150 | IP Access Control Lists (ACL), Prefix Lists, and Route-maps
www.dell.com | support.dell.com

An egress ACL is used when users would like to restrict egress traffic. For example, when DoS attack traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow from exiting the box, thereby protecting downstream devices.

To create an egress ACL, use the ip access-group command (Figure 234) in the EXEC Privilege mode. This example also shows viewing the configuration, applying rules to the newly created access group, and viewing the access list:

Figure 8-11. Creating an Egress ACL

    FTOS(conf)#interface gige 0/0
    FTOS(conf-if-gige0/0)#ip access-group abcd out          <- Use the "out" keyword to specify egress.
    FTOS(conf-if-gige0/0)#show config
    !
    gigethernet 0/0
    no ip address
    ip access-group abcd out
    no shutdown
    FTOS(conf-if-gige0/0)#end
    FTOS#configure terminal
    FTOS(conf)#ip access-list extended abcd                 <- Begin applying rules to the ACL named "abcd."
    FTOS(config-ext-nacl)#permit tcp any any
    FTOS(config-ext-nacl)#deny icmp any any
    FTOS(config-ext-nacl)#permit 1.1.1.2
    FTOS(config-ext-nacl)#end
    FTOS#show ip accounting access-list                     <- View the access-list.
    !
    Extended Ingress IP access list abcd on gigethernet 0/0
    seq 5 permit tcp any any
    seq 10 deny icmp any any
    permit 1.1.1.2

Egress Layer 3 ACL Lookup for Control-plane IP Traffic

By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping session from the system, for example, and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.

Task                                            Command Syntax                                      Command Mode
Apply Egress ACLs to IPv4 system traffic.       ip control-plane [egress filter]                    CONFIGURATION
Apply Egress ACLs to IPv6 system traffic.       ipv6 control-plane [egress filter]                  CONFIGURATION
Create a Layer 3 ACL using permit rules         permit ip {source mask | any | host ip-address}     CONFIG-NACL
with the count option to describe the           {destination mask | any | host ip-address} count
desired CPU traffic.
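The following is an added example, not part of the Dell guide and not FTOS code. It models the two behaviours described above so they can be checked offline: first-match evaluation of a sequence-numbered extended ACL with an implicit deny at the end and per-rule hit counters for rules carrying the count option, and the egress lookup for system-originated (CPU) traffic, which skips the egress ACL unless the control-plane egress filter is enabled. The rule list is the ACL "abcd" from Figure 8-11; the model's notation is an assumption (CIDR or "host X" instead of FTOS address/mask syntax, an explicit sequence number for the third rule, and "permit 1.1.1.2" interpreted as a source-host permit), and the packets are constructed sample input.

```python
"""Model of egress ACL lookup with 'count' and control-plane egress filtering.
Added example; the rule/packet notation is an assumption, not FTOS syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _net(spec: str):
    """Translate 'any', 'host A.B.C.D' or 'A.B.C.D/len' into an ip_network."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ip_network(spec.split()[1] + "/32")
    return ip_network(spec, strict=False)


@dataclass
class Rule:
    seq: int            # sequence number; rules are evaluated in ascending order
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol; otherwise must equal the packet's
    src: str
    dst: str
    count: bool = False  # the 'count' option: keep a per-rule hit counter
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return (ip_address(pkt["src"]) in _net(self.src)
                and ip_address(pkt["dst"]) in _net(self.dst))


class ExtendedAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules: list[Rule] = []

    def add(self, rule: Rule) -> "ExtendedAcl":
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return self

    def lookup(self, pkt: dict) -> str:
        """First matching rule decides; a counted rule records the hit."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.count:
                    rule.hits += 1
                return rule.action
        return "deny"  # implicit deny at the end of every ACL


def egress_decision(acl: ExtendedAcl, pkt: dict, *, cpu_originated: bool = False,
                    control_plane_egress_filter: bool = False) -> str:
    """Decision for a packet leaving an interface that has `acl` applied 'out'.
    System-originated packets bypass the egress ACL unless the control-plane
    egress filter is enabled (the default-off behaviour described in the guide)."""
    if cpu_originated and not control_plane_egress_filter:
        return "permit"
    return acl.lookup(pkt)


def build_abcd() -> ExtendedAcl:
    """ACL 'abcd' from Figure 8-11 in this model's notation (seq 15 is assumed)."""
    return (ExtendedAcl("abcd")
            .add(Rule(5, "permit", "tcp", "any", "any"))
            .add(Rule(10, "deny", "icmp", "any", "any"))
            .add(Rule(15, "permit", "ip", "host 1.1.1.2", "any", count=True)))


def demo():
    """Run constructed sample packets through the egress lookup."""
    acl = build_abcd()
    transit_icmp = {"proto": "icmp", "src": "10.0.0.1", "dst": "10.0.0.2"}
    cpu_ping = {"proto": "icmp", "src": "1.1.1.1", "dst": "10.0.0.2"}
    host_udp = {"proto": "udp", "src": "1.1.1.2", "dst": "10.0.0.2"}
    other_udp = {"proto": "udp", "src": "1.1.1.3", "dst": "10.0.0.2"}
    results = {
        "transit_icmp": egress_decision(acl, transit_icmp),               # seq 10 -> deny
        "cpu_ping_default": egress_decision(acl, cpu_ping, cpu_originated=True),  # bypass -> permit
        "cpu_ping_filtered": egress_decision(acl, cpu_ping, cpu_originated=True,
                                             control_plane_egress_filter=True),  # seq 10 -> deny
        "host_udp": egress_decision(acl, host_udp),                       # seq 15 -> permit, counted
        "other_udp": egress_decision(acl, other_udp),                     # no match -> implicit deny
    }
    return results, acl


if __name__ == "__main__":
    res, acl = demo()
    for name, verdict in res.items():
        print(f"{name:18s} {verdict}")
    print("hits on seq 15:", acl.rules[2].hits)
```

The point of the model is the last two lines of the results: a transit packet with no matching rule is dropped by the implicit deny even though nothing in the list says "deny", and the CPU-originated ping is only subject to the egress ACL once the control-plane egress filter is turned on. The hit counter on the counted permit rule is what the guide's "count" option gives you on the switch for confirming that CPU traffic actually left the box.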