Filter
Top Products
Configure Egress ACLs
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs
onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by
explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs onto
each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
To restrict egress traffic, use an egress ACL. For example, when a denial of service (DOS) attack traffic is
isolated to a specific interface, you can apply an egress ACL to block the flow from the exiting the box,
thus protecting downstream devices.
To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example
shows viewing the configuration, applying rules to the newly created access group, and viewing the
access list.
NOTE: VRF based ACL configurations are not supported on the egress traffic.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration
To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list
extended abcd command. To view the access-list, use the show command.
Applying Egress Layer 3 ACLs (Control-Plane)
By default, packets originated from the system are not filtered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of
traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL
feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully.
1. Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2. Apply Egress ACLs to IPv6 system traffic.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
CONFIG-NACL mode
permit ip {source mask | any | host ip-address} {destination mask | any |
host ip-address} count
FTOS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management
protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic. Packets
sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address
instead of VRRP virtual MAC address.
122
Access Control Lists (ACLs)