IP Access Control Lists (ACL), Prefix Lists, and Route-maps | 151
Configuring ACLs to Loopback
ACLs can be supplied on Loopback interfaces supported on platform e
Configuring ACLs onto the CPU in a loopback interface protects the system infrastructure from attack—
malicious and incidental—by explicate allowing only authorized traffic.
The ACLs on loopback interfaces are applied only to the CPU on the RPM—this eliminates the need to
apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target traffic, it
is a simpler implementation.
The ACLs target and handle Layer 3 traffic destined to terminate on the system including routing
protocols, remote access, SNMP, ICMP, and etc. Effective filtering of Layer 3 traffic from Layer 3 routers
reduces the risk of attack.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the
fragments option and apply it to a loopback interface, the command is accepted, but the ACL entries are
not actually installed the offending rule in CAM.
See also Loopback Interfaces in the Interfaces chapter.
Applying an ACL on Loopback Interfaces
ACLs can be applied on Loopback interfaces supported on platform e
To apply an ACL (standard or extended) for loopback, use these commands in the following sequence:
FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU
traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address
have the interface MAC address instead of VRRP virtual MAC address.
Note: Loopback ACLs are supported only on ingress traffic.
Step Command Syntax Command Mode Purpose
1
interface loopback 0
CONFIGURATION Only loopback 0 is supported for the loopback
ACL.
To Next Page
Loading...
Need help?
General