Reference Guide
IP Access Control Lists (ACL), Prefix Lists, and Route-maps | 147
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2
Configuring Egress ACLs
Layer 2 and Layer 3 ACLs are supported on platform e
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs
onto physical interfaces protects the system infrastructure from attack—malicious and incidental—by
explicitly allowing only authorized traffic.These system-wide ACLs eliminate the need to apply ACLs
onto each interface and achieves the same results. By localizing target traffic, it is a simpler
implementation.
An egress ACL is used when users would like to restrict egress traffic. For example, when a DOS attack
traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow
from exiting the box, thereby protecting downstream devices.
To create an egress ACLs, use the
ip access-group command in the EXEC Privilege mode. This example
also shows viewing the configuration, applying rules to the newly created access group, and viewing the
access list:
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd out
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2