Reference Guide

148 | IP Access Control Lists (ACL), Prefix Lists, and Route-maps
www.dell.com | support.dell.com
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping session from the system, for example, and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.
Configuring ACLs to Loopback
ACLs can be applied on Loopback interfaces (supported on platform e).
Applying ACLs to a loopback interface filters the traffic that reaches the CPU and protects the system infrastructure from attack, malicious and incidental, by explicitly allowing only authorized traffic.
The ACLs on loopback interfaces are applied only to the CPU on the RPM; this eliminates the need to apply specific ACLs to all ingress interfaces and achieves the same result. Because the target traffic is localized, the implementation is simpler.
The ACLs target and handle Layer 3 traffic destined to terminate on the system, including routing protocols, remote access, SNMP, ICMP, and so on. Effective filtering of Layer 3 traffic from Layer 3 routers reduces the risk of attack.
Loopback interfaces do not support ACLs that use the IP fragments option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM.
Refer also to Loopback Interfaces in the Interfaces chapter.
Task                                                      Command Syntax                                                 Command Mode
Apply Egress ACLs to IPv4 system traffic.                 ip control-plane [egress filter]                               CONFIGURATION
Apply Egress ACLs to IPv6 system traffic.                 ipv6 control-plane [egress filter]                             CONFIGURATION
Create a Layer 3 ACL using permit rules with the count    permit ip {source mask | any | host ip-address}                CONFIG-NACL
option to describe the desired CPU traffic.               {destination mask | any | host ip-address} count
FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is enabled. Packets sent by the CPU with the VRRP virtual IP address as the source address carry the interface MAC address instead of the VRRP virtual MAC address.
Note: Loopback ACLs are supported only on ingress traffic.
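The three caveats in this section (permit rules need the count option to track CPU-generated flows, the fragments option is accepted but not installed in CAM on a loopback interface, and loopback ACLs are ingress-only) all fail silently in a running configuration. The following Python script is an added example, not code from this guide or from Dell: it parses a constructed FTOS-style configuration and reports those three conditions. The configuration text is constructed for the example; the `ip access-group name {in | out}` interface syntax, the `seq n permit|deny ...` rule form and the `fragments` rule keyword are assumed from general FTOS usage rather than taken from this page.

```python
"""Audit an FTOS-style configuration for the control-plane and loopback ACL
caveats described above.  Added example; the config below is constructed and
the interface/rule syntax is assumed, not quoted from the guide."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample configuration (not from the guide).  It deliberately
# contains one instance of each caveat so that audit() has something to report.
SAMPLE_CONFIG = """\
ip access-list extended CPU-TRAFFIC
 seq 5 permit ip any host 10.0.0.1 count
 seq 10 permit ip host 10.0.0.2 any
!
ip access-list extended LOOPBACK-PROTECT
 seq 5 permit ip 10.0.0.0/24 any count
 seq 10 deny ip any any fragments
 seq 15 deny ip any any
!
interface GigabitEthernet 0/1
 ip address 192.0.2.1/30
 ip access-group CPU-TRAFFIC out
!
interface Loopback 0
 ip address 10.0.0.1/32
 ip access-group LOOPBACK-PROTECT in
 ip access-group CPU-TRAFFIC out
!
ip control-plane egress filter
"""


@dataclass
class Rule:
    seq: int
    action: str   # "permit" or "deny"
    text: str     # everything after the action, e.g. "ip any any count"

    @property
    def has_count(self) -> bool:
        return re.search(r"\bcount\b", self.text) is not None

    @property
    def has_fragments(self) -> bool:
        return re.search(r"\bfragments\b", self.text) is not None


def parse_config(config: str):
    """Return (acls, interfaces, control_plane).

    acls:          {acl_name: [Rule, ...]}
    interfaces:    {interface_name: [(acl_name, direction), ...]}
    control_plane: address families ("ip"/"ipv6") with egress filtering enabled
    """
    acls: dict[str, list[Rule]] = {}
    interfaces: dict[str, list[tuple[str, str]]] = {}
    control_plane: set[str] = set()
    section = None  # ("acl", name) or ("intf", name) while inside an indented block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            section = None
            continue
        if not line.startswith(" "):          # top-level (unindented) command
            section = None
            m = re.match(r"(ip|ipv6) access-list (?:standard|extended) (\S+)$", line)
            if m:
                section = ("acl", m.group(2))
                acls.setdefault(m.group(2), [])
                continue
            m = re.match(r"interface (.+)$", line)
            if m:
                section = ("intf", m.group(1))
                interfaces.setdefault(m.group(1), [])
                continue
            m = re.match(r"(ip|ipv6) control-plane egress filter$", line)
            if m:
                control_plane.add(m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        body = line.strip()
        if kind == "acl":
            m = re.match(r"seq (\d+) (permit|deny) (.*)$", body)
            if m:
                acls[name].append(Rule(int(m.group(1)), m.group(2), m.group(3)))
        elif kind == "intf":
            m = re.match(r"(?:ip|ipv6) access-group (\S+) (in|out)$", body)
            if m:
                interfaces[name].append((m.group(1), m.group(2)))
    return acls, interfaces, control_plane


def audit(config: str) -> list[str]:
    """Report the silent misconfigurations described in this section."""
    acls, interfaces, control_plane = parse_config(config)
    findings: list[str] = []
    egress_acls: set[str] = set()
    for intf, bindings in interfaces.items():
        is_loopback = intf.lower().startswith("loopback")
        for acl_name, direction in bindings:
            if direction == "out":
                egress_acls.add(acl_name)
                if is_loopback:
                    findings.append(f"{intf}: ACL {acl_name} applied outbound, but "
                                    "loopback ACLs are supported only on ingress traffic")
            if is_loopback:
                for rule in acls.get(acl_name, []):
                    if rule.has_fragments:
                        findings.append(f"{intf}: ACL {acl_name} seq {rule.seq} uses 'fragments'; "
                                        "the command is accepted but the rule is not installed in CAM")
    # With control-plane egress filtering on, only permit rules carrying 'count'
    # give per-flow evidence that CPU-generated packets were transmitted.
    if control_plane:
        for acl_name in sorted(egress_acls):
            for rule in acls.get(acl_name, []):
                if rule.action == "permit" and not rule.has_count:
                    findings.append(f"ACL {acl_name} seq {rule.seq}: permit without 'count'; "
                                    "CPU-generated hits for this flow cannot be tracked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config` instead of `SAMPLE_CONFIG` to check a real device; each finding names the interface, ACL and sequence number so the rule can be corrected or, for the fragments case, moved to the ingress interfaces where it is actually installed.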