Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide, 53-1002484-04, page 607
Chapter 22: Configuring numbered and named ACLs

Filtering traffic with ICMP packets

Use the following parameters if you want to filter traffic that contains ICMP packets. These
parameters apply only if you specified icmp as the <ip-protocol> value.

<operator>

Specifies a comparison operator for the TCP or UDP port number. You can enter
one of the following operators:

eq – The policy applies to the TCP or UDP port name or number you enter after
eq.

gt – The policy applies to TCP or UDP port numbers greater than the port
number or the numeric equivalent of the port name you enter after gt.

lt – The policy applies to TCP or UDP port numbers that are less than the port
number or the numeric equivalent of the port name you enter after lt.

neq – The policy applies to all TCP or UDP port numbers except the port
number or port name you enter after neq.

range – The policy applies to all TCP or UDP port numbers that are between
the first TCP or UDP port name or number and the second one you enter
following the range parameter. The range includes the port names or numbers
you enter. For example, to apply the policy to all ports between and including
23 (Telnet) and 53 (DNS), enter the following: range 23 53. The first port
number in the range must be lower than the last number in the range.

established – This operator applies only to TCP packets. If you use this
operator, the policy applies to TCP packets that have the ACK
(Acknowledgment) or RST (Reset) bits set on (set to “1”) in the Control Bits
field of the TCP packet header. Thus, the policy applies only to established TCP
sessions, not to new sessions. Refer to Section 3.1, “Header Format”, in RFC
793 for information about this field.

NOTE: This operator applies only to destination TCP ports, not source TCP ports.

<source-tcp/udp-port>

Enter the source TCP or UDP port number.

<destination-tcp/udp-port>

Enter the destination TCP or UDP port number.

match-all <tcp-flags> | match-any <tcp-flags>

If you specified TCP for <ip-protocol>, you can specify which flags inside the TCP
header need to be matched. Specify any of the following flags for <tcp-flags>:

+ | – urg = Urgent

+ | – ack = Acknowledge

+ | – psh = Push

+ | – rst = Reset

+ | – syn = Synchronize

+ | – fin = Finish

Use a + or – to indicate whether the matching condition requires the bit to be set to
1 (+) or 0 (–), separating each entry with a space. Enter match-all if all the flags
you specified must be matched in an established TCP session; enter match-any if a
match on any one of the specified flags is sufficient.
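The following Python model is an added illustration of the matching semantics in the table above; it is not Brocade's code, and the Clause and Packet structures, helper names, the two-entry port-name table and the sample values are constructed for this example. It evaluates one extended-ACL clause against one packet the way the table describes: eq/gt/lt/neq compare a single port, range is inclusive at both ends and requires the first port to be lower, established means ACK or RST set and is accepted only on the destination port, and match-all versus match-any decide how the +/- flag conditions combine.

```python
"""Model of the TCP/UDP port operators and <tcp-flags> matching from a
Brocade-style extended ACL clause. Added example, not the switch's code."""
from dataclasses import dataclass, field
from typing import List, Optional

# Bit positions of the TCP control flags (RFC 793, Section 3.1).
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}

# Port names used by the page's range example; a constructed subset only.
PORT_NAMES = {"telnet": 23, "dns": 53}


def port_number(value) -> int:
    """Resolve a port given as an int, a digit string or a well-known name."""
    if isinstance(value, int):
        return value
    if value.isdigit():
        return int(value)
    return PORT_NAMES[value.lower()]


@dataclass
class PortCondition:
    operator: str                          # eq | gt | lt | neq | range | established
    operands: List = field(default_factory=list)

    def matches(self, port: int, tcp_flags: int) -> bool:
        op = self.operator
        if op == "established":
            # ACK or RST set: an existing session, never a bare SYN.
            return bool(tcp_flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
        vals = [port_number(v) for v in self.operands]
        if op == "eq":
            return port == vals[0]
        if op == "gt":
            return port > vals[0]
        if op == "lt":
            return port < vals[0]
        if op == "neq":
            return port != vals[0]
        if op == "range":
            lo, hi = vals
            if lo >= hi:
                raise ValueError("range: first port must be lower than the last")
            return lo <= port <= hi        # both ends included
        raise ValueError(f"unknown operator {op!r}")


def tcp_flags_match(mode: str, conditions: List[str], tcp_flags: int) -> bool:
    """mode is 'match-all' or 'match-any'; conditions look like ['+syn', '-ack']."""
    results = []
    for cond in conditions:
        sign, name = cond[0], cond[1:].lower()
        if sign not in "+-" or name not in TCP_FLAG_BITS:
            raise ValueError(f"bad tcp-flag condition {cond!r}")
        bit_set = bool(tcp_flags & TCP_FLAG_BITS[name])
        results.append(bit_set == (sign == "+"))   # '+' wants 1, '-' wants 0
    return all(results) if mode == "match-all" else any(results)


@dataclass
class Clause:
    protocol: str                              # 'tcp' or 'udp'
    src: Optional[PortCondition] = None
    dst: Optional[PortCondition] = None
    flags_mode: Optional[str] = None           # 'match-all' | 'match-any'
    flags: List[str] = field(default_factory=list)


@dataclass
class Packet:
    protocol: str
    sport: int
    dport: int
    tcp_flags: int = 0


def clause_matches(clause: Clause, pkt: Packet) -> bool:
    """True if the packet satisfies every condition present in the clause."""
    if pkt.protocol != clause.protocol:
        return False
    if clause.src is not None:
        if clause.src.operator == "established":
            raise ValueError("established applies only to destination TCP ports")
        if not clause.src.matches(pkt.sport, pkt.tcp_flags):
            return False
    if clause.dst is not None and not clause.dst.matches(pkt.dport, pkt.tcp_flags):
        return False
    if clause.flags_mode is not None:
        if clause.protocol != "tcp":
            raise ValueError("<tcp-flags> requires <ip-protocol> tcp")
        if not tcp_flags_match(clause.flags_mode, clause.flags, pkt.tcp_flags):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: the page's 'range 23 53' against a DNS reply,
    # and 'established' against a SYN and against an RST.
    dns_rule = Clause("tcp", dst=PortCondition("range", ["23", "dns"]))
    print(clause_matches(dns_rule, Packet("tcp", 40000, 53)))
    est_rule = Clause("tcp", dst=PortCondition("established"))
    print(clause_matches(est_rule, Packet("tcp", 80, 40000, TCP_FLAG_BITS["syn"])))
    print(clause_matches(est_rule, Packet("tcp", 80, 40000, TCP_FLAG_BITS["rst"])))
```

The established check is worth tracing by hand: a lone RST passes it just as an ACK does, which is exactly what the table states, so an `established` permit is not a stateful session filter. Likewise a SYN+ACK fails `match-all +syn -ack` but passes `match-any +syn -ack`, because the `+syn` condition alone is enough under match-any.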
