OS10 Enterprise Edition User Guide Release 10.4.0E(R3)


Egress ACL filters

Egress ACL filters affect traffic leaving the network. Configuring egress ACL filters on physical interfaces protects the system infrastructure from malicious, intentional attacks by explicitly allowing only authorized traffic. These system-wide ACL filters eliminate the need to apply an ACL filter to each interface while achieving the same result.

You can use an egress ACL filter to restrict egress traffic. For example, when denial-of-service (DoS) attack traffic is isolated to a specific interface, apply an egress ACL filter to block the flow from exiting the network and so protect downstream devices.

  1. Apply an access-list on the interface with egress direction in INTERFACE mode.
    ip access-group access-group-name out
  2. Return to CONFIGURATION mode.
  3. Create the access-list in CONFIGURATION mode.
    ip access-list access-list-name
  4. Create the rules for the access-list in ACCESS-LIST mode.
    seq 10 deny ip any any count fragment

Apply rules to ACL filter

OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# ip access-group egress out
OS10(conf-if-eth1/1/29)# exit
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment

View IP ACL filter configuration

OS10# show ip access-lists out
Egress IP access-list abcd
Active on interfaces :
seq 10 deny ip any any fragment count (100 packets)
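The show output above is what an operator checks to confirm that the egress ACL is actually active on an interface and that its deny rules are matching traffic. The following parser and audit are an added example, not code from the OS10 guide; the sample text is constructed in the format shown above, and the interface-name spelling on the "Active on interfaces" line is an assumption.

```python
import re

# Constructed sample modelled on the 'show ip access-lists out' output
# in this section; not captured from a real device. The interface name
# format on the "Active on interfaces" line is assumed.
SAMPLE_OUTPUT = """\
Egress IP access-list abcd
Active on interfaces :
seq 10 deny ip any any fragment count (100 packets)
Egress IP access-list egress
Active on interfaces : ethernet1/1/29
seq 10 deny ip any any fragment count (42 packets)
seq 20 permit ip any any count (0 packets)
"""

HEADER_RE = re.compile(r"^(Ingress|Egress) IP access-list (\S+)$")
ACTIVE_RE = re.compile(r"^Active on interfaces\s*:\s*(.*)$")
RULE_RE = re.compile(r"^seq (\d+) (permit|deny) (.+?)(?: count \((\d+) packets\))?$")


def parse_access_lists(text):
    """Parse show output into dicts with name, direction, interfaces and rules."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            acls.append({"direction": m.group(1).lower(), "name": m.group(2),
                         "interfaces": [], "rules": []})
            continue
        if not acls:
            continue  # ignore anything before the first ACL header
        m = ACTIVE_RE.match(line)
        if m:
            acls[-1]["interfaces"] = m.group(1).split()
            continue
        m = RULE_RE.match(line)
        if m:  # hits is None when the rule has no 'count' keyword
            acls[-1]["rules"].append({
                "seq": int(m.group(1)), "action": m.group(2), "match": m.group(3),
                "hits": int(m.group(4)) if m.group(4) is not None else None})
    return acls


def audit(acls):
    """Report ACLs that are defined but not applied, and deny rules with hits."""
    findings = []
    for acl in acls:
        if not acl["interfaces"]:
            findings.append(f"{acl['name']}: defined but not active on any interface")
        for r in acl["rules"]:
            if r["action"] == "deny" and r["hits"]:
                findings.append(f"{acl['name']} seq {r['seq']}: "
                                f"{r['hits']} packets denied ({r['match']})")
    return findings
```

Run `audit(parse_access_lists(SAMPLE_OUTPUT))` to see that the first ACL is flagged as unapplied, the condition the empty "Active on interfaces" line above represents.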

