Reference Guide

You can use an egress ACL filter to restrict egress traffic. For example, when a denial of service (DOS) attack traffic is isolated to a specific
interface, apply an egress ACL filter to block the flow from exiting the network and thus protect downstream devices.
1 Apply an access-list on the interface with egress direction in INTERFACE mode.
ip access-group access-group-name out
2 Return to CONFIGURATION mode.
exit
3 Create the access-list in CONFIGURATION mode.
ip access-list access-list-name
4 Create the rules for the access-list in ACCESS-LIST mode.
seq 10 deny ip any any count fragment
Apply rules to ACL filter
OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# ip access-group egress out
OS10(conf-if-eth1/1/29)# exit
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment
View IP ACL filter configuration
OS10# show ip access-lists out
Egress IP access-list abcd
Active on interfaces :
ethernet1/1/29
seq 10 deny ip any any fragment count (100 packets)
Clear access-list counters
Clear IPv4, IPv6, or MAC access-list counters for a specific access-list or all lists. The counter counts the number of packets that match
each permit or deny statement in an access-list. To get a more recent count of packets matching an access-list, clear the counters to start
at zero. If you do not configure an access-list name, all IP access-list counters clear.
To view access-list information, use the show access-lists command.
Clear IPv4 access-list counters in EXEC mode.
clear ip access-list counters access-list-name
Clear IPv6 access-list counters in EXEC mode.
clear ipv6 access-list counters access-list-name
Clear MAC access-list counters in EXEC mode.
clear mac access-list counters access-list-name
IP prex-lists
IP prex-lists control the routing policy. An IP prex-list is a series of sequential lters that contain a matching criterion and an permit or
deny action to process routes. The lters process in sequence so that if a route prex does not match the criterion in the rst lter, the
second lter applies, and so on.
A route prex is an IP address pattern that matches on bits within the IP address. The format of a route prex is A.B.C.D/x, where
A.B.C.D is a dotted-decimal address and /x is the number of bits that match the dotted decimal address.
When the route prex matches a lter, the system drops or forwards the packet based on the lter’s designated action. If the route prex
does not match any of the lters in the prex-list, the route drops (implicit deny).
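The following is an added example, not part of the reference guide or of OS10 itself, that models the sequential first-match evaluation and implicit deny described above so you can check what a prefix-list will do to a route before you apply it. It assumes the usual exact-length match when no length range is given, and it also accepts ge/le length ranges, which this page does not cover; the rules and routes are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PrefixRule:
    seq: int
    action: str            # "permit" or "deny"
    prefix: str            # A.B.C.D/x as written in the filter
    ge: Optional[int] = None  # optional minimum route length (assumption: ge/le semantics)
    le: Optional[int] = None  # optional maximum route length

def rule_matches(rule: PrefixRule, route: str) -> bool:
    """True if the route's leading /x bits equal the filter's and its length is allowed."""
    net = ipaddress.ip_network(rule.prefix, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    if rt.version != net.version or not rt.subnet_of(net):
        return False
    # Without ge/le the route length must equal the filter length (exact match).
    lo = rule.ge if rule.ge is not None else net.prefixlen
    hi = rule.le if rule.le is not None else net.prefixlen
    if rule.ge is not None and rule.le is None:
        hi = net.max_prefixlen          # "ge N" alone allows anything up to a host route
    return lo <= rt.prefixlen <= hi

def evaluate(rules: List[PrefixRule], route: str) -> Tuple[str, Optional[int]]:
    """Walk the filters in seq order; first match wins, otherwise implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, route):
            return rule.action, rule.seq
    return "deny", None                 # no filter matched: implicit deny

# Constructed sample prefix-list (not from the guide).
RULES = [
    PrefixRule(10, "deny", "192.168.0.0/16", le=32),      # any 192.168.x.x prefix, /16..32
    PrefixRule(20, "permit", "203.0.113.0/24"),           # exactly 203.0.113.0/24
    PrefixRule(30, "permit", "198.51.100.0/24", ge=25, le=28),
]

if __name__ == "__main__":
    for route in ("192.168.10.0/24", "203.0.113.0/24", "203.0.113.0/25",
                  "198.51.100.64/26", "198.51.100.0/24", "0.0.0.0/0"):
        action, seq = evaluate(RULES, route)
        where = f"seq {seq}" if seq is not None else "implicit deny"
        print(f"{route:18} -> {action:6} ({where})")
```

Routes that fall through every filter land on the implicit deny, which is why a prefix-list that should pass unlisted routes needs an explicit permit at the end.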
Access Control Lists
599