Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003098-01


deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>]
    [<DEST-IP/MASK>|<NETWORK-GROUP-NAME>|any|host <DEST-HOST-IP>]
    (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

any

Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in
the network-service alias, received from any source are dropped.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols
and ports specified in the network-service alias, received from the specified VLAN(s) are dropped.

<VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs
separated by a hyphen (for example, 12-20).

Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols
and ports specified in the network-service alias, received from the specified host are dropped.

<SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols
and ports specified in the network-service alias, addressed to the specified network are dropped.

any

Specifies the destination as any destination IP address. Packets, matching the service protocols and ports
specified in the network-service alias, addressed to any destination are dropped.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service
protocols and ports specified in the network-service alias, addressed to the specified host are dropped.

<DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. Packets, matching the service
protocols and ports specified in the network-service alias, destined for the addresses identified by the
network-group alias are dropped.

<NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (the alias should already exist and
be configured).

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. if any
specified type of packet is received from a specified IP address and/or is destined for a specified IP address),
an event is logged.

mark [8021p <0-7>|dscp <0-63>]

Specifies packets to mark

8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority

dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header

rule-precedence <1-5000>
rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

rule-precedence – Assigns a precedence for this deny rule

<1-5000> – Specify a value from 1 - 5000.

The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule
with precedence 10.

rule-description – Optional. Configures a description for this deny rule. Provide a description that
uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

icmp

Applies this deny rule to Internet Control Message Protocol (ICMP) packets only

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified
sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses
identified by the network-group alias are dropped.

<NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (the alias should already exist and
be configured).

any

Specifies the source as any IP address. ICMP packets received from any source are dropped.
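
An added example, not taken from the Brocade guide: a small Python linter that checks constructed deny icmp lines against the limits stated on this page (rule-precedence 1-5000, rule-description up to 128 characters, A.B.C.D and A.B.C.D/M addresses, start-end VLAN ranges) and lists the clean rules in priority order. The sample rules, the function names, the positional ICMP type and code "8 0", and the two checks marked as assumptions in the comments are this example's own and do not reproduce the controller's parser.

```python
import ipaddress
import re

# Constructed sample rules in the syntax shown above; addresses and text are made up.
SAMPLE_RULES = [
    'deny icmp any host 10.1.1.5 8 0 log rule-precedence 10 rule-description "drop echo to server"',
    "deny icmp from-vlan 12-20 any 8 0 log rule-precedence 3",
    "deny icmp 192.168.300.0/24 any 8 0 rule-precedence 5001",
    "deny icmp from-vlan 20-12 any 8 0 rule-precedence 7",
]

def lint_rule(line):
    """Return the problems found in one 'deny icmp' rule line (empty list = clean)."""
    problems = []
    # rule-description <LINE> is the last keyword, so everything after it is free text.
    head, _, desc = line.partition(" rule-description ")
    prec = re.search(r"\brule-precedence (\d+)\b", head)
    if not prec:  # assumption: every rule carries a precedence
        problems.append("missing rule-precedence")
    elif not 1 <= int(prec.group(1)) <= 5000:
        problems.append("rule-precedence outside 1-5000")
    if len(desc.strip('"')) > 128:
        problems.append("rule-description longer than 128 characters")
    vlan = re.search(r"\bfrom-vlan (\S+)", head)
    if vlan:
        ids = vlan.group(1).split("-")
        if len(ids) > 2 or not all(i.isdigit() for i in ids):
            problems.append("from-vlan is not an ID or start-end range")
        elif len(ids) == 2 and int(ids[0]) > int(ids[1]):  # assumption: start <= end
            problems.append("from-vlan range start exceeds end")
    for host in re.findall(r"\bhost (\S+)", head):
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            problems.append(f"host {host} is not A.B.C.D")
    for net in re.findall(r"(?<!\S)(\S+/\d+)(?!\S)", head):
        try:
            ipaddress.IPv4Network(net, strict=False)
        except ValueError:
            problems.append(f"{net} is not A.B.C.D/M")
    return problems

def evaluation_order(lines):
    """Clean rules sorted so the lowest precedence value (highest priority) is first."""
    clean = [l for l in lines if not lint_rule(l)]
    return sorted(clean, key=lambda l: int(re.search(r"rule-precedence (\d+)", l).group(1)))

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(lint_rule(rule) or "ok", "<-", rule)
    print(evaluation_order(SAMPLE_RULES))
```

Running it over an exported ACL before pushing the configuration catches out-of-range precedence values and malformed addresses, and shows which deny rule takes priority when several could match.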
