Brocade ServerIron ADX 12.4.00a Security Guide (53-1002440-03), chapter 2, ACLs and ICMP, page 79

Syntax: show access-list <acl-num> | <acl-name> | all

To clear the flow counters for ACL 100, enter the following command.

ServerIronADX# clear access-list 100

Syntax: clear access-list <acl-num> | <acl-name> | all

ACLs and ICMP

This section describes how flow-based ACLs can filter ICMP traffic by message type and by the length of the IP packet that carries the ICMP message.

Using flow-based ACLs to filter ICMP packets based on the IP packet length

To configure an extended ACL that filters based on the IP packet length of ICMP packets, enter commands such as the following.

ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 92
ServerIronADX(config)#access-list 105 deny icmp any any echo ip-pkt-len 100
ServerIronADX(config)#access-list 105 permit ip any any

The commands in this example deny (drop) ICMP echo request packets whose IP header Total Length field is 92 or 100, and permit all other IP traffic. The value is the total length of the IP datagram, so it includes the IP header and the ICMP header as well as the ICMP payload. You can specify an IP packet length of 1 – 65535. Because the sender chooses the payload size of an echo request, a length match is a signature for a particular tool or flood rather than a general ICMP policy; combine it with the ICMP message type, as this example does, and expect to revise the values when the traffic changes. Refer to the section "ICMP filtering with flow-based ACLs" on page 79 for additional information on using ICMP message types to filter packets.

ICMP filtering with flow-based ACLs

Most Brocade software releases that support flow-based ACLs filter traffic based on the following ICMP message types:

echo
echo-reply
information-request
mask-reply
mask-request
parameter-problem
redirect
source-quench
time-exceeded
timestamp-reply
timestamp-request
unreachable
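The following is an added example, not code from the Brocade guide or the ADX firmware: a small Python model of how the ACL 105 entries above match ICMP packets, together with the message-type names from the list above mapped to their IANA type numbers. It is useful for checking which ip-pkt-len value a given echo request actually produces before the ACL is written. Two points are assumptions because the page does not spell them out: that ip-pkt-len compares against the IPv4 Total Length field (IP header plus ICMP header plus payload), which is what the guide's "total length in the IP header field" wording indicates; and that entries are evaluated in order with first match winning and an implicit deny at the end. The packets are constructed inline, and only the "any any" address form used in the guide's example is modelled.

```python
import struct
from socket import inet_aton, inet_ntoa

# ICMP message-type names the guide lists, mapped to IANA type numbers.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14,
    "information-request": 15, "mask-request": 17, "mask-reply": 18,
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(payload: bytes, icmp_type: int = 8,
               src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed test packet: IPv4 header (no options) + ICMP header + payload."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)                   # the Total Length field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(packet: bytes) -> dict:
    """Extract the fields the modelled ACL entries match on."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"proto": proto, "ip_pkt_len": total_len,
            "src": inet_ntoa(src), "dst": inet_ntoa(dst), "icmp_type": None}
    if proto == 1:
        info["icmp_type"] = packet[ihl]          # first byte of the ICMP header
    return info


def parse_acl_line(line: str) -> dict:
    """Parse the subset of the guide's syntax used in its ICMP example:
    [access-list <n>] <permit|deny> <ip|icmp> any any [<icmp-type>] [ip-pkt-len <len>]
    Address matching beyond 'any any' is deliberately not modelled (assumption)."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]                            # drop keyword and ACL number
    action, proto, src, dst = tok[:4]
    if action not in ("permit", "deny") or proto not in ("ip", "icmp") \
            or (src, dst) != ("any", "any"):
        raise ValueError("unsupported entry: " + line)
    entry = {"action": action, "proto": proto, "icmp_type": None, "ip_pkt_len": None}
    rest = tok[4:]
    while rest:
        if rest[0] == "ip-pkt-len":
            length = int(rest[1])
            if not 1 <= length <= 65535:         # range stated by the guide
                raise ValueError("ip-pkt-len out of range: %d" % length)
            entry["ip_pkt_len"], rest = length, rest[2:]
        elif proto == "icmp" and rest[0] in ICMP_TYPES:
            entry["icmp_type"], rest = ICMP_TYPES[rest[0]], rest[1:]
        else:
            raise ValueError("unsupported token: " + rest[0])
    return entry


def evaluate(acl: list, packet: bytes) -> str:
    """First matching entry decides; no match means implicit deny (assumption)."""
    pkt = parse_packet(packet)
    for e in acl:
        if e["proto"] == "icmp" and pkt["proto"] != 1:
            continue
        if e["icmp_type"] is not None and pkt["icmp_type"] != e["icmp_type"]:
            continue
        if e["ip_pkt_len"] is not None and pkt["ip_pkt_len"] != e["ip_pkt_len"]:
            continue
        return e["action"]
    return "deny"


# ACL 105 exactly as the guide configures it.
ACL_105 = [parse_acl_line(entry) for entry in (
    "access-list 105 deny icmp any any echo ip-pkt-len 92",
    "access-list 105 deny icmp any any echo ip-pkt-len 100",
    "access-list 105 permit ip any any",
)]

if __name__ == "__main__":
    # Constructed traffic: payload sizes chosen so Total Length (20 IP + 8 ICMP
    # + payload) lands on, and beside, the two filtered values.
    for name, pkt in (("echo, 64-byte payload", build_icmp(b"A" * 64)),
                      ("echo, 56-byte payload", build_icmp(b"A" * 56)),
                      ("echo, 72-byte payload", build_icmp(b"A" * 72)),
                      ("echo-reply, 64-byte payload", build_icmp(b"A" * 64, icmp_type=0))):
        p = parse_packet(pkt)
        print("%-28s ip-pkt-len=%3d -> %s" % (name, p["ip_pkt_len"], evaluate(ACL_105, pkt)))
```

The 64-byte and 72-byte payloads yield Total Length 92 and 100 and are dropped; the 56-byte echo request and the 92-byte echo reply fall through to the permit entry, which shows why the type keyword matters: without "echo" in the deny entries, replies of the same size would be dropped as well.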

The following is sample output for the show access-list command whose syntax is given at the top of this page; the counters report the flows and packets that matched each entry:

ServerIronADX# show access-list 100
Extended IP access list 100 (Total flows: 432, Total packets: 42000)
permit tcp 1.1.1.0 0.0.0.255 any (Flows: 80, Packets: 12900)
deny udp 1.1.1.0 0.0.0.255 any (Flows: 121, Packets: 20100)
permit ip 2.2.2.0 0.0.0.255 any (Flows: 231, Packets: 9000)