Configure A Standard Ip Acl - Dell C9000 Series Networking Configuration Manual


Example of Permitting All Packets from a Specified Host
In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All
others are denied.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)
Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specified Host
In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with
TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are
permitted. All other IP packets that are non-first fragments are denied.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)
Example of Logging Denied Packets
To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/UDP
fragments, use a configuration similar to the following.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragment
Dell(conf-ext-nacl)#permit udp any any fragment
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)
When configuring ACLs with the fragments keyword, be aware of the following.
When an ACL filters packets, it looks at the fragment offset (FO) to determine whether the packet is a fragment.
FO = 0 means the packet is either the first fragment or is not fragmented at all.
FO > 0 means the packet is a non-first fragment of the original packet.

Configure a Standard IP ACL

To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode.
For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command Line
Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL.
A standard IP ACL uses the source IP address as its match criterion.
1. Enter IP ACCESS LIST mode by naming a standard IP access list.
   CONFIGURATION mode
   ip access-list standard access-listname
2. Configure a drop or forward filter.
   CONFIG-STD-NACL mode
   seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
Access Control Lists (ACLs)
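The following Python model is an added illustration (not Dell Networking OS code) of how the three extended ACL examples above and a standard ACL built with the syntax in step 2 classify packets, so that the fragment behaviour described under the fragments keyword can be checked against concrete packets. It parses permit/deny lines exactly as typed at the CLI prompts shown on this page and applies them in sequence order. Assumptions not stated on the page: a rule carrying the fragment keyword matches only packets with FO > 0; a rule that tests a port with eq can only match packets with FO = 0, since a non-first fragment carries no TCP/UDP header; lines without seq are auto-numbered in steps of 5; a dotted mask after a source address is a netmask; the list ends with an implicit deny only, so the implicit permit for TCP/UDP fragments that the logging example mentions is not modelled. The standard ACL named MGMT, its entries and all packets are constructed sample data.

```python
"""Model of how the ACL examples on this page classify packets (added illustration, not Dell code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    fo: int = 0                  # fragment offset: 0 = first fragment or unfragmented
    dport: Optional[int] = None  # L4 destination port, only known when fo == 0

@dataclass
class Rule:
    seq: int
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" (any IP protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]    # None for a standard ACL (source-only match)
    dport: Optional[int] = None             # from "eq N"
    fragment: bool = False                  # "fragment" / "fragments" keyword
    log: bool = False                       # "log" keyword

def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D/len' | 'A.B.C.D mask' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if "/" in tokens[i]:
        return ipaddress.ip_network(tokens[i], strict=False), i + 1
    # ASSUMPTION: a dotted mask following the address is a netmask.
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
    return ipaddress.ip_network(tokens[i] + "/32"), i + 1

def parse_acl(cli_lines: List[str]) -> List[Rule]:
    """Parse permit/deny lines as typed at the CLI. The prompt decides the ACL type:
    conf-std-nacl = standard (source only), conf-ext-nacl = extended (proto, src, dst)."""
    rules: List[Rule] = []
    for line in cli_lines:
        prompt, _, body = line.partition("#")      # drop "Dell(conf-ext-nacl)"
        standard = "std-nacl" in prompt
        tokens = body.split()
        seq = None
        if tokens[:1] == ["seq"]:
            seq, tokens = int(tokens[1]), tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                # "ip access-list ..." line or bare prompt
        if seq is None:                             # ASSUMPTION: auto-numbering in steps of 5
            seq = rules[-1].seq + 5 if rules else 5
        i, proto = 1, "ip"
        if not standard:
            proto, i = tokens[i], i + 1
        src, i = _parse_addr(tokens, i)
        dst = None
        if not standard:
            dst, i = _parse_addr(tokens, i)
        rule = Rule(seq, tokens[0], proto, src, dst)
        while i < len(tokens):                      # trailing options
            if tokens[i] == "eq":
                rule.dport, i = int(tokens[i + 1]), i + 2
                continue
            if tokens[i] in ("fragment", "fragments"):
                rule.fragment = True
            elif tokens[i] == "log":
                rule.log = True
            i += 1                                  # count / byte / order: counters only, no verdict change
        rules.append(rule)
    return rules

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.fragment:                # ASSUMPTION: fragment keyword = non-first fragments only (FO > 0)
        return pkt.fo > 0
    if rule.dport is not None:       # ASSUMPTION: a port test needs the L4 header, present only when FO = 0
        return pkt.fo == 0 and pkt.dport == rule.dport
    return True                      # no fragment keyword, no port: matches any FO

def evaluate(rules: List[Rule], pkt: Packet, log: Optional[List[str]] = None) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching rule, or ("deny", None) for the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if matches(rule, pkt):
            if rule.log and log is not None:
                log.append(f"seq {rule.seq} {rule.action} {pkt.proto} {pkt.src} -> {pkt.dst} fo={pkt.fo}")
            return rule.action, rule.seq
    return "deny", None

def classify(cli_lines: List[str], packets: List[Packet], log: Optional[List[str]] = None):
    rules = parse_acl(cli_lines)
    return [evaluate(rules, p, log) for p in packets]

# ACL lines copied from the page's second and third examples.
FRAGMENT_ACL = ["Dell(conf)#ip access-list extended ABC",
                "Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24",
                "Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment",
                "Dell(conf-ext-nacl)#deny ip any any fragment", "Dell(conf-ext-nacl)"]
LOG_ACL = ["Dell(conf)#ip access-list extended ABC",
           "Dell(conf-ext-nacl)#permit tcp any any fragment",
           "Dell(conf-ext-nacl)#permit udp any any fragment",
           "Dell(conf-ext-nacl)#deny ip any any log", "Dell(conf-ext-nacl)"]
# Constructed standard ACL following the step-2 syntax (name, entries and packets are sample data).
STANDARD_ACL = ["Dell(conf)#ip access-list standard MGMT",
                "Dell(conf-std-nacl)#seq 5 permit host 10.1.1.1",
                "Dell(conf-std-nacl)#seq 10 permit 10.1.2.0 255.255.255.0 count",
                "Dell(conf-std-nacl)#seq 20 deny any count byte", "Dell(conf-std-nacl)"]

if __name__ == "__main__":
    entries: List[str] = []
    for name, acl in (("FRAGMENT_ACL", FRAGMENT_ACL), ("LOG_ACL", LOG_ACL), ("STANDARD_ACL", STANDARD_ACL)):
        for pkt in (Packet("tcp", "10.1.1.1", "192.0.2.10", 0, 24), Packet("tcp", "10.1.1.1", "192.0.2.10", 185),
                    Packet("udp", "10.1.2.77", "192.0.2.10", 185), Packet("icmp", "10.1.3.1", "192.0.2.10")):
            print(name, pkt, "->", evaluate(parse_acl(acl), pkt, entries))
    print("\n".join(entries))
```

Running the script prints one verdict per packet and ACL; the only rule that produces log entries is the deny ip any any log line of the third example, and a TCP first fragment whose port does not match falls through to the implicit deny in the second example, while its non-first fragments are permitted by the fragment rule, which is exactly the asymmetry the fragments caveat above describes.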
