Clearing flow-based acl statistics, Dropping all fragments that exactly match an acl, Acls and icmp – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual
Brocade Virtual ADX Security Guide
53-1003250-01
ETH PORT
ICMP inbound packets received 400
ICMP inbound packets permitted 200
ICMP inbound packets denied 200
Syntax: show ip acl-traffic
The command lists a separate set of statistics for each of the following IP protocols:
• ICMP
• IGMP
• IGRP
• IP
• OSPF
• TCP
• UDP
• Protocol number, if an ACL is configured for a protocol not listed above
For TCP and UDP, a separate set of statistics is listed for each application port.
Clearing flow-based ACL statistics
To clear the ACL statistics, enter the following command at the Privileged EXEC level of the CLI.
Virtual ADX (config)#clear ip acl-traffic
Syntax: clear ip acl-traffic
Dropping all fragments that exactly match an ACL
For fragmented packets that are sent to the CPU for processing, the Brocade Virtual ADX device compares the fragment's source and destination IP addresses against the interface's ACL entries. By default, if the fragment's source and destination IP addresses exactly match an ACL entry that also has Layer 4 information (source and destination TCP or UDP application ports), the Brocade Virtual ADX device permits or denies the fragment according to the ACL.
ACLs and ICMP
This section describes how ACLs can be used to filter traffic based on ICMP packets.
Using flow-based ACLs to filter ICMP packets based on the IP packet length
To configure an extended ACL that filters based on the IP packet length of ICMP packets, enter commands such as the following.
Virtual ADX (config)#access-list 105 deny icmp any any echo ip-pkt-len 92
Virtual ADX (config)#access-list 105 deny icmp any any echo ip-pkt-len 100
Virtual ADX (config)#access-list 105 permit ip any any
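The following is an added example, not code from the Brocade guide or the Virtual ADX itself: a small Python model that parses the three access-list 105 lines above and evaluates sample ICMP packets against them, so the effect of the ip-pkt-len match (exact length only, echo type only, first-match order) can be checked before the ACL is applied to an interface. Assumed, not stated on this page: entries are evaluated first-match in configuration order, and a packet that matches no entry is denied.

```python
from dataclasses import dataclass
from typing import Optional

# The ACL lines exactly as shown in the guide's example.
ACL_105 = [
    "access-list 105 deny icmp any any echo ip-pkt-len 92",
    "access-list 105 deny icmp any any echo ip-pkt-len 100",
    "access-list 105 permit ip any any",
]

@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "icmp", "tcp", "udp", ...
    src: str                           # "any" or a host address
    dst: str
    icmp_type: Optional[str] = None    # e.g. "echo"; None = any type
    ip_pkt_len: Optional[int] = None   # exact IP total length; None = any

def parse_entry(line: str) -> Entry:
    """Parse the subset of access-list syntax used in the page's example."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    entry = Entry(action=tok[2], proto=tok[3], src=tok[4], dst=tok[5])
    rest = tok[6:]
    # An ICMP type keyword, if present, comes before ip-pkt-len.
    if entry.proto == "icmp" and rest and rest[0] != "ip-pkt-len":
        entry.icmp_type = rest.pop(0)
    if rest[:1] == ["ip-pkt-len"]:
        entry.ip_pkt_len = int(rest[1])
    return entry

def matches(e: Entry, proto: str, src: str, dst: str,
            icmp_type: Optional[str], length: int) -> bool:
    if e.proto != "ip" and e.proto != proto:          # "ip" covers all protocols
        return False
    if e.src != "any" and e.src != src:
        return False
    if e.dst != "any" and e.dst != dst:
        return False
    if e.icmp_type is not None and e.icmp_type != icmp_type:
        return False
    return e.ip_pkt_len is None or e.ip_pkt_len == length

def evaluate(acl, proto, src, dst, icmp_type=None, length=0) -> str:
    """First-match evaluation (assumption); implicit deny if nothing matches."""
    for e in acl:
        if matches(e, proto, src, dst, icmp_type, length):
            return e.action
    return "deny"

ACL = [parse_entry(line) for line in ACL_105]
```

Only echo requests whose total IP length is exactly 92 or 100 bytes are denied; an echo of 93 bytes, an echo-reply of 92 bytes, or any non-ICMP packet falls through to the final permit.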