Nortel Networks 2300 Manual

next previous

Configuring and Managing Security ACLs 357

Nortel WLAN Security Switch 2300 Series Configuration Guide

Setting an ICMP ACL

With the following command, you can use security ACLs to set Internet Control Message Protocol (ICMP)

parameters for the ping command:

set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask

destination-ip-addr mask} [type icmp-type] [code icmp-code] [precedence

precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits]

An ICMP ACL can filter packets by source and destination IP address, TOS level, precedence, ICMP type,

and ICMP code. For example, the following command permits all ICMP packets coming from 192.168.1.3

and going to 192.168.1.4 that also meet the following conditions:

• ICMP type is 11 (Time Exceeded).

• ICMP code is 0 (Time to Live Exceeded).

• Type-of-service level is 12 (minimum delay plus maximum throughput).

• Precedence is 7 (network control).

23x0# set security acl ip acl-3 permit icmp 192.168.1.3 0.0.0.0 192.168.1.4 0.0.0.0 type

11 code 0 precedence 7 tos 12 before 1 hits

The before 1 portion of the ACE places it before any others in the ACL, so it has precedence over any later

ACEs for any parameter settings that are met.

For more information about changing the order of ACEs or otherwise modifying security ACLs, see “Modi-

fying a Security ACL” on page 369. For information about TOS and precedence levels, see the Nortel Mobility

System Software Command Reference. For CoS details, see “Class of Service” on page 355.

ICMP includes many messages that are identified by a type field. Some also have a code within that type.

Table 24 lists some common ICMP types and codes. For more information, see

http://www.iana.org/assignments/icmp-parameters.

Table 24: Common ICMP Message Types and Codes

ICMP Message Type (Number) ICMP Message Code (Number)

Echo Reply (0) None

Destination Unreachable (3) • Network Unreachable (0)

• Host Unreachable (1)

• Protocol Unreachable (2)

• Port Unreachable (3)

• Fragmentation Needed (4)

• Source Route Failed (5)

Source Quench (4) None

Redirect (5) • Network Redirect (0)

• Host Redirect (1)

• Type of Service (TOS) and Network Redirect (2)

• TOS and Host Redirect (3)