Example 2: filter icmp packets, Example 3: rate-limiting packets – Extreme Networks Summit 300-48 User Manual

Using Access Control Lists

Summit 300-48 Switch Software User Guide

119

Figure 11 shows the final outcome of this access list.

Figure 11: Permit-established access list filters out SYN packet to destination

Example 2: Filter ICMP Packets

This example creates an access list that filters out ping (ICMP echo) packets. ICMP echo packets are
defined as type 8 code 0.

The commands to create this access control list is as follows:

create access-mask icmp_mask ipprotocol icmp-type icmp-code

create access-list denyping icmp_mask ipprotocol icmp icmp-type 8 icmp-code 0 deny

The output for this access list is shown in Figure 12.

Figure 12: ICMP packets are filtered out

Example 3: Rate-limiting Packets

This example creates a rate limit to limit the incoming traffic from the 10.10.10.x subnet to 10 Mbps on
ingress port 2. Ingress traffic on port 2 below the rate limit is sent to QoS profile qp1 with its DiffServ
code point set to 7. Ingress traffic on port 2 in excess of the rate limit will be dropped.

The commands to create this rate limit is as follows:

create access-mask port2_mask source-ip/24 ports precedence 100

create rate-limit port2_limit port2_mask source-ip 10.10.10.0/24 ports 1:2 permit qp1

set code-point 7 limit 10 exceed-action drop

EW_037

10.10.10.100

10.10.20.100

SYN

SYN

LB48011

10.10.10.1

10.10.10.100

10.10.20.100

10.10.20.1

NET20 VLAN

NET10 VLAN

ICMP