Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048T-ON

131

132

133

134

135

136

137

138

139

140

Applying Egress Layer 3 ACLs (Control-Plane)

By default, packets originated from the system are not ltered by egress ACLs.

For example, if you initiate a ping session from the system and apply an egress ACL to block this type of trac on the interface, the ACL

does not aect that ping trac. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing

control-plane ACLs for CPU-generated and CPU-forwarded trac. Using permit rules with the

count option, you can track on a per-ow

basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.

NOTE: The ip control-plane [egress filter] and the ipv6 control-plane [egress filter] commands are

not supported.

1 Apply Egress ACLs to IPv4 system trac.

CONFIGURATION mode

ip control-plane [egress filter]

2 Apply Egress ACLs to IPv6 system trac.

CONFIGURATION mode

ipv6 control-plane [egress filter]

3 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU trac.

CONFIG-NACL mode

permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address}

count [monitor [session-id]]

Dell EMC Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP)

packets are not aected when you enable egress ACL ltering for CPU trac. Packets sent by the CPU with the source address as the

VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address.

IP Prex Lists

IP prex lists control routing policy. An IP prex list is a series of sequential lters that contain a matching criterion (examine IP route prex)

and an action (permit or deny) to process routes. The lters are processed in sequence so that if a route prex does not match the criterion

in the rst lter, the second lter (if congured) is applied. When the route prex matches a lter, Dell EMC Networking OS drops or

forwards the packet based on the lter’s designated action. If the route prex does not match any of the lters in the prex list, the route is

dropped (that is, implicit deny).

A route prex is an IP address pattern that matches on bits within the IP address. The format of a route prex is A.B.C.D/X where A.B.C.D

is a dotted-decimal address and /X is the number of bits that should be matched of the dotted decimal address. For example, in

112.24.0.0/16, the rst 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.

The following examples show permit or deny lters for specic routes using the le and ge parameters, where x.x.x.x/x represents a route

prex:

• To deny only /8 prexes, enter deny x.x.x.x/x ge 8 le 8.

• To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8.

• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24.

• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20.

The following rules apply to prex lists:

• A prex list without any permit or deny lters allows all routes.

• An “implicit deny” is assumed (that is, the route is dropped) for all route prexes that do not match a permit or deny lter in a

congured prex list.

Access Control Lists (ACLs)

131