Reference Guide
CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully.
1. Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2. Apply Egress ACLs to IPv6 system traffic.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
CONFIG-NACL mode
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count
Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group
management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU
traffic. Packets the CPU sends with the source address as the VRRP virtual IP address have the interface
MAC address instead of VRRP virtual MAC address.
Configure ACLs to Loopback
You can apply ACLs on a Loopback interface.
Configuring ACLs onto the CPU in a Loopback interface protects the system infrastructure from attack —
malicious and incidental — by explicitly allowing only authorized traffic.
The ACLs on Loopback interfaces are applied only to the CPU on the stack-unit — this application
eliminates the need to apply specific ACLs onto all ingress interfaces and achieves the same results.
Localizing the target traffic makes the implementation simpler.
The ACLs target and handle Layer 3 traffic destined to terminate on the system, including routing
protocols, remote access, simple network management protocol (SNMP), internet control message
protocol (ICMP), and so on. Effective filtering of Layer 3 traffic from Layer 3 routers reduces the risk of
attack.
NOTE: Loopback ACLs are supported only on ingress traffic.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with
the fragments option and apply it to a Loopback interface, the command is accepted, but the ACL
entries for the offending rule are not installed in CAM.
For more information, refer to the Loopback Interfaces section in the Interfaces chapter.
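The restrictions in this section (ingress only, no fragments option) and the loopback 0 limit stated in the procedure below can be checked offline before a configuration is applied, which matters because a fragments rule is accepted without an error. The following Python check is an added example, not part of the Dell guide or any Dell tooling; the running-config syntax it parses (ip access-list, interface loopback, ip access-group) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed running-config excerpt; the stanza syntax is an assumption.
SAMPLE_CONFIG = """\
ip access-list extended MGMT-IN
 seq 5 permit tcp 10.0.0.0/24 any eq 22 count
 seq 10 permit ip any any fragments
 seq 15 deny ip any any count
ip access-list extended SNMP-OUT
 seq 5 permit udp any any eq 161 count
interface loopback 0
 ip access-group MGMT-IN in
interface loopback 1
 ip access-group SNMP-OUT out
"""

def parse(config):
    """Return ({acl name: [rules]}, [(loopback id, acl name, direction)])."""
    acls, bindings, ctx = {}, [], None
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():  # an unindented line opens a new stanza
            acl = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
            lo = re.match(r"interface loopback (\d+)$", line, re.I)
            ctx = ("acl", acl[1]) if acl else ("lo", int(lo[1])) if lo else None
        elif ctx and ctx[0] == "acl":
            acls.setdefault(ctx[1], []).append(line)
        elif ctx and ctx[0] == "lo":
            grp = re.match(r"ip access-group (\S+) (in|out)$", line)
            if grp:
                bindings.append((ctx[1], grp[1], grp[2]))
    return acls, bindings

def audit(config):
    """Flag Loopback ACL bindings that hit the restrictions described above."""
    acls, bindings = parse(config)
    findings = []
    for lo_id, name, direction in bindings:
        where = f"loopback {lo_id} / {name}"
        if lo_id != 0:
            findings.append((where, "only loopback 0 is supported for the Loopback ACL"))
        if direction != "in":
            findings.append((where, "Loopback ACLs are supported only on ingress traffic"))
        for rule in acls.get(name, []):
            if "fragments" in rule.split():  # accepted by the CLI, absent from CAM
                findings.append((where, f"fragments rule not installed in CAM: {rule}"))
    return findings

if __name__ == "__main__":
    print(*(f"{w}: {m}" for w, m in audit(SAMPLE_CONFIG)), sep="\n")
```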
Applying an ACL on Loopback Interfaces
You can apply ACLs on a Loopback interface.
To apply an ACL (standard or extended) for Loopback, use the following commands:
1. Only loopback 0 is supported for the Loopback ACL.
Access Control Lists (ACLs)










