110 | Access Control Lists (ACLs)
www.dell.com | support.dell.com
FTOS(conf-ext-nacl)
Configure a standard IP ACL
To configure an ACL, use commands in the IP ACCESS LIST mode and the INTERFACE mode. The
following list includes the configuration tasks for IP ACLs:
For a complete listing of all commands related to IP ACLs, refer to the FTOS Command Line Interface
Reference document.
Refer to Configure an extended IP ACL to set up extended ACLs.
A standard IP ACL uses the source IP address as its match criterion.
To configure a standard IP ACL, use these commands in the following sequence:
Note the following when configuring ACLs with the fragments keyword.
When an ACL filters packets it looks at the Fragment Offset (FO) to determine whether or not it is a fragment.
• FO = 0 means it is either the first fragment or the packet is a non-fragment.
• FO > 0 means it is dealing with the fragments of the original packet.
Permit ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is
checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0 , the next ACL entry is processed.
Deny ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment offset (FO) is
checked.
• If a packet's FO > 0, the packet is denied.
• If a packet's FO = 0, the next ACL line is processed.
Step Command Syntax Command Mode Purpose
1
ip access-list standard access-listname
CONFIGURATION Enter IP ACCESS LIST mode by
naming a standard IP access list.
2
seq sequence-number {deny | permit}
{source [mask] | any | host ip-address}
[count [byte] | log ] [order] [monitor]
[
fragments]
CONFIG-STD-NACL Configure a drop or forward filter. The
parameters are:
• log and monitor options are
supported on E-Series only.
To Next Page
Loading...
