMP message types to filter packets.
ICMP filtering with flow-based ACLs
Most Foundry software releases that support flow-based ACLs filter traffic based on the ICMP message types listed in Table 12.
To create ACL policies that filter ICMP message types, you can either enter the name of the message type or enter its type and code numbers. ICMP message type filtering is also available for rule-based ACLs on BigIron Layer 2 Switch and Layer 3 Switch images.
Numbered ACLs
For example, to deny the echo message type in a numbered ACL, enter commands such as the following.
ServerIronADX(config)# access-list 109 deny ICMP any any echo
 
or
ServerIronADX(config)# access-list 109 deny ICMP any any 8 0
 
Syntax:
[no] access-list <num>
Syntax:
deny | permit icmp <source-ip-address> | <source-ip-address/subnet-mask> | any | host <source-host>
<destination-ip-address> | <destination-ip-address/subnet-mask> | any | host <destination-host>
<icmp-type> | <icmp-type-number> <icmp-code-number>
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
You can either enter the name of the message type for <icmp-type> or the type number and code number of the message type. Refer to Table 12 for valid values.
Named ACLs
For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following.
ServerIronADX(config)# ip access-list extended melon
ServerIronADX(config-ext-nacl)# deny ICMP any any administratively-prohibited
 
or
ServerIronADX(config)# ip access-list extended melon
ServerIronADX(config-ext-nacl)# deny ICMP any any 3 13
 
Syntax:
[no] ip access-list extended <acl-num> | <acl-name>
Syntax:
deny | permit icmp <source-ip-address> | <source-ip-address/subnet-mask> | any | host <source-host>
<destination-ip-address> | <destination-ip-address/subnet-mask> | any | host <destination-host>
<icmp-type> | <icmp-type-number> <icmp-code-number>
The extended parameter indicates the ACL entry is an extended ACL.
The <acl-name> | <acl-num> parameter allows you to specify an ACL name or number. If using a name, specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The <acl-num> parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 100 through 199 for extended ACLs.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
You can either use the <icmp-type> parameter and enter the name of the message type, or use the <icmp-type-number> <icmp-code-number> parameters and enter the type number and code number of the message. Refer to Table 12 for valid values.
NOTE: “X” in the Type-Number or Code-Number column in Table 12 means the device filters any traffic of that ICMP message type, regardless of the value in that field.
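The following Python simulator is an added example written for this guide; it is not Brocade code and does not talk to a ServerIron. It models the behaviour described in this section, for both the ip-pkt-len example under “Using flow-based ACLs to filter ICMP packets” and the keyword-versus-type/code forms above: extended ACL numbers 100 through 199, ICMP matches given either as a keyword or as numeric type and code, the ip-pkt-len qualifier (1 through 65535), top-down first-match evaluation, and the implicit deny at the end of every ACL. Only the two keywords this section uses (echo = 8 0, administratively-prohibited = 3 13) are taken from the page; the unreachable keyword, the “any any” address restriction, and the sample packets are constructed assumptions made to illustrate the “X” code wildcard from the NOTE.

```python
"""Offline simulator of ServerIron ADX-style ICMP ACL matching.

Constructed example for this guide; not Brocade code. It models only what
this section describes: 'any any' addresses, ICMP keyword or numeric
type/code matches, the ip-pkt-len qualifier, top-down first-match
evaluation and the implicit deny at the end of every ACL.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword -> (type, code). 'echo' (8 0) and 'administratively-prohibited'
# (3 13) are the keywords shown on this page. 'unreachable' is an ASSUMED
# keyword added only to illustrate an "X" code in Table 12: None means any
# code of that type matches (IANA type 3 is Destination Unreachable).
ICMP_KEYWORDS = {
    "echo": (8, 0),
    "administratively-prohibited": (3, 13),
    "unreachable": (3, None),
}


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    proto: str                         # "icmp" or "ip" (ip matches any protocol)
    icmp_type: Optional[int] = None    # None: any ICMP type
    icmp_code: Optional[int] = None    # None: any code ("X" in Table 12)
    ip_pkt_len: Optional[int] = None   # None: any IP Total Length


@dataclass(frozen=True)
class Packet:
    proto: str                         # "icmp", "tcp", "udp", ...
    total_length: int                  # IP header Total Length field
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_icmp_match(tokens: List[str]) -> Tuple[Optional[int], Optional[int]]:
    """Accept either a message-type keyword or '<type> <code>' numbers."""
    if not tokens:
        return None, None                        # bare 'icmp': any type/code
    if tokens[0] in ICMP_KEYWORDS:
        return ICMP_KEYWORDS[tokens[0]]
    if len(tokens) == 2 and all(t.isdigit() for t in tokens):
        icmp_type, icmp_code = int(tokens[0]), int(tokens[1])
        if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
            raise ValueError(f"ICMP type/code out of range: {tokens}")
        return icmp_type, icmp_code
    raise ValueError(f"unrecognized ICMP match: {' '.join(tokens)}")


def parse_entry(line: str) -> AclEntry:
    """Parse 'access-list <100-199> deny|permit icmp|ip any any [match ...]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    if not 100 <= int(tok[1]) <= 199:
        raise ValueError("extended ACLs are numbered 100 through 199")
    action, proto = tok[2].lower(), tok[3].lower()
    if action not in ("permit", "deny") or proto not in ("icmp", "ip"):
        raise ValueError(f"bad action/protocol in {line!r}")
    if tok[4:6] != ["any", "any"]:
        raise ValueError("this example only models 'any any' addresses")
    rest = tok[6:]
    pkt_len = None
    if "ip-pkt-len" in rest:                     # optional length qualifier
        i = rest.index("ip-pkt-len")
        pkt_len = int(rest[i + 1])
        if not 1 <= pkt_len <= 65535:
            raise ValueError("ip-pkt-len must be 1 through 65535")
        del rest[i:i + 2]
    if proto == "icmp":
        icmp_type, icmp_code = parse_icmp_match(rest)
    elif rest:
        raise ValueError(f"unexpected tokens for ip entry: {rest}")
    else:
        icmp_type = icmp_code = None
    return AclEntry(action, proto, icmp_type, icmp_code, pkt_len)


def matches(e: AclEntry, p: Packet) -> bool:
    """An entry matches when every qualifier it specifies equals the packet's."""
    if e.proto == "icmp" and p.proto != "icmp":
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    if e.icmp_code is not None and p.icmp_code != e.icmp_code:
        return False
    if e.ip_pkt_len is not None and p.total_length != e.ip_pkt_len:
        return False
    return True


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """Top-down, first match wins; a packet matching no entry is denied."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


def load_acl(lines: List[str]) -> List[AclEntry]:
    return [parse_entry(line) for line in lines]


# The two numbered ACLs from this section (constructed input, copied from the examples).
ACL_105 = load_acl([
    "access-list 105 deny icmp any any echo ip-pkt-len 92",
    "access-list 105 deny icmp any any echo ip-pkt-len 100",
    "access-list 105 permit ip any any",
])
ACL_109 = load_acl(["access-list 109 deny ICMP any any 8 0"])   # no permit entry

if __name__ == "__main__":
    for name, acl, pkt in [
        ("105", ACL_105, Packet("icmp", 92, 8, 0)),   # echo request, length 92
        ("105", ACL_105, Packet("icmp", 84, 8, 0)),   # echo request, length 84
        ("105", ACL_105, Packet("icmp", 92, 0, 0)),   # echo reply, length 92
        ("109", ACL_109, Packet("tcp", 60)),          # TCP, implicit deny
    ]:
        print(name, pkt, "->", evaluate(acl, pkt))
```

Running the block shows the two points a practitioner cares about: ACL 105 drops only echo requests of exactly 92 or 100 bytes and forwards everything else, while ACL 109, which consists of a single deny entry with no permit, drops all traffic once applied, ICMP or not, because of the implicit deny.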
 
