Egress Layer 3 Acl Lookup For Control-Plane Ip Traffic - Dell Force10 C150 Configuration Manual
Ftos configuration guide ftos 8.4.2.7 e-series terascale, c-series, s-series (s50/s25)
Hide thumbs
Also See for Force10 C150:
- Manual (57 pages) ,
- Manual (66 pages) ,
- Quick start manual (33 pages)
Table of Contents
Advertisement
An egress ACL is used when users would like to restrict egress traffic. For example, when a DOS attack
traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow
from exiting the box, thereby protecting downstream devices.
To create an egress ACLs, use the
This example also shows viewing the configuration, applying rules to the newly created access group, and
viewing the access list:
Figure 8-11. Creating an Egress ACL
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping
session from the system, for example, and apply an egress ACL to block this type of traffic on the
interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature
enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using
whether CPU-generated and CPU-forwarded packets were transmitted successfully..
Task
Apply Egress ACLs to IPv4 system
traffic.
Apply Egress ACLs to IPv6 system
traffic.
Create a Layer 3 ACL using
count
rules with the
the desired CPU traffic
150
|
IP Access Control Lists (ACL), Prefix Lists, and Route-maps
ip access-group
permit
Command Syntax
ip control-plane [ egress filter ]
ipv6 control-plane [ egress filter ]
permit
permit ip
host ip-address} {destination mask
option to describe
any
|
command
out
abcd
View the access-list.
count
rules with the
option, you can track on a per-flow basis
any
{
|
source mask
host ip-address
count
|
}
(Figure 234)
in the EXEC Privilege mode.
Use the "out" keyword
to specify egress.
Begin applying rules to
the ACL named
"abcd."
Command Mode
CONFIGURATION
CONFIGURATION
|
CONFIG-NACL
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
