Service Manual

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S6000 ON

100

To create an ingress ACL, use the ip access-group command in EXEC Privilege mode. The example shows applying the ACL,

rules to the newly created access group, and viewing the access list.

Example of Applying ACL Rules to Ingress Trac and Viewing ACL Conguration

To specify ingress, use the in keyword. Begin applying rules to the ACL with the ip access-list extended abcd command.

To view the access-list, use the show command.

Dell(conf)#interface tengigabitethernet 1/1/1

Dell(conf-if-te1/1/1)#ip access-group abcd in

Dell(conf-if-te1/1/1)#show config

tengogabitethernet 1/1/1

no ip address

ip access-group abcd in

no shutdown

Dell(conf-if-te1/1/1)#end

Dell#configure terminal

Dell(conf)#

ip access-list extended abcd

Dell(config-ext-nacl)#permit tcp any any

Dell(config-ext-nacl)#deny icmp any any

Dell(config-ext-nacl)#permit 1.1.1.2

Dell(config-ext-nacl)#end

Dell#show ip accounting access-list

Extended Ingress IP access list abcd on tengigabitethernet 1/1/1

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Congure Egress ACLs

Egress ACLs are applied to line cards and aect the trac leaving the system. Conguring egress ACLs onto physical interfaces

protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized trac. These

system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target trac, it

is a simpler implementation.

To restrict egress trac, use an egress ACL. For example, when a denial of service (DOS) attack trac is isolated to a specic

interface, you can apply an egress ACL to block the ow from the exiting the box, thus protecting downstream devices.

To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the

conguration, applying rules to the newly created access group, and viewing the access list.

NOTE: VRF based ACL congurations are not supported on the egress trac.

Example of Applying ACL Rules to Egress Trac and Viewing ACL Conguration

To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd

command. To view the access-list, use the show command.

Applying Egress Layer 3 ACLs (Control-Plane)

By default, packets originated from the system are not ltered by egress ACLs.

For example, if you initiate a ping session from the system and apply an egress ACL to block this type of trac on the interface, the

ACL does not aect that ping trac. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by

implementing control-plane ACLs for CPU-generated and CPU-forwarded trac. Using permit rules with the

count option, you can

track on a per-ow basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.

1. Apply Egress ACLs to IPv4 system trac.

CONFIGURATION mode

100

Access Control Lists (ACLs)