Manualshelf

Reference Guide

ManualsBrandsDell ManualsComputer equipmentForce10 Z9000
101102103104105106107108109110
102 | Access Control Lists (ACLs)
www.dell.com | support.dell.com
Figure 6-11. Creating an Egress ACL
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping
session from the system, for example, and apply an egress ACL to block this type of traffic on the
interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature
enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using
permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully..
Task Command Syntax Command Mode
Apply Egress ACLs to IPv4 system
traffic.
ip control-plane [egress filter] CONFIGURATION
Apply Egress ACLs to IPv6 system
traffic.
ipv6 control-plane [egress filter] CONFIGURATION
Create a Layer 3 ACL using permit
rules with the count option to describe
the desired CPU traffic
permit ip {source mask | any |
host ip-address} {destination mask
| any | host ip-address} count
CONFIG-NACL
Note: The ip control-plane [egress filter] and the ipv6 control-plane [egress filter] commands are not
supported on S4810 systems.
FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU
traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address
have the interface MAC address instead of VRRP virtual MAC address.
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd out
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Use the “out” keyword
to specify egress.
Begin applying rules to
the ACL named
“abcd.”
View the access-list.