Brocade Communications Systems 12.4.00a Manual De Usuario
ServerIron ADX Security Guide
79
53-1002440-03
ACLs and ICMP
2
Syntax: show access-list <acl-num> | <acl-name> | all
To clear the flow counters for ACL 100.
ServerIronADX# clear access-list 100
Syntax: clear access-list <acl-num> | <acl-name> | all
ACLs and ICMP
This section describes how ACLs can be used to filter traffic based on ICMP packets.
Using flow-based ACLs to filter ICMP packets based on the IP packet
length
length
To configure an extended ACL that filters based on the IP packet length of ICMP packets, enter
commands such as the following.
commands such as the following.
ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 92
ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 100
ServerIronADX(config)#access-list 105 permit ip any any
The commands in this example deny (drop) ICMP echo request packets that contain a total length
of 92 or 100 in the IP header field. You can specify an IP packet length of 1 – 65535. Refer to the
section
of 92 or 100 in the IP header field. You can specify an IP packet length of 1 – 65535. Refer to the
section
“ICMP filtering with flow-based ACLs”
on page 79 for additional information on using ICMP
to filter packets.
ICMP filtering with flow-based ACLs
Most Brocade software releases that support flow-based ACLs filter traffic based on the following
ICMP message types:
ICMP message types:
•
echo
•
echo-reply
•
information-request
•
mask-reply
•
mask-request
•
parameter-problem
•
redirect
•
source-quench
•
time-exceeded
•
timestamp-reply
•
timestamp-request
•
unreachable
ServerIronADX# show access-list 100
Extended IP access list 100 (Total flows: 432, Total packets: 42000)
permit tcp 1.1.1.0 0.0.0.255 any (Flows: 80, Packets: 12900)
deny udp 1.1.1.0 0.0.0.255 any (Flows: 121, Packets: 20100)
permit ip 2.2.2.0 0.0.0.255 any (Flows: 231, Packets: 9000)