ACL policy with ICMP types

Frank
Contributor II
I want/need to create an ACL that only allows certain ICMP types and denies "the rest". Specifically "echo (8)", "echo-reply (0)", "time-exceeded (11)", "traceroute (30, I know, technically deprecated)", and "unreachable (3)" need to be accepted.

And "of course" there are a few other rules in that policy file as well, like accepting only HTTP/S traffic etc.

My question is, do I need to create five distinct entries in my policy file, each saying

if match all {
    protocol icmp;
    icmp-type 3;
} then {
    permit;
}

or can I simply have one

if {
    icmp-type 3;
    icmp-type 0;
    icmp-type 30;
    ...
} then {
    permit;
}

I don't think we have (in 15.3/4/5/6.X) the option of "AND" and "OR", do we? So I guess I cannot do

if {
    protocol icmp; AND
    ( icmp-type 3; OR
      icmp-type 0; OR
      icmp-type 30; OR
      ...)
} then {
    permit;
}

correct?

Thanks,

Frank


Paul_Russo
Extreme Employee
Hey Frank, going through the ACL policy file should not impact performance at all. We do the check in HW and we do it in parallel when the packet ingresses the switch. That allows us to forward at L2/L3, do ACLs and QoS at wire speed. Does that help? P

Frank
Contributor II
Yeah, that's what I'm doing - there's a "deny all" at the very end which I omitted.
I do wonder about the effectiveness of essentially checking every packet against 5 icmp-types, even tcp/udp packets, but I hope there's internal optimization going on that I don't see (or that it's not that expensive to do) 🙂

Paul_Russo
Extreme Employee
Hey Frank the other option you would have is to permit the ones you want and then deny all other ICMP packets. Not sure which is easier for you.

Thanks
P

Sumit_Tokle
Contributor
if match any {
    icmp-type 3;
    icmp-type 0;
    icmp-type 30;
    ...
} then {
    permit;
}

By default, a policy matches all the conditions. You can use the above type of policy.
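Pulling the thread together, here is a complete EXOS policy file written for this page as an added example; it is not Frank's file and not an Extreme-supplied sample. It uses the separate-entry "match all" form from the question for the five ICMP types (so each entry can also require "protocol icmp"), adds the explicit deny for all other ICMP suggested in the second reply, the HTTP/S permits the question mentions, and the final deny-all Frank said he omitted. The policy name, entry names, counter names and the port number in the usage note are assumptions.

```text
# icmp-filter.pol  (constructed example; names are assumptions)
#
# EXOS evaluates entries top to bottom and stops at the first match,
# so the permits must come before the ICMP catch-all deny and the
# final deny-all must be last.

entry permit_icmp_echo_reply {
    if match all {
        protocol icmp;
        icmp-type 0;          # echo-reply
    } then {
        permit;
    }
}

entry permit_icmp_unreachable {
    if match all {
        protocol icmp;
        icmp-type 3;          # destination unreachable
    } then {
        permit;
    }
}

entry permit_icmp_echo {
    if match all {
        protocol icmp;
        icmp-type 8;          # echo request
    } then {
        permit;
    }
}

entry permit_icmp_time_exceeded {
    if match all {
        protocol icmp;
        icmp-type 11;         # time exceeded (used by traceroute replies)
    } then {
        permit;
    }
}

entry permit_icmp_traceroute {
    if match all {
        protocol icmp;
        icmp-type 30;         # traceroute (deprecated, kept per the question)
    } then {
        permit;
    }
}

# Everything ICMP that did not match above is dropped and counted,
# which makes unexpected ICMP types visible in the counter output.
entry deny_other_icmp {
    if match all {
        protocol icmp;
    } then {
        deny;
        count other_icmp_denied;
    }
}

entry permit_http {
    if match all {
        protocol tcp;
        destination-port 80;
    } then {
        permit;
    }
}

entry permit_https {
    if match all {
        protocol tcp;
        destination-port 443;
    } then {
        permit;
    }
}

# Implicit "default deny" made explicit so that it is counted.
entry deny_all {
    if {
    } then {
        deny;
        count all_denied;
    }
}
```

Save it as icmp-filter.pol in /config, run "check policy icmp-filter" to let the switch parse it before it is applied, then bind it with "configure access-list icmp-filter ports 1:1 ingress" (port is an assumption). The "match any" form in the reply above would collapse the five ICMP entries into one; note that such a list can hold only icmp-type conditions, because adding "protocol icmp" to a match-any list would make every ICMP packet match it.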