Users Guide

seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Dell#configure terminal
Dell(conf)#interface te 1/2
Dell(conf-if-te-1/2)#ip vrf forwarding blue
Dell(conf-if-te-1/2)#show config
!
interface TenGigabitEthernet 1/2
ip vrf forwarding blue
no ip address
shutdown
Dell(conf-if-te-1/2)#
Dell(conf-if-te-1/2)#
Dell(conf-if-te-1/2)#end
Dell#
Applying Egress Layer 3 ACLs (Control-Plane)
By default, packets originated from the system are not filtered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the
ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by
implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic. Using permit rules with the count option, you can
track on a per-flow basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.
NOTE: The ip control-plane [egress filter] and the ipv6 control-plane [egress filter]
commands are not supported.
1. Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2. Apply Egress ACLs to IPv6 system traffic.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
CONFIG-NACL mode
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count
FTOS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not
affected when you enable egress ACL filtering for CPU traffic. Packets sent by the CPU with the source address as the VRRP virtual
IP address have the interface MAC address instead of the VRRP virtual MAC address.
IP Prex Lists
IP prex lists control routing policy. An IP prex list is a series of sequential lters that contain a matching criterion (examine IP route
prex) and an action (permit or deny) to process routes. The lters are processed in sequence so that if a route prex does not
match the criterion in the rst lter, the second lter (if congured) is applied. When the route prex matches a lter, Dell
Networking OS drops or forwards the packet based on the lter’s designated action. If the route prex does not match any of the
lters in the prex list, the route is dropped (that is, implicit deny).
A route prex is an IP address pattern that matches on bits within the IP address. The format of a route prex is A.B.C.D/X where
A.B.C.D is a dotted-decimal address and /X is the number of bits that should be matched of the dotted decimal address. For
example, in 112.24.0.0/16, the rst 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.
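The sequential evaluation and A.B.C.D/X matching described above, as an added Python illustration that is not Dell Networking OS code: filters are tried in sequence order, the first match decides, and a route that matches nothing is implicitly denied. Matching is modelled the way the paragraph describes it (the filter's first X bits compared against the route's address); the prefix-length qualifiers of a production prefix list are not modelled, and the sample prefix list is constructed.

```python
def to_int(dotted):
    """Convert a dotted-decimal IPv4 address to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """Inverse of to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_prefix(text):
    """Split 'A.B.C.D/X' into (network as int, mask as int, X)."""
    addr, _, length = text.partition("/")
    bits = int(length) if length else 32
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length in {text}")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return to_int(addr) & mask, mask, bits

def prefix_range(text):
    """First and last dotted addresses whose leading X bits equal A.B.C.D/X."""
    net, mask, _ = parse_prefix(text)
    return to_dotted(net), to_dotted(net | (~mask & 0xFFFFFFFF))

def matches(filter_prefix, route_prefix):
    """True when the filter's first X bits equal the route's leading bits."""
    f_net, f_mask, _ = parse_prefix(filter_prefix)
    r_net, _, _ = parse_prefix(route_prefix)
    return (r_net & f_mask) == f_net

def evaluate(prefix_list, route_prefix):
    """Walk the filters in sequence order; the first match decides.
    Returns (action, seq); seq is None for the implicit deny."""
    for seq, action, filter_prefix in sorted(prefix_list):
        if matches(filter_prefix, route_prefix):
            return action, seq
    return "deny", None  # implicit deny: no filter matched

# Constructed sample prefix list: (sequence number, action, prefix).
PREFIX_LIST = [
    (5, "permit", "112.24.0.0/16"),  # covers 112.24.0.0 - 112.24.255.255
    (10, "deny", "10.0.0.0/8"),
    (15, "permit", "10.1.0.0/16"),   # never reached: seq 10 already matches 10.1.x.x
]

if __name__ == "__main__":
    print(prefix_range("112.24.0.0/16"))
    for route in ("112.24.3.0/24", "10.1.2.0/24", "192.168.0.0/24"):
        print(route, evaluate(PREFIX_LIST, route))
```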
Access Control Lists (ACLs)