Command Line Reference Guide

ManualsBrandsDell ManualsSoftwareForce10

161

162

163

164

165

166

167

168

169

170

the ingress and egress direction. Flow-based monitoring conserves bandwidth by

monitoring only specified traffic instead all traffic on the interface. This feature is

particularly useful when looking for malicious traffic. It is available for Layer 2 and

Layer 3 ingress and egress traffic. You may specify traffic using standard or

extended access-lists. This mechanism copies all incoming or outgoing packets on

one port and forwards (mirrors) them to another port. The source port is the

monitored port (MD) and the destination port is the monitoring port (MG).

Commands

ip access-list extended — creates an extended ACL.

permit tcp — assigns a permit filter for TCP packets.

permit udp — assigns a permit filter for UDP packets.

permit icmp

Configure a filter to allow all or specific ICMP messages.

Syntax

permit icmp {source mask | any | host ip-address} {destination

mask | any | host ip-address} [dscp] [message-type] [count

[byte]] [order] [fragments][log [interval minutes] [threshold-

in-msgs [count]] [monitor]

To remove this filter, you have two choices:

• Use the no seq sequence-number command if you know the filter’s

sequence number.

• Use the no permit icmp {source mask | any | host ip-address}

{

destination mask | any | host ip-address} command.

Parameters

source Enter the IP address of the network or host from which the

packets were sent.

mask Enter a network mask in /prefix format (/x) or A.B.C.D. The

mask, when specified in A.B.C.D format, may be either

contiguous or noncontiguous.

any Enter the keyword any to match and drop specific Ethernet

traffic on the interface.

host ip-address Enter the keyword host and then enter the IP address to

specify a host IP address.

destination Enter the IP address of the network or host to which the

packets are sent.

dscp Enter the keyword dscp to deny a packet based on the

DSCP value. The range is 0 to 63.

message-type (OPTIONAL) Enter an ICMP message type, either with the

type (and code, if necessary) numbers or with the name of

168

Access Control Lists (ACL)