Service Manual

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5000

151

152

153

154

155

156

157

158

159

160

Dell(config-ext-nacl)#deny icmp any any

Dell(config-ext-nacl)#permit 1.1.1.2

Dell(config-ext-nacl)#end

Dell#show ip accounting access-list

Extended Ingress IP access list abcd on tengigEthernet 0/0

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Applying Egress Layer 3 ACLs (Control-Plane)

By default, egress ACLs do not filter packets originated from the system.

For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic

on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature

enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-

forwarded traffic. Using permit rules with the

count option, you can track on a per-flow basis whether CPU-

generated and CPU-forwarded packets were transmitted successfully.

1 Apply Egress ACLs to IPv4 system traffic.

CONFIGURATION mode

ip control-plane [egress filter]

2 Apply Egress ACLs to IPv6 system traffic.

CONFIGURATION mode

ipv6 control-plane [egress filter]

3 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.

CONFIG-NACL mode

permit ip {source mask | any | host ip-address} {destination mask | any | host

ip-address} count

Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group

management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic.

Packets the CPU sends with the source address as the VRRP virtual IP address have the interface MAC address

instead of VRRP virtual MAC address.

Configure ACLs to Loopback

You can apply ACLs on a Loopback interface.

Configuring ACLs onto the CPU in a Loopback interface protects the system infrastructure from attack —

malicious and incidental — by explicate allowing only authorized traffic.

The ACLs on Loopback interfaces are applied only to the CPU on the stack–unit — this application eliminates

the need to apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target

traffic, it is a simpler implementation.

Access Control Lists (ACLs) 160