Comware

  • 1.  Permit ICMP in ACL

    Posted Oct 18, 2004 10:59 PM
    Hi all,
    My acl looks something like this

    permit tcp 10.0.0.0 0.255.255.255 any eq 49
    permit udp 10.0.0.0 0.255.255.255 any eq 69
    permit udp 10.0.0.0 0.255.255.255 any eq 514
    permit udp 10.0.0.0 0.255.255.255 any eq 161

    Now, how do I permit ICMP traffic?

    I'm using a 5308xl with the latest firmware...

    Best regards,
    Marcus


  • 2.  RE: Permit ICMP in ACL

    Posted Oct 19, 2004 04:31 AM
    Hi Marcus,

    The use of ACLs is somewhat restricted. You can only distinguish traffic based on src/dst, udp/tcp numbers and the whole IP stack.

    That means you have to allow everything (ip) between the implied devices.

    Rgds,
    Rasmus


  • 3.  RE: Permit ICMP in ACL

    Posted Oct 19, 2004 09:53 PM
    In general it should go something like this:
    permit tcp 10.0.0.0 0.255.255.255 eq icmp, but the HP ACL does not support denying ICMP traffic and you can't assign it to any ports cos ICMP doesn't use any port.

    Maybe future releases of HP firmware will solve this issue.

    Normally ICMP traffic is filtered by routers.


  • 4.  RE: Permit ICMP in ACL

    Posted Oct 19, 2004 11:08 PM
    Hi Jarno,

    The reason ICMP does not have a port number is because it is not a part of the TCP protocol, but a separate protocol in the IP stack.
    Therefore, this feature (if ever available from HP) would rather be something like:

    permit ip blah blah blah ICMP
    or simply
    permit icmp ....

    Rgds,
    Rasmus
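
An added example, not part of the original thread: a small Python model of a filter that matches only on protocol, source and destination port, run against the ACL from post 1 and the "permit ip" workaround from post 2. The implicit deny at the end of the list, the sample source addresses, and the names `Ace` and `evaluate` are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers: ICMP, TCP and UDP are peers carried directly in IP.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" (any IP protocol)
    src: str
    wildcard: str                # inverse mask: 1-bits are "don't care"
    dport: Optional[int] = None  # only meaningful for tcp/udp entries

    def matches(self, pkt_proto: int, pkt_src: str, pkt_dport: Optional[int]) -> bool:
        # A tcp/udp entry can never match protocol 1, whatever the port says.
        if self.proto != "ip" and PROTO[self.proto] != pkt_proto:
            return False
        care = ~_ip(self.wildcard) & 0xFFFFFFFF
        if (_ip(pkt_src) ^ _ip(self.src)) & care:
            return False
        return self.dport is None or self.dport == pkt_dport


def evaluate(acl, pkt_proto: int, pkt_src: str, pkt_dport: Optional[int] = None) -> str:
    for ace in acl:              # first match wins
        if ace.matches(pkt_proto, pkt_src, pkt_dport):
            return ace.action
    return "deny"                # assumption: implicit deny at the end of the ACL


NET, WILD = "10.0.0.0", "0.255.255.255"
# The four entries from post 1 (TACACS+, TFTP, syslog, SNMP).
ACL_POST1 = [
    Ace("permit", "tcp", NET, WILD, 49),
    Ace("permit", "udp", NET, WILD, 69),
    Ace("permit", "udp", NET, WILD, 514),
    Ace("permit", "udp", NET, WILD, 161),
]
# Post 2's workaround: allow the whole IP stack from the same source range.
ACL_WORKAROUND = ACL_POST1 + [Ace("permit", "ip", NET, WILD)]

if __name__ == "__main__":
    print("ICMP, post 1 ACL:      ", evaluate(ACL_POST1, PROTO["icmp"], "10.1.2.3"))
    print("ICMP, workaround:      ", evaluate(ACL_WORKAROUND, PROTO["icmp"], "10.1.2.3"))
    print("TCP/23, workaround:    ", evaluate(ACL_WORKAROUND, PROTO["tcp"], "10.1.2.3", 23))
```

The last line shows the cost of the workaround: permitting `ip` to let ICMP through also permits every other TCP and UDP port from the same source range.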


  • 5.  RE: Permit ICMP in ACL

    Posted Oct 19, 2004 11:16 PM
    Hey IT.

    Yes, I know that, but when I look at how ACLs are built in HP there is no option for denying or permitting ICMP. However, I have done this only for Cisco routers, so if somebody knows how to permit that traffic, plz share the info :)


  • 6.  RE: Permit ICMP in ACL

    Posted Oct 19, 2004 11:49 PM
    Thanks for your replies,

    I also think that the syntax should be something like:

    permit icmp x.x.x.x x.x.x.x

    Does anyone know if HP is planning to introduce this in a future firmware release?

    /Marcus


  • 7.  RE: Permit ICMP in ACL

    Posted Oct 19, 2004 11:53 PM
    Hi Marcus,

    I wouldn't count on it, but as a workaround take a look at the "IP ICMP ..." configure-mode command in the CLI. There's a couple of things to configure there, but I haven't really looked into it myself. Who knows, maybe you'll find something for your needs...?


  • 8.  RE: Permit ICMP in ACL

    Posted Oct 21, 2004 02:06 AM
    The "ip icmp" commands are just for global ICMP parameters.

    Does anyone know if HP is planning ACLs with ICMP support in future software releases?

    /Marcus


  • 9.  RE: Permit ICMP in ACL

    Posted Oct 21, 2004 02:31 AM
    I hope they will, but also I think that HP has drawn a line here between switch and router. So you need to install one border router in your network to get this feature.