Reference Guide

Apply rules to ACL filter
OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# ip access-group egress out
OS10(conf-if-eth1/1/29)# exit
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment
OS10(conf-ipv4-acl)# do commit
View IP ACL filter configuration
OS10# show ip access-lists out
Egress IP access-list abcd
Active on interfaces :
ethernet1/1/29
seq 10 deny ip any any fragment count (100 packets)
Clear access-list counters
Clear IPv4, IPv6, or MAC access-list counters for a specific access-list or all lists. The counter counts the number of packets that match
each permit or deny statement in an access-list. You can clear the counters to start at zero to get a more recent count of packets
matching an access-list. If you do not configure an access-list name, all IP access-list counters clear.
Use the show access-lists command to view access-list information.
Clear IPv4 access-list counters in EXEC mode.
clear ip access-list counters access-list-name
Clear IPv6 access-list counters in EXEC mode.
clear ipv6 access-list counters access-list-name
Clear MAC access-list counters in EXEC mode.
clear mac access-list counters access-list-name
IP prex-lists
IP prex-lists control the routing policy. An IP prex-list is a series of sequential lters that contain a matching criterion (such as examine IP
route prex) and an action (permit or deny) to process routes. The lters are processed in sequence so that if a route prex does not
match the criterion in the rst lter, the second lter applies, and so on.
When the route prex matches a lter, the system drops or forwards the packet based on the lter’s designated action. If the route prex
does not match any of the lters in the prex-list, the route drops (implicit deny).
A route prex is an IP address pattern that matches on bits within the IP address. The format of a route prex is A.B.C.D/x, where
A.B.C.D is a dotted-decimal address and /x is the number of bits that match the dotted decimal address.
For example, in 112.24.0.0/16, the rst 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 to
112.24.255.255. Use permit or deny lters for specic routes with the le (less or equal) and ge (greater or equal) parameters, where
x.x.x.x/x represents a route prex:
To deny only /8 prexes, enter deny x.x.x.x/x ge 8 le 8
To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20
The following rules apply to prex-lists:
A prex-list without any permit or deny lters allows all routes
An “implicit deny” is assumed — the route drops for all route prexes that do not match a permit or deny lter in a congured prex-list
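The first-match evaluation described above, as an added Python example (not OS10 code and not from the original guide). It treats ge and le as inclusive bounds, following the "greater or equal" and "less or equal" definitions given above. The sample entries, the function names, and the exact-length match when neither ge nor le is given are assumptions.

```python
import ipaddress

def entry_matches(route, prefix, ge=None, le=None):
    """Return True when route lies inside prefix and its mask length is in range."""
    route = ipaddress.ip_network(route)
    prefix = ipaddress.ip_network(prefix)
    # The first /x bits of the route must equal the entry's prefix bits.
    if route.version != prefix.version or not route.subnet_of(prefix):
        return False
    if ge is None and le is None:
        # Assumption: with no ge/le, the mask length must equal the entry's /x.
        lo = hi = prefix.prefixlen
    else:
        lo = prefix.prefixlen if ge is None else ge
        hi = route.max_prefixlen if le is None else le
    return lo <= route.prefixlen <= hi  # ge and le are inclusive bounds

def evaluate(prefix_list, route):
    """Return (action, seq) of the first matching filter; seq is None if none matched."""
    if not prefix_list:
        return ("permit", None)  # a list with no filters allows all routes
    # Filters are processed in sequence order; the first match decides.
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return (action, seq)
    return ("deny", None)  # implicit deny: no filter matched

# Constructed sample list: (seq, action, prefix, ge, le)
SAMPLE = [
    (10, "deny", "0.0.0.0/0", 8, 8),            # deny only /8 prefixes
    (20, "permit", "112.24.0.0/16", 20, None),  # inside 112.24.0.0/16, mask /20 or longer
]

if __name__ == "__main__":
    for r in ("10.0.0.0/8", "112.24.16.0/20", "112.24.0.0/18", "192.0.2.0/24"):
        print(r, evaluate(SAMPLE, r))
```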
Access Control Lists