Dell PowerSwitch S4112F-ON OS10 Enterprise Edition User Guide Release 10.4.1.0 - Page 599
Clear access-list counters, IP prefix-lists, prefix-lists
You can use an egress ACL filter to restrict egress traffic. For example, when denial of service (DoS) attack traffic is isolated to a specific interface, apply an egress ACL filter to block the flow from exiting the network and thus protect downstream devices.

1 Apply an access-list on the interface with egress direction in INTERFACE mode.
    ip access-group access-group-name out
2 Return to CONFIGURATION mode.
    exit
3 Create the access-list in CONFIGURATION mode.
    ip access-list access-list-name
4 Create the rules for the access-list in ACCESS-LIST mode.
    seq 10 deny ip any any count fragment

Apply rules to ACL filter

    OS10(config)# interface ethernet 1/1/29
    OS10(conf-if-eth1/1/29)# ip access-group egress out
    OS10(conf-if-eth1/1/29)# exit
    OS10(config)# ip access-list egress
    OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment

View IP ACL filter configuration

    OS10# show ip access-lists out
    Egress IP access-list abcd
     Active on interfaces :
      ethernet1/1/29
     seq 10 deny ip any any fragment count (100 packets)

Clear access-list counters

Clear IPv4, IPv6, or MAC access-list counters for a specific access-list or all lists. The counter counts the number of packets that match each permit or deny statement in an access-list. To get a more recent count of packets matching an access-list, clear the counters to start at zero. If you do not configure an access-list name, all IP access-list counters clear.

To view access-list information, use the show access-lists command.

• Clear IPv4 access-list counters in EXEC mode.
    clear ip access-list counters access-list-name
• Clear IPv6 access-list counters in EXEC mode.
    clear ipv6 access-list counters access-list-name
• Clear MAC access-list counters in EXEC mode.
    clear mac access-list counters access-list-name

IP prefix-lists

IP prefix-lists control the routing policy. An IP prefix-list is a series of sequential filters that contain a matching criterion and a permit or deny action to process routes. The filters process in sequence so that if a route prefix does not match the criterion in the first filter, the second filter applies, and so on.

A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route prefix is A.B.C.D/x, where A.B.C.D is a dotted-decimal address and /x is the number of bits that match the dotted decimal address.

When the route prefix matches a filter, the system drops or forwards the packet based on the filter's designated action. If the route prefix does not match any of the filters in the prefix-list, the route drops (implicit deny).
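
The sequential first-match processing and implicit deny described above, as an added Python model (not Dell code and not OS10 syntax), with a check for filters that an earlier filter makes unreachable. The ge/le length bounds, the rule that a filter without them matches only its exact prefix length, and the sample prefixes are assumptions based on conventional prefix-list behaviour; this page itself defines only the A.B.C.D/x format.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    seq: int
    action: str        # "permit" or "deny"
    prefix: str        # route prefix in A.B.C.D/x form
    ge: int = None     # assumed optional lower bound on prefix length
    le: int = None     # assumed optional upper bound on prefix length

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix, strict=True)

    def lengths(self):
        """Inclusive range of route prefix lengths this filter accepts."""
        if self.ge is None and self.le is None:
            return self.net.prefixlen, self.net.prefixlen  # exact length only
        low = self.net.prefixlen if self.ge is None else self.ge
        return low, 32 if self.le is None else self.le

    def matches(self, route):
        low, high = self.lengths()  # leading x bits must equal A.B.C.D/x
        return route.subnet_of(self.net) and low <= route.prefixlen <= high

def evaluate(filters, route):
    """Return (action, seq) of the first matching filter in sequence order."""
    r = ipaddress.ip_network(route, strict=True)
    for f in sorted(filters, key=lambda f: f.seq):
        if f.matches(r):
            return f.action, f.seq
    return "deny", None  # no filter matched: implicit deny

def shadowed(filters):
    """Seq numbers that can never match because an earlier filter covers them."""
    ordered = sorted(filters, key=lambda f: f.seq)
    def covers(early, late):
        (e_lo, e_hi), (lo, hi) = early.lengths(), late.lengths()
        return late.net.subnet_of(early.net) and e_lo <= lo and hi <= e_hi
    return [late.seq for i, late in enumerate(ordered)
            if any(covers(early, late) for early in ordered[:i])]

# Constructed sample policy (sequence numbers and prefixes are illustrative).
POLICY = [
    Filter(10, "deny", "10.0.0.0/8", le=32),
    Filter(20, "permit", "10.1.0.0/16"),
    Filter(30, "permit", "192.0.2.0/24", ge=25, le=28),
]
```

In the sample policy the broad deny at seq 10 is evaluated first, so the permit at seq 20 never takes effect; shadowed() reports it, which is the kind of ordering mistake worth checking before a list is applied.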