DELL S50V User Manual

IP Access Control Lists (ACL), Prefix Lists, and Route-maps
An egress ACL is used when users would like to restrict egress traffic. For example, when DoS attack traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow from exiting the box, thereby protecting downstream devices.

To create an egress ACL, use the ip access-group command (Figure 8-11) in the EXEC Privilege mode. This example also shows viewing the configuration, applying rules to the newly created access group, and viewing the access list.
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping session from the system, for example, and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.
Task                                                Command Syntax                                                Command Mode
Apply egress ACLs to IPv4 system traffic.           ip control-plane [egress filter]                              CONFIGURATION
Apply egress ACLs to IPv6 system traffic.           ipv6 control-plane [egress filter]                            CONFIGURATION
Create a Layer 3 ACL using permit rules with the    permit ip {source mask | any | host ip-address}               CONFIG-NACL
count option to describe the desired CPU traffic.   {destination mask | any | host ip-address} count
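The three rows of the table combined into one session, as an added example that is not taken from the Dell manual: the ACL name cp-egress, the interface gige 0/0, and the addresses 10.0.0.1 (the switch's own interface address) and 10.0.0.254 (a next hop the operator wants to reach) are assumed placeholders. The example assumes, as Figure 8-11 shows for ordinary egress ACLs, that the ACL is applied outbound on the interface with ip access-group ... out; ip control-plane egress filter is what makes that egress ACL apply to CPU-originated packets as well.

```text
FTOS#configure terminal
FTOS(conf)#ip access-list extended cp-egress
FTOS(config-ext-nacl)#permit ip host 10.0.0.1 host 10.0.0.254 count
FTOS(config-ext-nacl)#permit ip any any count
FTOS(config-ext-nacl)#exit
FTOS(conf)#ip control-plane egress filter
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group cp-egress out
FTOS(conf-if-gige0/0)#end
FTOS#ping 10.0.0.254
FTOS#show ip accounting access-list
```

The first permit rule matches exactly one flow (switch address to next hop), so its counter tracks only the packets of the ping being debugged; the trailing permit ip any any count catches every other CPU-generated or CPU-forwarded packet so that the debugging ACL never silently drops control-plane traffic such as routing-protocol updates. After the ping, show ip accounting access-list reports the hit counts: a rising count on the first rule shows the ping left the interface, a count that stays at zero points at a problem earlier in the path. Without ip control-plane egress filter the counters would not move, because CPU-originated packets bypass egress ACLs by default.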
Figure 8-11.  Creating an Egress ACL

FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd out        <-- Use the "out" keyword to specify egress.
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
 no ip address
 ip access-group abcd out
 no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd               <-- Begin applying rules to the ACL named "abcd."
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list                   <-- View the access-list.
!
Extended Ingress IP access list abcd on gigethernet 0/0
 seq 5 permit tcp any any
 seq 10 deny icmp any any
 permit 1.1.1.2