HPE Community
Switches, Hubs, and Modems
1751919 Members
5192 Online
108783 Solutions
New Discussion юеВ

Block large ICMP packets

 
Mathew Idiculla
New Member

тАО06-16-2007 09:00 PM

тАО06-16-2007 09:00 PM

Block large ICMP packets

I have a 9308m switch configured with VLANs.

I want to drop ICMP packets beyond certain size, such as 128 bytes. Is there any way I can do this.

0 Kudos
6 REPLIES 6
Matt Hobbs
Honored Contributor

тАО06-17-2007 06:14 PM

тАО06-17-2007 06:14 PM

Re: Block large ICMP packets

Looks like you can do this:

The ip-pkt-len parameter enables you to filter ICMP packets based on the IP packet length. This parameter matches on the total length field in the IP header of ICMP packets. The IP packet length value can be from 1 -65535.

NOTE: This parameter is supported in software release 07.7.00 and later, and applies only if you specified icmp as the value.
0 Kudos
Mathew Idiculla
New Member

тАО06-17-2007 06:22 PM

тАО06-17-2007 06:22 PM

Re: Block large ICMP packets

I have tried this solution but firstly it isn't working and secondly i think this parameter needs an exact value and we cannot specify a range or operators such as greater than.

0 Kudos
Matt Hobbs
Honored Contributor

тАО06-17-2007 06:31 PM

тАО06-17-2007 06:31 PM

Re: Block large ICMP packets

What's the exact ACL syntax you've tried?

I agree it looks like you can't specify a range, the only way I can think of doing this is to specifically permit from 1 through to 128 on separate lines, and then a deny icmp at the end.
0 Kudos
OLARU Dan
Trusted Contributor

тАО06-17-2007 06:53 PM

тАО06-17-2007 06:53 PM

Re: Block large ICMP packets

You mght try something like in the ACL (note : this from Cisco IOS, but might find something equivalent for the 9308m):

permit icmp host x.x.x.x host y.y.y.y ? administratively-prohibited ? option ?

(the question mark should give you the options available for each stage of the sub-command)
0 Kudos
Mathew Idiculla
New Member

тАО06-17-2007 09:17 PM

тАО06-17-2007 09:17 PM

Re: Block large ICMP packets

i have used the following lines in the extended ACL

deny icmp any any any-icmp-type ip-pkt-len 33
permit icmp any any
permit ip any any

i have then applied it to a virtual interface of a VLAN both in the IN and OUT direction.

I then initiate a ping from another VLAN specifying the data as 33 bytes. (ping -l 33 xxx.xxx.xxx.xxx)

Is there any way to know, what will be the packet length information that the switch will find for the above ping command in Windows environment.



0 Kudos
Mathew Idiculla
New Member

тАО06-25-2007 04:30 PM

тАО06-25-2007 04:30 PM

Re: Block large ICMP packets

I have some insight to this issue so thought will share it here.

There is no way to block a range of ICMP packets based on size.

We can specify a specific ICMP packet size using the ip-pkt-len parameter in an extended ACL.

For a standard Ping packet in Windows with 32 bytes of data is seen in the HP switch as 60 bytes with IP and ICMP header added.

Thanks to all who responded.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.