Dell PowerSwitch S4112F-ON OS10 Enterprise Edition User Guide Release 10.4.0ER - Page 493
Ingress ACL filters, Egress ACL filters
To view the number of packets matching the ACL, use the count option when creating ACL entries.

• Create an ACL that uses rules with the count option, see Assign sequence number to filter.
• Apply the ACL as an inbound or outbound ACL on an interface in CONFIGURATION mode, and view the number of packets matching the ACL.

    show ip access-list {in | out}

Ingress ACL filters

To create an ingress ACL filter, use the ip access-group command in EXEC mode. To configure ingress, use the in keyword. Apply rules to the ACL with the ip access-list acl-name command. To view the access-list, use the show access-lists command.

1 Apply an access-list on the interface with ingress direction in INTERFACE mode.

    ip access-group access-group-name in

2 Return to CONFIGURATION mode.

    exit

3 Create the access-list in CONFIGURATION mode.

    ip access-list access-list-name

4 Create the rules for the access-list in ACCESS-LIST mode.

    permit ip host ip-address host ip-address count

Apply ACL rules to access-group and view access-list

    OS10(config)# interface ethernet 1/1/28
    OS10(conf-if-eth1/1/28)# ip access-group abcd in
    OS10(conf-if-eth1/1/28)# exit
    OS10(config)# ip access-list acl1
    OS10(conf-ipv4-acl)# permit ip host 10.1.1.1 host 100.1.1.1 count

Egress ACL filters

Egress ACL filters affect the traffic leaving the network. Configuring egress ACL filters onto physical interfaces protects the system infrastructure from a malicious and intentional attack by explicitly allowing only authorized traffic. These system-wide ACL filters eliminate the need to apply ACL filters onto each interface and achieve the same results.

You can use an egress ACL filter to restrict egress traffic. For example, when denial of service (DoS) attack traffic is isolated to a specific interface, apply an egress ACL filter to block the flow from exiting the network and thus protect downstream devices.

1 Apply an access-list on the interface with egress direction in INTERFACE mode.

    ip access-group access-group-name out

2 Return to CONFIGURATION mode.

    exit

3 Create the access-list in CONFIGURATION mode.

    ip access-list access-list-name

4 Create the rules for the access-list in ACCESS-LIST mode.

    seq 10 deny ip any any count fragment

Apply rules to ACL filter

    OS10(config)# interface ethernet 1/1/29
    OS10(conf-if-eth1/1/29)# ip access-group egress out
    OS10(conf-if-eth1/1/29)# exit
    OS10(config)# ip access-list egress
    OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment

View IP ACL filter configuration

    OS10# show ip access-lists out
    Egress IP access-list abcd
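
The procedures above bind an ACL name to an interface first and create the list afterwards, so the two names can drift apart: the ingress example applies abcd but defines its rule under acl1. The following Python check is an added example, not part of the Dell guide. It cross-references ip access-group bindings against ip access-list definitions and flags rules without the count option. The flat config layout and the "seq 20" rule are constructed for illustration, and audit_acl_config is a hypothetical helper name.

```python
import re

# Constructed sample: the page's own example commands laid out as a flat
# config listing (assumed layout, not captured switch output). The
# "seq 20" rule is constructed to show a rule without the count option.
SAMPLE_CONFIG = """\
interface ethernet 1/1/28
 ip access-group abcd in
interface ethernet 1/1/29
 ip access-group egress out
ip access-list acl1
 permit ip host 10.1.1.1 host 100.1.1.1 count
ip access-list egress
 seq 10 deny ip any any count fragment
 seq 20 permit ip any any
"""

def audit_acl_config(text):
    """Return (bindings, defined, findings) for an OS10-style config listing."""
    bindings, defined, findings = [], {}, []
    iface = acl = None  # current interface / access-list context
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (.+)", line):
            iface, acl = m.group(1), None
        elif m := re.fullmatch(r"ip access-list (\S+)", line):
            acl, iface = m.group(1), None
            defined.setdefault(acl, [])
        elif (m := re.fullmatch(r"ip access-group (\S+) (in|out)", line)) and iface:
            bindings.append((iface, m.group(1), m.group(2)))
        elif acl and re.match(r"(seq \d+ )?(permit|deny) ", line):
            defined[acl].append(line)
    # Bindings that name an ACL with no definition in the listing.
    for iface, name, direction in bindings:
        if name not in defined:
            findings.append(f"{iface}: access-group '{name}' ({direction}) has no matching ip access-list")
    bound = {name for _, name, _ in bindings}
    for name, rules in defined.items():
        if name not in bound:
            findings.append(f"ip access-list '{name}' is not applied to any interface")
        for rule in rules:  # rules without count give no match counters
            if "count" not in rule.split():
                findings.append(f"ip access-list '{name}': rule '{rule}' has no count option")
    return bindings, defined, findings

if __name__ == "__main__":
    for finding in audit_acl_config(SAMPLE_CONFIG)[2]:
        print(finding)
```
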