Concept Guide

ManualsBrandsDell ManualsAccess PlatformsFN IO Module

121

122

123

124

125

126

127

128

129

130

To restrict egress trac, use an egress ACL. For example, when a direct operating system (DOS) attack trac is isolated to a specic

interface, you can apply an egress ACL to block the ow from the exiting the box, thus protecting downstream devices.

To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the conguration,

applying rules to the newly created access group, and viewing the access list.

Example of Applying ACL Rules to Egress Trac and Viewing ACL Conguration

To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To

view the access-list, use the

show command.

Dell(conf)#interface tengig 0/0

Dell(conf-if-tengig0/0)#ip access-group abcd out

Dell(conf-if-tengig0/0)#show config

tengigethernet 0/0

no ip address

ip access-group abcd out

no shutdown

Dell(conf-if-tengig0/0)#end

Dell#configure terminal

Dell(conf)#ip access-list extended

abcd

Dell(conf-ext-nacl)#permit tcp any any

Dell(conf-ext-nacl)#deny icmp any any

Dell(conf-ext-nacl)#permit 1.1.1.2

Dell(conf-ext-nacl)#end

Dell#show ip accounting access-list

Extended Ingress IP access list abcd on tengigethernet 0/0

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Applying Egress Layer 3 ACLs (Control-Plane)

By default, packets originated from the system are not ltered by egress ACLs.

For example, if you initiate a ping session from the system and apply an egress ACL to block this type of trac on the interface, the ACL

does not aect that ping trac. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing

control-plane ACLs for CPU-generated and CPU-forwarded trac. Using permit rules with the count option, you can track on a per-ow

basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.

1 Apply Egress ACLs to IPv4 system trac.

CONFIGURATION mode

ip control-plane [egress filter]

2 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU trac.

CONFIG-NACL mode

permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address}

count

Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets

are not aected when you enable egress ACL ltering for CPU trac. Packets sent by the CPU with the source address as the VRRP

virtual IP address have the interface MAC address instead of VRRP virtual MAC address.

IP Prex Lists

IP prex lists control routing policy.

An IP prex list is a series of sequential lters that contain a matching criterion (examine IP route prex) and an action (permit or deny) to

process routes. The lters are processed in sequence so that if a route prex does not match the criterion in the rst lter, the second lter

122

Access Control Lists (ACLs)