Setup Guide
Applying Egress ACLs
Egress ACLs are supported on interfaces and aect the trac leaving the system.
Conguring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly
allowing only authorized trac. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same
results. By localizing target trac, it is a simpler implementation.
To restrict egress trac, use an egress ACL. For example, when a direct operating system (DOS) attack trac is isolated to a specic
interface, you can apply an egress ACL to block the ow from the exiting the box, thus protecting downstream devices.
To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the conguration,
applying rules to the newly created access group, and viewing the access list.
Example of Applying ACL Rules to Egress Trac and Viewing ACL Conguration
To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To
view the access-list, use the show command.
Dell(conf)#interface gige 0/0
Dell(conf-if-gige0/0)#ip access-group abcd out
Dell(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
Dell(conf-if-gige0/0)#end
Dell#configure terminal
Dell(conf)#
ip access-list extended abcd
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#
show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Applying Layer 3 Egress ACLs on Control-Plane Trac
By default, packets originated from the system are not ltered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of trac on the interface, the ACL
does not aect that ping trac. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing
control-plane ACLs for CPU-generated and CPU-forwarded trac. Using permit rules with the count option, you can track on a per-ow
basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.
1 Apply Egress ACLs to IPv4 system trac.
CONFIGURATION mode
ip control-plane [egress filter]
2 Apply Egress ACLs to IPv6 system trac.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU trac.
Access Control Lists (ACLs)
133