Reference Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5000

131

132

133

134

135

136

137

138

139

140

Dell(config-ext-nacl)#deny icmp any any

Dell(config-ext-nacl)#permit 1.1.1.2

Dell(config-ext-nacl)#end

Dell#show ip accounting access-list

Extended Ingress IP access list abcd on tengigEthernet 0/0

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Applying Egress Layer 3 ACLs (Control-Plane)

By default, egress ACLs do not filter packets originated from the system.

For example, if you initiate a ping session from the system and apply an egress ACL to block this type of

traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL

feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and

CPU-forwarded traffic. Using permit rules with the

count option, you can track on a per-flow basis

whether CPU-generated and CPU-forwarded packets were transmitted successfully.

1. Apply Egress ACLs to IPv4 system traffic.

CONFIGURATION mode

ip control-plane [egress filter]

2. Apply Egress ACLs to IPv6 system traffic.

CONFIGURATION mode

ipv6 control-plane [egress filter]

3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.

CONFIG-NACL mode

permit ip {source mask | any | host ip-address} {destination mask | any |

host ip-address} count

Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group

management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU

traffic. Packets the CPU sends with the source address as the VRRP virtual IP address have the interface

MAC address instead of VRRP virtual MAC address.

Configure ACLs to Loopback

You can apply ACLs on a Loopback interface.

Configuring ACLs onto the CPU in a Loopback interface protects the system infrastructure from attack —

malicious and incidental — by explicate allowing only authorized traffic.

The ACLs on Loopback interfaces are applied only to the CPU on the stack–unit — this application

eliminates the need to apply specific ACLs onto all ingress interfaces and achieves the same results. By

localizing target traffic, it is a simpler implementation.

The ACLs target and handle Layer 3 traffic destined to terminate on the system including routing

protocols, remote access, simple network management protocol (SNMP), internet control message

protocol (ICMP), and so on, Effective filtering of Layer 3 traffic from Layer 3 routers reduces the risk of

attack.

Access Control Lists (ACLs)

137