Access Security Guide K/KA/KB.15.15

These source-port and destination-port TCP/UDP criteria are identical to the criteria
described for TCP/UDP use in named, extended ACLs. See “Including options for
TCP and UDP traffic in extended ACLs” (page 267).
Controlling ICMP traffic flow
This command is useful where it is necessary to permit some types of ICMP traffic and deny other
types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed
to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or
deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same
ACE. As an optional alternative, the ACE can include the name of an ICMP packet type.
Syntax:
access-list < 100 - 199 > < deny | permit >
icmp < SA > < DA >
[ [ icmp-type [ icmp-code]] | [icmp-type-name] ]
The ICMP "type" and "code" criteria are identical to the criteria described for ICMP
in named, extended ACLs.
Controlling IGMP traffic flow
This command is useful where it is necessary to permit some types of IGMP traffic and deny other
types, instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed
to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an
individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
As an optional alternative, the ACE can include the name of an IGMP packet type.
Syntax:
access-list < 100 - 199 >
< deny | permit > igmp < src-ip > <dest-ip> [ igmp-type]
The IGMP "type" criterion is identical to the criterion described for IGMP in named,
extended ACLs. See “Controlling IGMP traffic in extended ACLs” (page 270).
Configuring logging timer
By default, the wait period for logging "deny" matches (described above in "ACL Logging
Operation") is approximately five minutes (300 seconds). You can manually set the wait period
timer to an interval between 30 and 300 seconds, using the access-list command from the config
context. This setting is stored in the switch configuration.
Syntax:
access-list logtimer < default | < 30-300 > >
From config context:
This command sets the wait period timer for logging "deny" messages to the SYSLOG
server or other destination device. The first time a packet matches an ACE with
deny and log configured, the message is sent immediately to the destination and
the switch starts a wait period of approximately five minutes (default value). The
exact duration of the period depends on how the packets are internally routed. At
the end of the wait period, the switch sends a single-line summary of any additional
"deny" matches for that ACE, and any other "deny" ACEs for which the switch
detected a match. If no further log messages are generated in the wait period, the
Configuring 275
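The wait-period behaviour described above, modelled as an added Python simulation (not switch firmware or HP code): the first "deny log" match is reported immediately, further matches during the wait period are counted, and a single summary line for every matched deny ACE is emitted when the period ends. The ACE labels and event times are constructed samples; because the guide's text on what happens once a quiet period ends is cut off here, the model assumes the next match after a closed window is again reported immediately.

```python
# Simulation of the ACL "deny log" wait period (added example, not switch code).
# Times are in seconds; ACE names such as "ACE 10" are constructed samples.

def parse_logtimer(arg: str) -> int:
    """Mirror the 'access-list logtimer < default | <30-300> >' argument check."""
    if arg == "default":
        return 300                       # default wait period: about five minutes
    value = int(arg)
    if not 30 <= value <= 300:
        raise ValueError("logtimer must be 'default' or 30-300 seconds")
    return value


class DenyLogAggregator:
    def __init__(self, wait_period: int = 300):
        self.wait_period = wait_period
        self.window_start = None         # None: no wait period is running
        self.pending = {}                # ACE -> additional deny matches not yet reported
        self.messages = []               # (time, text) lines that would go to SYSLOG

    def _close_window(self, at):
        # End of the wait period: one summary line covering the ACE that opened the
        # window and every other deny ACE that matched meanwhile. No matches, no line.
        if self.pending:
            parts = ", ".join(f"{ace}: {n}" for ace, n in sorted(self.pending.items()))
            self.messages.append((at, f"ACL deny summary: {parts}"))
        self.pending = {}
        self.window_start = None         # assumption: next match is logged immediately

    def match(self, now, ace):
        """Record a packet matching a 'deny log' ACE at time `now`."""
        if self.window_start is not None and now >= self.window_start + self.wait_period:
            self._close_window(self.window_start + self.wait_period)
        if self.window_start is None:
            # First deny match: message sent at once and the wait period starts.
            self.messages.append((now, f"ACL deny: {ace}"))
            self.window_start = now
            return
        self.pending[ace] = self.pending.get(ace, 0) + 1

    def flush(self, now):
        """Advance the clock without traffic (timer expiry) and return all messages."""
        if self.window_start is not None and now >= self.window_start + self.wait_period:
            self._close_window(self.window_start + self.wait_period)
        return list(self.messages)


def simulate(events, wait_period, end_time):
    """Feed (time, ace) events through one aggregator and return the log lines."""
    agg = DenyLogAggregator(wait_period)
    for t, ace in events:
        agg.match(t, ace)
    return agg.flush(end_time)
```

With a 30-second timer, five matches at t=0, 5, 12, 20 and 45 produce the immediate line at t=0, one summary at t=30 and a fresh immediate line at t=45.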