topic Re: Block large ICMP packets in Switches, Hubs, and Modems

Block large ICMP packets

Mathew Idiculla — Sun, 17 Jun 2007 04:00:13 GMT

I have a 9308m switch configured with VLANs.

I want to drop ICMP packets beyond certain size, such as 128 bytes. Is there any way I can do this.

Re: Block large ICMP packets

Matt Hobbs — Mon, 18 Jun 2007 01:14:11 GMT

Looks like you can do this:

The ip-pkt-len parameter enables you to filter ICMP packets based on the IP packet length. This parameter matches on the total length field in the IP header of ICMP packets. The IP packet length value can be from 1 -65535.

NOTE: This parameter is supported in software release 07.7.00 and later, and applies only if you specified icmp as the value.

Re: Block large ICMP packets

Mathew Idiculla — Mon, 18 Jun 2007 01:22:16 GMT

I have tried this solution but firstly it isn't working and secondly i think this parameter needs an exact value and we cannot specify a range or operators such as greater than.

Re: Block large ICMP packets

Matt Hobbs — Mon, 18 Jun 2007 01:31:40 GMT

What's the exact ACL syntax you've tried?

I agree it looks like you can't specify a range, the only way I can think of doing this is to specifically permit from 1 through to 128 on separate lines, and then a deny icmp at the end.

Re: Block large ICMP packets

OLARU Dan — Mon, 18 Jun 2007 01:53:19 GMT

You mght try something like in the ACL (note : this from Cisco IOS, but might find something equivalent for the 9308m):

permit icmp host x.x.x.x host y.y.y.y ? administratively-prohibited ? option ?

(the question mark should give you the options available for each stage of the sub-command)

Re: Block large ICMP packets

Mathew Idiculla — Mon, 18 Jun 2007 04:17:31 GMT

i have used the following lines in the extended ACL

deny icmp any any any-icmp-type ip-pkt-len 33
permit icmp any any
permit ip any any

i have then applied it to a virtual interface of a VLAN both in the IN and OUT direction.

I then initiate a ping from another VLAN specifying the data as 33 bytes. (ping -l 33 xxx.xxx.xxx.xxx)

Is there any way to know, what will be the packet length information that the switch will find for the above ping command in Windows environment.

Re: Block large ICMP packets

Mathew Idiculla — Mon, 25 Jun 2007 23:30:23 GMT

I have some insight to this issue so thought will share it here.

There is no way to block a range of ICMP packets based on size.

We can specify a specific ICMP packet size using the ip-pkt-len parameter in an extended ACL.

For a standard Ping packet in Windows with 32 bytes of data is seen in the HP switch as 60 bytes with IP and ICMP header added.

Thanks to all who responded.