HPE Community
Switches, Hubs, and Modems
1752794 Members
7390 Online
108789 Solutions
New Discussion юеВ

Permit ICMP in ACL

 
Marcus_20
Frequent Advisor

тАО10-18-2004 07:59 PM

тАО10-18-2004 07:59 PM

Permit ICMP in ACL

Hi all,
My acl looks something like this

permit tcp 10.0.0.0 0.255.255.255 any eq 49
permit udp 10.0.0.0 0.255.255.255 any eq 69
permit udp 10.0.0.0 0.255.255.255 any eq 514
permit udp 10.0.0.0 0.255.255.255 any eq 161

Now, how do I permit ICMP traffic?

Im using a 5308xl with the latest firmware...

Best regards,
Marcus
0 Kudos
8 REPLIES 8
IT_7
Advisor

тАО10-19-2004 01:31 AM

тАО10-19-2004 01:31 AM

Re: Permit ICMP in ACL

Hi Marcus,

The use of ACLs is somewhat restricted. You can only distinct traffic based on src/dst, udp/tcp numbers and the whole IP stack.

That means you have to allow everything (ip) between the implied devices.

Rgds,
Rasmus
0 Kudos
Jarno Lepist├╢
Advisor

тАО10-19-2004 06:52 PM

тАО10-19-2004 06:52 PM

Re: Permit ICMP in ACL

In general it should go something like this:
permit tcp 10.0.0.0 0.255.255.255 eq icmp, but in hp acl does not support denying icmp traffic and you cant assing it to any ports cos icmp doesnt use any port.

Maybe future releases of hp firmware solve this issue.

Normaly icmp traffic is filtered by routers.
0 Kudos
IT_7
Advisor

тАО10-19-2004 08:07 PM

тАО10-19-2004 08:07 PM

Re: Permit ICMP in ACL

Hi Jarno,

The reason ICMP does not have a port number is because it is not a part of the TCP protocol, but a seperate protocol in the IP stack.
Therefore, this feature (if ever available from HP) would rather be something like:

permit ip blah blah blah ICMP
or simply
permit icmp ....

Rgds,
Rasmus
0 Kudos
Jarno Lepist├╢
Advisor

тАО10-19-2004 08:16 PM

тАО10-19-2004 08:16 PM

Re: Permit ICMP in ACL

Hey IT.

Yes i know that, but when i look how acl's are build in hp there is no option for denying or permitting icmp. However i have done this only for cisco routers so if somebody knows how to permit that traffic plz share the info :)
0 Kudos
Marcus_20
Frequent Advisor

тАО10-19-2004 08:48 PM

тАО10-19-2004 08:48 PM

Re: Permit ICMP in ACL

Thanks for your replys,

I also think that the syntax should be something like:

permit icmp x.x.x.x x.x.x.x

Does anyone know if HP is planning to introduce this in a future firmware release?

/Marcus
0 Kudos
IT_7
Advisor

тАО10-19-2004 08:52 PM

тАО10-19-2004 08:52 PM

Re: Permit ICMP in ACL

Hi Marcus,

I wouldn't count on it, but as a workaround take a look at the "IP ICMP ..." configure-mode command in the CLI. There's a couple of things to configure there, but I haven't really looked into it myself. Who knows, maybe you'll find something for your needs...?
0 Kudos
Marcus_20
Frequent Advisor

тАО10-20-2004 11:05 PM

тАО10-20-2004 11:05 PM

Re: Permit ICMP in ACL

The "ip icmp" commands are just for global icmp parameters.

Does anyone know if HP is planning acl's with icmp support in future software releases?

/Marcus
0 Kudos
Jarno Lepist├╢
Advisor

тАО10-20-2004 11:31 PM

тАО10-20-2004 11:31 PM

Re: Permit ICMP in ACL

I hope they will, but allso i think that HP has draw a line here between switch and router. So you need to install one border router in you network to get this feature.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.