https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-a-ttl-lt-6-acl-entry/m-p/53744#M15188 <BR /> Trying to create an ACL entry that blocks IP TTL &lt; 6 - <BR /> The <B></B>16.1 user guide offers the match condition "TTL number { mask number}"<BR /> <BR /> I am new to doing acls on Extreme, and assume that the policy entry should look like this"<BR /> <BR /> entry { <BR /> <BR /> if { <BR /> <BR /> ttl [number] mask [number];<BR /> <BR /> } then {<BR /> <BR /> deny;<BR /> <BR /> }<BR /> <BR /> }<BR /> <BR /> However, I don't know what I should put for the number or mask to make the equation equal "less than 6"<BR /> <BR /> As you may have guessed, I am trying to implement Cisco's hardening checklist equivalent on a Summit x460 that we are using as a border router, and I am guessing that most of the items listed such as blocking TTL less than six, blocking fragments, etc, have to be done using ACL.<BR /> <BR /> Finally, whatever you provide as the answer for the match condition, can I use it in a dynamic acl entry as well?<BR /> <BR /> Thanks,<BR /> <BR /> Steve<BR /> <BR /> <U></U><I></I><BR /> <BR /> Fri, 17 Jul 2015 18:38:00 GMT Steve_Robinson 2015-07-17T18:38:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-a-ttl-lt-6-acl-entry/m-p/53744#M15188 <BR /> Trying to create an ACL entry that blocks IP TTL &lt; 6 - <BR /> The <B></B>16.1 user guide offers the match condition "TTL number { mask number}"<BR /> <BR /> I am new to doing acls on Extreme, and assume that the policy entry should look like this"<BR /> <BR /> entry { <BR /> <BR /> if { <BR /> <BR /> ttl [number] mask [number];<BR /> <BR /> } then {<BR /> <BR /> deny;<BR /> <BR /> }<BR /> <BR /> }<BR /> <BR /> However, I don't know what I should put for the number or mask to make the equation equal "less than 6"<BR /> <BR /> As you may have guessed, I am trying to implement Cisco's hardening checklist equivalent on a Summit x460 that we are using as a border router, and I am guessing that most of the items listed such as blocking TTL less than six, blocking fragments, etc, have to be done using ACL.<BR /> <BR /> Finally, whatever you provide as the answer for the match condition, can I use it in a dynamic acl entry as well?<BR /> <BR /> Thanks,<BR /> <BR /> Steve<BR /> <BR /> <U></U><I></I><BR /> <BR /> Fri, 17 Jul 2015 18:38:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-a-ttl-lt-6-acl-entry/m-p/53744#M15188 Steve_Robinson 2015-07-17T18:38:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-a-ttl-lt-6-acl-entry/m-p/53745#M15189 Steve,<BR /> <BR /> This is a new feature of EXOS v16.1.1 and I don't have a physical switch to try it, so I don't know if this will work...<BR /> <BR /> The documentation says:<BR /> "<I>Time To Live with mask.The mask is optional, and it can be decimal value or a hexadecimal value.Only those bits of the ttl whose corresponding bit in the mask is set to 1 will be used as match criteria.This can be used to match IPv4 Time-To-Live and IPv6 Hop Limit.</I>"<BR /> <BR /> So, if my undestanding of this is correct, if you were looking for 7 or less, it would be easy. Mask off the last three bits with 248 (1111 1000) and if the result is zero, you're in. It would look like<BR /> ttl 0 mask 248; # this should match 1 to 7<BR /> But "less than 6" means 5 (0101), 4 (0100), 3 (0011), 2 (0010) and 1 (0001) so you can't check that with a single mask. You have to use two, to check for 10x and 0xx.<BR /> entry test5-4_ttl_mask {<BR /> if match any {<BR /> ttl 4 mask 254; # this should match 4 and 5 <BR /> } then {<BR /> deny;<BR /> }<BR /> }<BR /> entry test3-2-1_ttl_mask {<BR /> if match any {<BR /> ttl 0 mask 252; # this should match 1 to 3 <BR /> } then {<BR /> deny;<BR /> }<BR /> }<BR /> Please, let me know if this works...<BR /> <BR /> Sat, 18 Jul 2015 01:33:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-a-ttl-lt-6-acl-entry/m-p/53745#M15189 dflouret 2015-07-18T01:33:00Z