Reference Guide
128 | Access Control Lists (ACLs)
www.dell.com | support.dell.com
Figure 7-15. Creating an Ingress ACL
Configuring Egress ACLs
Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack—
malicious and incidental—by explicitly allowing only authorized traffic.These system-wide ACLs
eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target
traffic, it is a simpler implementation.
Use an egress ACL when you would like to restrict egress traffic. For example, when a DOS attack traffic
is isolated to one particular interface, you can apply an egress ACL to block that particular flow from
exiting the box, thereby protecting downstream devices.
To create an egress ACLs, use the
ip access-group command in the EXEC Privilege mode (Figure 7-16).
This example also shows viewing the configuration, applying rules to the newly created access group, and
viewing the access list:
FTOS(conf)#interface tengig 0/0
FTOS(conf-if-te-0/0)#ip access-group abcd in
FTOS(conf-if-te-0/0)#show config
!
TengigabitEthernet 0/0
no ip address
ip access-group abcd in
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on tengig 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Use the “in” keyword
to specify ingress.
Begin applying rules to
the ACL named
“abcd.”
View the access-list.