Configuration manual
IP Access Control Lists (ACL), Prefix Lists, and Route-maps | 151
Configuring Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system.These system-wide ACLs
eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target
traffic, it is a simpler implementation.
To create an ingress ACLs, use the
ip access-group command (Figure 233) in the EXEC Privilege mode.
This example also shows applying the ACL, applying rules to the newly created access group, and viewing
the access list:
Figure 8-10. Creating an Ingress ACL
Configuring Egress ACLs
Layer 2 and Layer 3 ACLs are supported on platform e
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs
onto physical interfaces protects the system infrastructure from attack—malicious and incidental—by
explicitly allowing only authorized traffic.These system-wide ACLs eliminate the need to apply ACLs
onto each interface and achieves the same results. By localizing target traffic, it is a simpler
implementation.
3 View the number of packets matching the ACL using the show ip accounting access-list from EXEC
Privilege mode.
Step Task
Force10(conf)#interface gige 0/0
Force10(conf-if-gige0/0)#ip access-group abcd in
Force10(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd in
no shutdown
Force10(conf-if-gige0/0)#end
Force10#configure terminal
Force10(conf)#ip access-list extended abcd
Force10(config-ext-nacl)#permit tcp any any
Force10(config-ext-nacl)#deny icmp any any
Force10(config-ext-nacl)#permit 1.1.1.2
Force10(config-ext-nacl)#end
Force10#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2
Use the “in” keyword
to specify ingress.
Begin applying rules to
the ACL named
“abcd.”
View the access-list.