92

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

Extended numbered ACL configuration

The destination-ip | hostname parameter specifies the destination IP host for the policy. If you want
the policy to match on all destination addresses, enter any.

The icmp-type | icmp-num parameter specifies the ICMP protocol type:

This parameter applies only if you specified icmp as the ip-protocol value.

If you use this parameter, the ACL entry is sent to the CPU for processing.

If you do not specify a message type, the ACL applies to all types of ICMP messages.

The icmp-num parameter can be a value from 0–255.

The icmp-type parameter can have one of the following values, depending on the software version
the device is running:

any-icmp-type

echo

echo-reply

information-request

log

mask-reply

mask-request

parameter-problem

redirect

source-quench

time-exceeded

timestamp-reply

timestamp-request

traffic policy

unreachable

num

NOTE

The QoS options listed below are only available if a specific ICMP type is specified for the icmp-type
parameter and cannot be used with the any-icmp-type option above.

The tcp/udp comparison operator parameter specifies a comparison operator for the TCP or UDP
port number. This parameter applies only when you specify tcp or udp as the IP protocol. For
example, if you are configuring an entry for HTTP, specify tcp eq http. You can enter one of the
following operators:

eq – The policy applies to the TCP or UDP port name or number you enter after eq.

established – This operator applies only to TCP packets. If you use this operator, the policy
applies to TCP packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to
“1”) in the Control Bits field of the TCP packet header. Thus, the policy applies only to
established TCP sessions, not to new sessions. Refer to Section 3.1, “Header Format”, in RFC
793 for information about this field.

NOTE

This operator applies only to destination TCP ports, not source TCP ports.
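To make the matching rules above concrete, here is a small evaluator written for this page (it is not Brocade code and does not model the switch's real parser). It covers the icmp-type | icmp-num parameter, the any destination, and the eq and established operators; the ICMP name-to-number table uses the standard RFC 792 type numbers, and PORT_NAME and PACKETS are constructed sample data.

```python
# Added example, not code from the Brocade guide: mirrors the extended-ACL
# matching semantics described on this page for constructed packet dicts.
ICMP_TYPE_NUM = {  # names listed above, mapped to the standard RFC 792 type numbers
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14, "information-request": 15,
    "mask-request": 17, "mask-reply": 18,
}
PORT_NAME = {"http": 80, "https": 443, "ssh": 22}  # port names accepted after eq
TCP_ACK, TCP_RST = 0x10, 0x04  # Control Bits field, RFC 793 section 3.1

def icmp_matches(entry, pkt):
    """No icmp-type, or any-icmp-type, matches every ICMP message type."""
    want = entry.get("icmp_type")
    if want in (None, "any-icmp-type"):
        return True
    num = want if isinstance(want, int) else ICMP_TYPE_NUM[want]  # icmp-num 0-255
    return pkt["icmp_type"] == num

def port_matches(entry, pkt):
    """tcp/udp comparison operator, applied to the destination port."""
    op = entry.get("operator")
    if op is None:
        return True
    if op[0] == "eq":  # eq <port name | port number>
        port = op[1]
        return pkt["dst_port"] == int(PORT_NAME.get(port, port))
    if op[0] == "established":  # TCP only: ACK or RST set, so not a fresh SYN
        return pkt["proto"] == "tcp" and bool(pkt["flags"] & (TCP_ACK | TCP_RST))
    raise ValueError("unknown operator %r" % (op[0],))

def entry_matches(entry, pkt):
    """True when the packet matches every clause of the ACL entry."""
    if entry["proto"] != pkt["proto"]:
        return False
    if entry["dst"] != "any" and entry["dst"] != pkt["dst"]:  # destination-ip | any
        return False
    if pkt["proto"] == "icmp":
        return icmp_matches(entry, pkt)
    return port_matches(entry, pkt)

# Constructed sample packets (not captured traffic); flags are TCP Control Bits.
PACKETS = {
    "syn_to_http": {"proto": "tcp", "dst": "10.0.0.5", "dst_port": 80, "flags": 0x02},
    "ack_to_http": {"proto": "tcp", "dst": "10.0.0.5", "dst_port": 80, "flags": TCP_ACK},
    "rst_to_ssh":  {"proto": "tcp", "dst": "10.0.0.5", "dst_port": 22, "flags": TCP_RST},
    "ping":        {"proto": "icmp", "dst": "10.0.0.5", "icmp_type": 8},
    "ttl_expired": {"proto": "icmp", "dst": "10.0.0.5", "icmp_type": 11},
}
```

Running the entries against PACKETS shows the key point of the established operator: a bare SYN to port 80 is not matched, while the ACK and RST packets are.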
