Example - Avaya G250 Administration Manual

Example

The following example demonstrates the configuration of MSS notifications using ACL rules. In
this example, smurf packets (ICMP packets that are sent to a limited broadcast destination)
arriving at interface VLAN 203 are defined as a DoS attack to be reported in MSS notifications.
//create and enter the configuration mode of access control list 301:
G350-001(super)# ip access-control-list 301
//create and enter the configuration mode of ip rule 1:
G350-001(super-ACL 301/ip rule 1)# ip-rule 1
//set the rule criteria for the custom DoS classification:
//use dos-classification command to specify to report on receiving smurf
//packets (ICMP echo packets with limited broadcast destination address )
G350-001(super-ACL 301/ip rule 1)# dos-classification smurf
Done!
//apply predefined composite-operation deny-notify, which drops the packet and
//causes the gateway to send a trap when it drops the packet
G350-001(super-ACL 301)# composite-operation Deny-Notify
Done!
//specify that the ip rule applies to packets with this destination ip address.
G350-001(super-ACL 301/ip rule 1)# destination-ip 255.255.255.255 0.0.0.0
Done!
//Specify that the ip rule applies to ICMP packets
G350-001(super-ACL 301/ip rule 1)# ip-protocol icmp
Done!
G350-001(super-ACL 301/ip rule 1)# exit
G350-001(super-ACL 301)# show ip-rule
Index Protocol
DSCP
----- -------- --- ---------------- ----------- ------------ --------------
1 icmp
Any
Dos classification: smurf
Deflt Any
Any
G350-001(super-ACL 301)# exit
G350-001(super)# interface vlan 203
//activate Access Control list 301 for incoming packets on interface vlan 203:
G350-001(super-if:VLAN 203)# ip access-group 301 in
Done!
IP
Src Any
Dst 255.255.255.255
Src Any
Dst Any
Wildcard Port
Any Type
Host Any Code
Any
Any
Special security features
Operation
Fragment rule
Deny-Notify
No
Permit
No
Issue 5 June 2008 87