Technical data

ServerIron ADX NAT64 Configuration Guide, 53-1002444-02, page 92
ACLs and ICMP
5
DRAFT: BROCADE CONFIDENTIAL
The commands in this example deny (drop) ICMP echo request packets whose IP header total-length
field is 92 or 100. You can specify an IP packet length of 1 through 65535. Refer to the section
“ICMP filtering with flow-based ACLs” on page 92 for additional information on using ICMP message
types to filter packets.
ICMP filtering with flow-based ACLs
Most Foundry software releases that support flow-based ACLs filter traffic based on the following
ICMP message types:
echo
echo-reply
information-request
mask-reply
mask-request
parameter-problem
redirect
source-quench
time-exceeded
timestamp-reply
timestamp-request
unreachable
<num>
To create ACL policies that filter ICMP message types, you can enter either the name of the message
type or its type and code numbers. ICMP message type filtering is also now available for rule-based
ACLs on BigIron Layer 2 Switch and Layer 3 Switch images.
Numbered ACLs
For example, to deny the echo message type in a numbered ACL, enter either of the following
commands:
ServerIronADX(config)# access-list 109 deny ICMP any any echo
or
ServerIronADX(config)# access-list 109 deny ICMP any any 8 0
Syntax: [no] access-list <num> deny | permit icmp
        <source-ip-address> | <source-ip-address/subnet-mask> | any | host <source-host>
        <destination-ip-address> | <destination-ip-address/subnet-mask> | any | host <destination-host>
        <icmp-type> | <icmp-type-number> <icmp-code-number>
The deny | permit parameter indicates whether packets that match the policy are dropped or
forwarded.
You can either enter the name of the message type for <icmp-type> or the type number and code
number of the message type. Refer to Table 12 on page 93 for valid values.
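The following Python model, added here as an illustration and not code from the guide or from Brocade, parses entries written in the syntax above and walks them top-down the way a flow-based ACL is evaluated, so the effect of rule order and of the two ICMP operand forms (name versus type and code) can be checked offline. It assumes: the IANA type numbers from RFC 792/RFC 950 stand in for the guide's Table 12 (which is not on this page); an entry written with a type name matches that type with any code, while the numeric form matches both type and code; and a packet matching no entry is denied, as with the usual implicit deny at the end of an ACL. The sample ACL and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type numbers for the message-type names the guide lists. These are the
# IANA-assigned values (RFC 792 / RFC 950), used here as an assumption in place
# of the guide's Table 12, which is not reproduced on this page.
ICMP_TYPE_NAMES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14, "information-request": 15,
    "mask-request": 17, "mask-reply": 18,
}


@dataclass
class IcmpRule:
    acl_num: int
    action: str                   # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: int
    icmp_code: Optional[int]      # None: name form, matches any code (assumption)


def _parse_addr(tokens: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand: any | host A.B.C.D | A.B.C.D/len | A.B.C.D/M.M.M.M."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    # ipaddress accepts both a prefix length and a dotted subnet mask here.
    return ipaddress.ip_network(tok, strict=False), pos + 1


def parse_rule(line: str) -> IcmpRule:
    """Parse 'access-list <num> deny|permit icmp <src> <dst> <type-name> | <type> <code>'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[3].lower() != "icmp":
        raise ValueError("not an ICMP access-list entry: " + line)
    action = t[2].lower()
    if action not in ("deny", "permit"):
        raise ValueError("action must be deny or permit: " + line)
    src, pos = _parse_addr(t, 4)
    dst, pos = _parse_addr(t, pos)
    rest = t[pos:]
    if len(rest) == 1 and rest[0] in ICMP_TYPE_NAMES:
        # Name form, e.g. "echo", which the guide shows is the same as "8 0".
        return IcmpRule(int(t[1]), action, src, dst, ICMP_TYPE_NAMES[rest[0]], None)
    if len(rest) == 2 and rest[0].isdigit() and rest[1].isdigit():
        # Numeric form: explicit type and code, both compared on match.
        return IcmpRule(int(t[1]), action, src, dst, int(rest[0]), int(rest[1]))
    raise ValueError("bad ICMP type/code operand: " + line)


def evaluate(rules: List[IcmpRule], src_ip: str, dst_ip: str,
             icmp_type: int, icmp_code: int) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in r.src and d in r.dst and icmp_type == r.icmp_type
                and (r.icmp_code is None or r.icmp_code == icmp_code)):
            return r.action
    return "deny"  # implicit deny at the end of the ACL (assumed, as in standard ACLs)


# Constructed sample ACL (not from the guide): the second entry would shadow the
# first if their order were swapped, which is the usual ACL ordering pitfall.
ACL_109 = [
    "access-list 109 permit ICMP host 10.1.1.5 any echo",
    "access-list 109 deny ICMP any any 8 0",
    "access-list 109 permit ICMP any 10.1.0.0/255.255.0.0 unreachable",
]
RULES = [parse_rule(entry) for entry in ACL_109]

if __name__ == "__main__":
    # Constructed packets: (source, destination, ICMP type, ICMP code)
    for pkt in [("10.1.1.5", "10.2.2.2", 8, 0), ("192.0.2.7", "10.2.2.2", 8, 0),
                ("192.0.2.7", "10.1.9.9", 3, 1), ("192.0.2.7", "10.1.9.9", 0, 0)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Running the block shows the echo request from 10.1.1.5 permitted by the first entry, the same request from any other source dropped by the second, a destination-unreachable (type 3, code 1) permitted by the name-form third entry regardless of its code, and an echo reply dropped by the implicit deny because no entry permits it.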