topic RE: ACL policy with ICMP types in ExtremeSwitching (EXOS/Switch Engine)

ACL policy with ICMP types

Frank — Tue, 16 Dec 2014 21:15:00 GMT

I want/need to create an ACL that only allows certain ICMP types and denies "the rest". Specifically "echo (8)", "echo-reply (0)", "time-exceeded (11)", "traceroute (30, I know. technically deprecated)", and "unreachable (3)" need to be accepted.

And "of course" there are a few other rules in that policy file as well, like accepting only HTTP/S traffic etc.

My question is, do I need to create five distinct entries in my policy file, each saying

if match all {
protocol icmp;
icmp-type 3;
} then {
permit;
}

or can I simply have one

if {
icmp-type 3;
icmp-type 0;
icmp-type 30;
...
} then {
permit;
}

I don't think we have (in 15.3/4/5/6.X) the option of "AND" and "OR", do we? So I guess I can not do

if {
protocol icmp; AND
( icmp-type 3; OR
icmp-type 0; OR
icmp-type 30; OR
...)
} then {
permit;
}

correct?

Thanks,

Frank

RE: ACL policy with ICMP types

Sumit_Tokle — Tue, 16 Dec 2014 21:44:00 GMT

if match any {
icmp-type 3;
icmp-type 0;
icmp-type 30;
...
} then {
permit;
}

By default, policy matches all the condition. You can use above type of policy.

RE: ACL policy with ICMP types

Paul_Russo — Tue, 16 Dec 2014 22:39:00 GMT

Hey Frank the other option you would have is to permit the ones you want and then deny all other ICMP packets. Not sure which is easier for you.

Thanks
P

RE: ACL policy with ICMP types

Frank — Tue, 16 Dec 2014 23:24:00 GMT

Yeah, that's what I'm doing - there's a "deny all" at the very end which I omitted.
I do wonder about the effectiveness of essentially checking every packet against 5 icmp-types, even tcp/udp packets, but I hope there's internal optimization going on that I don't see (or that it's not that expensive to do) 🙂

RE: ACL policy with ICMP types

Paul_Russo — Tue, 16 Dec 2014 23:27:00 GMT

Hey Frank Going through the AL policy file should not impact performance at all. We do the check I HW and we do it in parallel when the packet ingress especially the switch. That allows us to forward at L2/LA do ACLs and QoS at wire speed. Does that help? P

RE: ACL policy with ICMP types

Frank — Tue, 16 Dec 2014 23:28:00 GMT

Sure does - and thank you much!

RE: ACL policy with ICMP types

Frank — Tue, 16 Dec 2014 23:54:00 GMT

OUCH!!!
-> Line 73 : Protocol needs to be set to icmp or icmpv6 , before setting "icmp-type".

However, this seems to be sufficient to pass the check command:

entry Allow_ICMP {
if match any {
protocol icmp;
icmp-type 0;
icmp-type 3;
icmp-type 8;
icmp-type 11;
icmp-type 30;
} then {
permit;
}
}

If I hit another snag, I'll be back posting 🙂

RE: ACL policy with ICMP types

Frank — Wed, 17 Dec 2014 00:19:00 GMT

Whooops:
# refresh policy "test"

Error: Was not able to refresh policy test
Line 75 : Attribute icmp-type already exists as a match statement in Acl entry Allow_ICMP.
Configuration failed on backup MSM, command execution aborted!

I guess I have to type out five different entries. At least on 15.5.1.6 😞

Yup, that worked.

RE: ACL policy with ICMP types

Stephane_Grosj1 — Wed, 17 Dec 2014 04:37:00 GMT

Hi,

You cannot have several icmp-type in the same match condition. Any packet can only be of one type, not all. That's why you have the error message. You would have the same kind of error if you tried to have on the same condition match both an IPv4 and an IPv6 address. That's not possible.

Rgds,
Stephane