Users Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

121

122

123

124

125

126

127

128

129

130

Applying Egress ACLs

Egress ACLs are supported on interfaces and affect the traffic leaving the system.

Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by

explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the

same results. By localizing target traffic, it is a simpler implementation.

To restrict egress traffic, use an egress ACL. For example, when a direct operating system (DOS) attack traffic is isolated to a specific

interface, you can apply an egress ACL to block the flow from the exiting the box, thus protecting downstream devices.

To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the configuration,

applying rules to the newly created access group, and viewing the access list.

Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration

To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To

view the access-list, use the show command.

Dell(conf)#interface gige 0/0

Dell(conf-if-gige0/0)#ip access-group abcd out

Dell(conf-if-gige0/0)#show config

gigethernet 0/0

no ip address

ip access-group abcd out

no shutdown

Dell(conf-if-gige0/0)#end

Dell#configure terminal

Dell(conf)#

ip access-list extended abcd

Dell(config-ext-nacl)#permit tcp any any

Dell(config-ext-nacl)#deny icmp any any

Dell(config-ext-nacl)#permit 1.1.1.2

Dell(config-ext-nacl)#end

Dell#

show ip accounting access-list

Extended Ingress IP access list abcd on gigethernet 0/0

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Applying Layer 3 Egress ACLs on Control-Plane Traffic

By default, packets originated from the system are not filtered by egress ACLs.

For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL

does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing

control-plane ACLs for CPU-generated and CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow

basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.

1 Apply Egress ACLs to IPv4 system traffic.

CONFIGURATION mode

ip control-plane [egress filter]

2 Apply Egress ACLs to IPv6 system traffic.

CONFIGURATION mode

ipv6 control-plane [egress filter]

3 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.

Access Control Lists (ACLs)

127