seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Configure Egress ACLs
Egress ACLs are supported on interfaces and affect the traffic leaving the system.
Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack —
malicious and incidental — by explicitly allowing only authorized traffic. These system-wide ACLs
eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target
traffic, it is a simpler implementation.
To restrict egress traffic, use an egress ACL. For example, when a direct operating system (DOS) attack
traffic is isolated to a specific interface, you can apply an egress ACL to block the flow from the exiting
the box, thus protecting downstream devices.
To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example
shows viewing the configuration, applying rules to the newly created access group, and viewing the
access list.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration
To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list
extended abcd command. To view the access-list, use the show command.
Dell(conf)#interface gige 0/0
Dell(conf-if-gige0/0)#ip access-group abcd out
Dell(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
Dell(conf-if-gige0/0)#end
Dell#configure terminal
Dell(conf)#
ip access-list extended abcd
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#
show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Applying Egress Layer 3 ACLs (Control-Plane)
By default, packets originated from the system are not filtered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of
traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL
feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using permit rules with the
count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully.
1. Apply Egress ACLs to IPv4 system traffic.
Access Control Lists (ACLs)
107