OS10 Enterprise Edition User Guide Release 10.4.0E(R3)


Assign and apply ACL filters

To filter traffic on an Ethernet interface, a port-channel interface, or a VLAN, assign an IP ACL filter to the physical interface. The IP ACL applies to all traffic entering a physical or port-channel interface; each packet is forwarded or dropped depending on the match criteria and actions you configure in the ACL filter.

The same ACL filter behaves differently depending on how you apply it to an interface. For example, apply ACL “ABCD” with the in keyword and it becomes an ingress ACL; apply the same ACL filter with the out keyword and it becomes an egress ACL.

You can apply an IP ACL filter to a physical or port-channel interface. The number of ACL filters allowed is hardware-dependent.

  1. Enter the interface information in CONFIGURATION mode.
     interface ethernet node/slot/port
  2. Configure an IP address for the interface, placing it in L3 mode, in INTERFACE mode.
     ip address ip-address
  3. Apply an IP ACL filter to traffic entering or exiting an interface in INTERFACE mode.
     ip access-group access-list-name {in | out}

Configure IP ACL

OS10(config)# interface ethernet 1/1/28
OS10(conf-if-eth1/1/28)# ip address 10.1.2.0/24
OS10(conf-if-eth1/1/28)# ip access-group abcd in

View ACL filters applied to interface

OS10# show ip access-lists in
Ingress IP access-list acl1
Active on interfaces :
ethernet1/1/28
seq 10 permit ip host 10.1.1.1 host 100.1.1.1 count (0 packets)
seq 20 deny ip host 20.1.1.1 host 200.1.1.1 count (0 packets)
seq 30 permit ip 10.1.2.0/24 100.1.2.0/24 count (0 packets)
seq 40 deny ip 20.1.2.0/24 200.1.2.0/24 count (0 packets)
seq 50 permit ip 10.0.3.0 255.0.255.0 any count (0 packets)
seq 60 deny ip 20.0.3.0 255.0.255.0 any count (0 packets)
seq 70 permit tcp any eq 1000 100.1.4.0/24 eq 1001 count (0 packets)
seq 80 deny tcp any eq 2100 200.1.4.0/24 eq 2200 count (0 packets)
seq 90 permit udp 10.1.5.0/28 eq 10000 any eq 10100 count (0 packets)
seq 100 deny tcp host 20.1.5.1 any rst psh count (0 packets)
seq 110 permit tcp any any fin syn rst psh ack urg count (0 packets)
seq 120 deny icmp 20.1.6.0/24 any fragment count (0 packets)
seq 130 permit 150 any any dscp 63 count (0 packets)

To view the number of packets matching the ACL, use the count option when creating ACL entries.

  • Create an ACL whose rules use the count option; see Assign sequence number to filter.
  • Apply the ACL as an inbound or outbound ACL on an interface in CONFIGURATION mode, then view the number of packets matching each entry.
    show ip access-list {in | out}
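As an added example, not part of the Dell guide or OS10 itself: a Python parser for the show ip access-lists output shown above. It lets an operator confirm that the intended ACL is active on the intended interface in the intended direction, and lists entries whose packet counters are still zero. The sample text is constructed from the output above (one counter made nonzero); the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the "show ip access-lists in" output above (not a live capture);
# one counter is nonzero so the zero-hit report has something to distinguish.
SAMPLE = """\
Ingress IP access-list acl1
Active on interfaces :
ethernet1/1/28
seq 10 permit ip host 10.1.1.1 host 100.1.1.1 count (0 packets)
seq 20 deny ip host 20.1.1.1 host 200.1.1.1 count (0 packets)
seq 70 permit tcp any eq 1000 100.1.4.0/24 eq 1001 count (42 packets)
seq 130 permit 150 any any dscp 63 count (0 packets)
"""
HEADER = re.compile(r"^(Ingress|Egress) IP access-list (\S+)$")
ENTRY = re.compile(r"^seq (\d+) (permit|deny) (\S+) (.*?)(?: count \((\d+) packets\))?$")

@dataclass
class Acl:
    name: str
    direction: str                                # "in" (Ingress) or "out" (Egress)
    interfaces: list = field(default_factory=list)
    entries: list = field(default_factory=list)   # (seq, action, proto, match, packets)

def parse_show_access_lists(text):
    """Parse 'show ip access-lists {in|out}' output into a list of Acl objects."""
    acls, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER.match(line):
            cur = Acl(m.group(2), "in" if m.group(1) == "Ingress" else "out")
            acls.append(cur)
        elif cur is None or line.startswith("Active on interfaces"):
            continue                              # text before any header, or the interface banner
        elif m := ENTRY.match(line):
            pkts = int(m.group(5)) if m.group(5) else None   # None when 'count' was not configured
            cur.entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4), pkts))
        elif not cur.entries:
            cur.interfaces.append(line)           # interface names precede the first seq line
    return acls

def is_applied(acls, name, interface, direction):
    """True if ACL `name` is active on `interface` in `direction` ('in' or 'out')."""
    return any(a.name == name and a.direction == direction and interface in a.interfaces
               for a in acls)

def zero_hit_entries(acl):
    """Sequence numbers whose packet counter is still zero: rules to review, not proof they are dead."""
    return [seq for seq, _, _, _, pkts in acl.entries if pkts == 0]
```

Run it against output collected from several switches to catch an ACL that was created but never bound to an interface, or bound in the wrong direction.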
