Users Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

131

132

133

134

135

136

137

138

139

140

Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration

To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list

extended abcd command. To view the access-list, use the show command.

Dell(conf)#interface gige 0/0

Dell(conf-if-gige0/0)#

ip access-group abcd out

Dell(conf-if-gige0/0)#show config

gigethernet 0/0

no ip address

ip access-group abcd out

no shutdown

Dell(conf-if-gige0/0)#end

Dell#configure terminal

Dell(conf)#

ip access-list extended abcd

Dell(config-ext-nacl)#permit tcp any any

Dell(config-ext-nacl)#deny icmp any any

Dell(config-ext-nacl)#permit 1.1.1.2

Dell(config-ext-nacl)#end

Dell#

show ip accounting access-list

Extended Ingress IP access list abcd on gigethernet 0/0

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Applying Layer 3 Egress ACLs on Control-Plane Traffic

By default, packets originated from the system are not filtered by egress ACLs.

For example, if you initiate a ping session from the system and apply an egress ACL to block this type of

traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL

feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and

CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis

whether CPU-generated and CPU-forwarded packets were transmitted successfully.

1. Apply Egress ACLs to IPv4 system traffic.

CONFIGURATION mode

ip control-plane [egress filter]

2. Apply Egress ACLs to IPv6 system traffic.

CONFIGURATION mode

ipv6 control-plane [egress filter]

3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.

CONFIG-NACL mode

permit ip {source mask | any | host ip-address} {destination mask | any |

host ip-address} count

Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group

management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU

traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface

MAC address instead of VRRP virtual MAC address.

136

Access Control Lists (ACLs)