Users Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

121

122

123

124

125

126

127

128

129

130

To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show

running-config command in EXEC mode.

Example of Viewing ACLs Applied to an Interface

Dell(conf-if)#show conf

interface TengigabitEthernet 0/0

ip address 10.2.1.100 255.255.255.0

ip access-group nimule in

no shutdown

Dell(conf-if)#

To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.

Applying Ingress ACLs on the Port Extender

Ingress ACLs are applied to port extender interfaces and to traffic entering the system.

These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing

target traffic, it is a simpler implementation.

To create an ingress ACL, use the ip access-group command in EXEC Privilege mode. The example shows applying the

ACL, rules to the newly created access group, and viewing the access list.

Example of Applying ACL Rules to Ingress Traffic and Viewing ACL Configuration

To specify ingress, use the in keyword. Begin applying rules to the ACL with the ip access-list extended abcd

command. To view the access-list, use the show command.

Dell(conf)#interface pegigE 1/0/0

Dell(conf-if-pegi-1/0/0)#ip access-group abcd in

Dell(conf-if-pegi-1/0/0)#show config

pegig 1/0/0

no ip address

ip access-group abcd in

no shutdown

Dell(conf-if-pegi-1/0/0)#end

Dell#configure terminal

Dell(conf)#

ip access-list extended abcd

Dell(config-ext-nacl)#permit tcp any any

Dell(config-ext-nacl)#deny icmp any any

Dell(config-ext-nacl)#permit 1.1.1.2

Dell(config-ext-nacl)#end

Dell#

show ip accounting access-list

Extended Ingress IP access list abcd on pegigE 1/0/0

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Applying Egress ACLs

Egress ACLs are supported on interfaces and affect the traffic leaving the system.

Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental —

by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs onto each interface

and achieves the same results. By localizing target traffic, it is a simpler implementation.

To restrict egress traffic, use an egress ACL. For example, when a direct operating system (DOS) attack traffic is isolated to a

specific interface, you can apply an egress ACL to block the flow from the exiting the box, thus protecting downstream devices.

Access Control Lists (ACLs) 122