Brocade Virtual ADX Security Guide (supporting ADX v03.1.00), 53-1003250-01, page 45
Chapter 2: ACLs and ICMP
The commands in this example deny (drop) ICMP echo request packets whose IP header Total Length field is 92 or 100. You can specify an IP packet length of 1 – 65535. Refer to the section "ICMP filtering with flow-based ACLs" on page 45 for additional information on filtering packets by ICMP message type.
ICMP filtering with flow-based ACLs
Most Brocade Virtual ADX software releases that support flow-based ACLs filter traffic based on the following ICMP message types:
• echo
• echo-reply
• information-request
• mask-reply
• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• unreachable
• num (a message type number, entered together with its code number)
To create ACL policies that filter on ICMP message types, you can enter either the name of the message type or its type and code numbers.
Numbered ACLs
For example, to deny the echo message type in a numbered ACL, enter commands such as the following when configuring a numbered ACL.
Virtual ADX (config)#access-list 109 deny ICMP any any echo
or
Virtual ADX (config)#access-list 109 deny ICMP any any 8 0
The two entries are equivalent: an ICMP echo request is type 8, code 0 (RFC 792).
Syntax: [no] access-list num deny | permit icmp source-ip-address | source-ip-address/subnet-mask | any | host source-host destination-ip-address | destination-ip-address/subnet-mask | any | host destination-host icmp-type | icmp-type-number icmp-code-number
The deny | permit parameter indicates whether packets that match the policy are dropped (deny) or forwarded (permit).
For icmp-type, you can enter either the name of the message type or the type number and code number of the message type. Refer to page 46 for valid values.
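The following is an added example, not code from the Brocade guide or the Virtual ADX software: a small Python model of the numbered ICMP ACL syntax above (message-type names and the type/code form, `any`/`host`/address-with-mask endpoints) evaluated first-match against constructed packets. It serves both the message-type list and the numbered-ACL syntax. Everything the guide does not state is an assumption and is labelled as such in the code: the RFC 792 type numbers behind the names (the guide confirms only echo = 8 0), that a name-form entry matches every code of its type while the number form requires both to match, that a bare address is a single host, and that an unmatched packet falls through to an implicit deny. The sample ACL shows why the type/code form matters in practice: it permits type 3 code 4 (fragmentation needed, which Path MTU Discovery depends on) before the name form denies the rest of type 3.

```python
"""Added example (not Brocade code): parse numbered ICMP ACL entries written
in the form shown in the guide and evaluate them first-match against packets.

Assumptions, labelled here because the guide does not state them:
  - ICMP type numbers for the names are the RFC 792 values (the guide
    itself confirms only echo = 8 0).
  - A name-form entry (e.g. "unreachable") matches every code of that type;
    the number form requires both type and code to match.
  - A bare address without a mask is treated as a single host (/32).
  - Entries are evaluated in order, first match wins, and a packet that
    matches no entry gets `default` (implicit deny, as in most ACLs).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 792 type numbers for the message-type names listed in the guide.
ICMP_TYPES = {
    "echo": 8, "echo-reply": 0, "information-request": 15,
    "mask-reply": 18, "mask-request": 17, "parameter-problem": 12,
    "redirect": 5, "source-quench": 4, "time-exceeded": 11,
    "timestamp-reply": 14, "timestamp-request": 13, "unreachable": 3,
}


@dataclass(frozen=True)
class IcmpEntry:
    acl: int
    action: str                      # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: int
    icmp_code: Optional[int]         # None: any code (name form)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A/mask' | 'A' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if "/" in tok:                   # prefix length or dotted mask, e.g. 10.0.0.0/24
        return ipaddress.ip_network(tok, strict=False), i + 1
    return ipaddress.ip_network(tok + "/32"), i + 1   # assumption: bare address = host


def parse_entry(line: str) -> IcmpEntry:
    """Parse one 'access-list NUM deny|permit icmp SRC DST TYPE [CODE]' line."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] not in ("deny", "permit") \
            or t[3].lower() != "icmp":
        raise ValueError(f"not an ICMP access-list entry: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    rest = t[i:]
    if len(rest) == 1 and rest[0] in ICMP_TYPES:             # name form
        itype, code = ICMP_TYPES[rest[0]], None
    elif len(rest) == 2 and all(x.isdigit() for x in rest):  # type/code form
        itype, code = int(rest[0]), int(rest[1])
    else:
        raise ValueError(f"bad ICMP type specification in {line!r}")
    if itype > 255 or (code is not None and code > 255):     # 8-bit fields
        raise ValueError(f"ICMP type/code out of range in {line!r}")
    return IcmpEntry(int(t[1]), t[2], src, dst, itype, code)


def evaluate(entries: List[IcmpEntry], src_ip: str, dst_ip: str,
             icmp_type: int, icmp_code: int, default: str = "deny") -> str:
    """Return the action of the first entry matching the packet, else `default`."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if (s in e.src and d in e.dst and e.icmp_type == icmp_type
                and (e.icmp_code is None or e.icmp_code == icmp_code)):
            return e.action
    return default


# Constructed sample ACL 109: the type/code form lets one code be permitted
# before the name form denies the rest of that type.
SAMPLE_ACL = [
    "access-list 109 deny ICMP any any echo",
    "access-list 109 permit ICMP any any 3 4",      # fragmentation-needed (PMTUD)
    "access-list 109 deny ICMP any any unreachable",
    "access-list 109 permit ICMP 10.0.0.0/24 host 192.0.2.10 echo-reply",
]


def demo() -> List[str]:
    """Evaluate constructed packets against SAMPLE_ACL; returns the actions in order."""
    entries = [parse_entry(l) for l in SAMPLE_ACL]
    packets = [
        ("198.51.100.5", "192.0.2.10", 8, 0),   # echo request -> deny (entry 1)
        ("198.51.100.5", "192.0.2.10", 3, 4),   # frag-needed  -> permit (entry 2)
        ("198.51.100.5", "192.0.2.10", 3, 1),   # host unreach -> deny (entry 3)
        ("10.0.0.7",     "192.0.2.10", 0, 0),   # echo reply   -> permit (entry 4)
        ("10.0.0.7",     "192.0.2.11", 0, 0),   # no match     -> implicit deny
    ]
    return [evaluate(entries, *p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Because the name form covers every code of a type, an entry such as `deny ICMP any any unreachable` also drops type 3 code 4; put the narrower `permit ... 3 4` entry before it, as the sample does, if hosts behind the ADX must keep Path MTU Discovery working.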