Access Control Lists (ACLs) | 105
Figure 6-10. Creating an Ingress ACL
Configuring Egress ACLs
Egress ACLs are supported on platforms: e z
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs
onto physical interfaces protects the system infrastructure from attack—malicious and incidental—by
explicitly allowing only authorized traffic.These system-wide ACLs eliminate the need to apply ACLs
onto each interface and achieves the same results. By localizing target traffic, it is a simpler
implementation.
An egress ACL is used when users would like to restrict egress traffic. For example, when a DOS attack
traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow
from exiting the box, thereby protecting downstream devices.
To create an egress ACLs, use the
ip access-group command (Figure 6-11) in the EXEC Privilege mode.
This example also shows viewing the configuration, applying rules to the newly created access group, and
viewing the access list:
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd in
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd in
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Use the “in” keyword
to specify ingress.
Begin applying rules to
the ACL named
“abcd.”
View the access-list.
To Next Page
Loading...
