80 ServerIron ADX Security Guide
53-1002440-03
ACLs and ICMP
2
<num>
Also, to create ACL policies that filter ICMP message types, you can either enter the description of
the message type or enter its type and code IDs. Furthermore ICMP message type filtering is now
available for rule-based ACLs on BigIron Layer 2 Switch and Layer 3 Switch images.
Numbered ACLs
For example, to deny the echo message type in a numbered ACL, enter commands such as the
following when configuring a numbered ACL.
ServerIronADX(config)# access-list 109 deny ICMP any any echo
or
ServerIronADX(config)# access-list 109 deny ICMP any any 8 0
Syntax: [no] access-list <num>
Syntax: deny | permit icmp <source-ip-address> | <source-ip-address/subnet-mask> | any | host
<source-host>
<destination-ip-address> | <destination-ip-address/subnet-mask> | any | host
<destination-host>
<icmp-type> | <icmp-type-number> <icmp-code-number>
The deny | permit parameter indicates whether packets that match the policy are dropped or
forwarded.
You can either enter the name of the message type for <icmp-type> or the type number and code
number of the message type. Refer to Table 5 on page 81 for valid values.
Named ACLs
For example, to deny the administratively-prohibited message type in a named ACL, enter
commands such as the following.
ServerIronADX(config)# ip access-list extended melon
ServerIronADX(config-ext-nacl)# deny ICMP any any administratively-prohibited
or
ServerIronADX(config)# ip access-list extended melon
ServerIronADX(config-ext-nacl)# deny ICMP any any 3 13
Syntax: [no] ip access-list extended <acl-num> | <acl-name>
Syntax: deny | permit icmp <source-ip-address> | <source-ip-address/subnet-mask> | any | host
<source-host>
<destination-ip-address> | destination-ip-address/subnet-mask> | any | host
<destination-host>
<icmp-type> | <icmp-type-number> <icmp-code-number>
The extended parameter indicates the ACL entry is an extended ACL.
The <acl-name> | <acl-num> parameter allows you to specify an ACL name or number. If using a
name, specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name
if you enclose the name in quotation marks (for example, “ACL for Net1”). The <acl-num>
parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a
number from 100 – 199 for extended ACLs.