
Dell Force10 S4810P - Configuring Acls to Loopback; Applying an ACL on Loopback Interfaces

Access Control Lists (ACLs) | 121
Configuring ACLs to Loopback
ACLs can be supplied on Loopback interfaces supported on platform e
Configuring ACLs onto the CPU in a loopback interface protects the system infrastructure from attack
(malicious and incidental) by explicitly allowing only authorized traffic.
The ACLs on loopback interfaces are applied only to the CPU on the RPM—this eliminates the need to
apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target traffic, it
is a simpler implementation.
The ACLs target and handle Layer 3 traffic destined to terminate on the system, including routing
protocols, remote access, SNMP, ICMP, etc. Effective filtering of Layer 3 traffic from Layer 3 routers
reduces the risk of attack.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the
fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is
not actually installed in CAM.
See also Loopback Interfaces in the Interfaces chapter.
Applying an ACL on Loopback Interfaces
ACLs can be applied on Loopback interfaces supported on platform e
To apply an ACL (standard or extended) for loopback, use these commands in the following sequence:
FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is
enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC
address instead of VRRP virtual MAC address.
Note: Loopback ACLs are supported only on ingress traffic.
Step  Command Syntax                             Command Mode   Purpose
1     interface loopback 0                       CONFIGURATION  Only loopback 0 is supported for the loopback ACL.
2     ip access-list [standard | extended] name  CONFIGURATION  Apply rules to the new ACL.
3     ip access-group name in                    INTERFACE      Apply an ACL to traffic entering loopback.
                                                                in: configure the ACL to filter incoming traffic
                                                                Note: ACLs for loopback can only be applied to
                                                                incoming traffic.
