DELL N3000 User Manual

Configuring Access Control Lists
interface range gi1/0/24-48
ip access-group deny-ftp in
exit
Allow FTP Traffic Only to an FTP Server
This ACL limits traffic from a router to a directly connected FTP server (172.16.0.5) on gi1/0/11. Notice that this is an “out” ACL: traffic to the router from the FTP server is not affected by this rule. Traffic from the router to the FTP server is limited to ICMP and packets destined to the FTP ports. There is no need to add permit rules for all the protocols the router can send to the host (e.g., ARP, ICMP, LLDP, etc.), because internally generated packets are not limited by ACLs. Routing must be enabled to process ARPs, or they must be allowed by an explicit rule. We allow ICMP from remote hosts so that the FTP server can receive ICMP feedback from clients utilizing the FTP service. A better implementation would narrow the scope of the ICMP rule to eliminate ICMP messages not required for the FTP service, e.g., echo, echo-reply, redirect, timestamp, etc.
ip access-list allow-ftp-server
permit tcp any host 172.16.0.5 eq ftp-data flag established
permit tcp any host 172.16.0.5 eq ftp
permit icmp any any
exit
interface gi1/0/11
ip access-group allow-ftp-server out
exit
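To see what the allow-ftp-server list actually admits, here is a small first-match evaluator of the ACL semantics used on this page (ordered rules, implicit deny at the end), applied to the three rules above. This is an added example, not code from the Dell manual; the packets are constructed, and it assumes that “flag established” matches TCP segments with ACK or RST set.

```python
# Added example: first-match evaluation of the manual's allow-ftp-server
# ACL. Not Dell code; packets below are constructed for illustration.

FTP_SERVER = "172.16.0.5"   # address used in the manual's example

# Rule fields: action, protocol ("tcp", "icmp" or "every"), destination host
# (None = any), destination port (None = any), established-only flag.
ALLOW_FTP_SERVER = [
    ("permit", "tcp", FTP_SERVER, 20, True),    # eq ftp-data flag established
    ("permit", "tcp", FTP_SERVER, 21, False),   # eq ftp
    ("permit", "icmp", None, None, False),      # permit icmp any any
    # every Dell ACL ends with an implicit "deny every"
]

def matches(rule, pkt):
    action, proto, dst, port, established = rule
    if proto != "every" and pkt["proto"] != proto:
        return False
    if dst is not None and pkt["dst"] != dst:
        return False
    if port is not None and pkt.get("dport") != port:
        return False
    # Assumption: "established" means ACK or RST is set, i.e. the segment
    # belongs to a connection that was already opened from the other side.
    if established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def tcp(dst, dport, *flags):
    return {"proto": "tcp", "dst": dst, "dport": dport, "flags": set(flags)}

# Constructed traffic leaving gi1/0/11 toward the server (the "out" direction).
CASES = {
    "client SYN to the control port (21)": tcp(FTP_SERVER, 21, "SYN"),
    "client ACK on active-mode data connection opened by the server (20)":
        tcp(FTP_SERVER, 20, "ACK"),
    "client SYN to port 20 (no established flag)": tcp(FTP_SERVER, 20, "SYN"),
    "client SYN to a passive-mode data port": tcp(FTP_SERVER, 50000, "SYN"),
    "SSH to the server": tcp(FTP_SERVER, 22, "SYN"),
    "ICMP to the server": {"proto": "icmp", "dst": FTP_SERVER},
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{evaluate(ALLOW_FTP_SERVER, pkt):6s}  {name}")
```

The run shows why the ftp-data rule only needs established segments: in active mode the server opens the data connection from port 20 itself, so only the client's acknowledgements travel toward port 20. It also shows that a client SYN to any unlisted port, including a passive-mode data port, falls through to the implicit deny.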
Block Incoming Pings
ip access-list no-ping
deny icmp any any icmp-message echo
permit every 
exit
interface gi1/0/1
ip access-group no-ping in
exit
Block Incoming Pings and Responses
This example configures an ACL that blocks incoming pings and ping responses. Since packets generated by the CPU are not affected by ACLs, to block pinging from the switch we add a rule to block the ping responses.