Administrator Guide
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Applying Layer 3 Egress ACLs on Control-Plane Traffic
By default, packets originated from the system are not filtered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL
does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing
control-plane ACLs for CPU-generated and CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow
basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.
1. Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2. Apply Egress ACLs to IPv6 system traffic.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
CONFIG-NACL mode
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address}
count
Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP)
packets are not affected when you enable egress ACL filtering for CPU traffic. Packets sent by the CPU with the source address as the
VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL entries.
1. Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL Filter.
2. Apply the ACL as an inbound or outbound ACL on an interface. Refer to Applying an IP ACL.
3. show ip accounting access-list
EXEC Privilege mode
View the number of packets matching the ACL.
IP Prefix Lists
IP prefix lists are supported to control routing policy.
An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to
process routes. The filters are processed in sequence so that if a route prefix does not match the criterion in the first filter, the second
filter (if configured) is applied. When the route prefix matches a filter, the system drops or forwards the packet based on the filter’s
designated action. If the route prefix does not match any of the filters in the prefix list, the route is dropped (that is, implicit deny).
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route prefix is A.B.C.D/X where
A.B.C.D is a dotted-decimal address and /X is the number of bits that should be matched of the dotted decimal address. For example, in
112.24.0.0/16, the first 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.
The following examples show permit or deny filters for specific routes using the le and ge parameters, where x.x.x.x/x represents a route
prefix:
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8.
• To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8.
• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24.
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20.
Access Control Lists (ACLs)
117