Concept Guide
Applying Egress Layer 3 ACLs (Control-Plane)
By default, packets originated from the system are not ltered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of trac on the interface, the ACL
does not aect that ping trac. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing
control-plane ACLs for CPU-generated and CPU-forwarded trac. Using permit rules with the
count option, you can track on a per-ow
basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.
NOTE: The ip control-plane [egress filter] and the ipv6 control-plane [egress filter] commands are
not supported.
1 Apply Egress ACLs to IPv4 system trac.
CONFIGURATION mode
ip control-plane [egress filter]
2 Apply Egress ACLs to IPv6 system trac.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU trac.
CONFIG-NACL mode
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address}
count [monitor [session-id]]
Dell EMC Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP)
packets are not aected when you enable egress ACL ltering for CPU trac. Packets sent by the CPU with the source address as the
VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address.
IP Prex Lists
IP prex lists control routing policy. An IP prex list is a series of sequential lters that contain a matching criterion (examine IP route prex)
and an action (permit or deny) to process routes. The lters are processed in sequence so that if a route prex does not match the criterion
in the rst lter, the second lter (if congured) is applied. When the route prex matches a lter, Dell EMC Networking OS drops or
forwards the packet based on the lter’s designated action. If the route prex does not match any of the lters in the prex list, the route is
dropped (that is, implicit deny).
A route prex is an IP address pattern that matches on bits within the IP address. The format of a route prex is A.B.C.D/X where A.B.C.D
is a dotted-decimal address and /X is the number of bits that should be matched of the dotted decimal address. For example, in
112.24.0.0/16, the rst 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.
The following examples show permit or deny lters for specic routes using the le and ge parameters, where x.x.x.x/x represents a route
prex:
• To deny only /8 prexes, enter deny x.x.x.x/x ge 8 le 8.
• To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8.
• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24.
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20.
The following rules apply to prex lists:
• A prex list without any permit or deny lters allows all routes.
• An “implicit deny” is assumed (that is, the route is dropped) for all route prexes that do not match a permit or deny lter in a
congured prex list.
130
Access Control Lists (ACLs)