How to configure IP ACL in DELL Networking N-Series Switches

Table of Contents

1. Overview

2. Configuring Access Control Lists

3. Verifying Access Control List Configuration

Overview

• ACL is set of rules applied to allow or block certain traffic for security reasons. ACL's are of following types: IPv4 ACL, IPv6 ACL and MAC ACL.
• This article exemplifies IPv4 ACL. ACL rules are grouped to form access group and are applied to the interfaces. ACL rules can be applied to ingress or egress traffic.
• Sequence number can be assigned to every rule in the ACL at the time of configuration and are executed from the lowest to the highest sequence number.
• If you have multiple access groups configured on an interface then assign sequence number so that the access groups are executed in order from the lowest to the highest. 

 

As a result of creating ACLs with incorrect rule(s) it will lead to management traffic blockage.  The user will loose access to the switch. Always have an alternate access method to the switch with direct physical access using the serial console port.

 

ACL can be applied to data ports (physical interface, port-channel and VLAN interface) and cannot be applied to out-of-band (OOB) port.

Maximum number of ACL's that can be configured on any DELL N-Series switches is 100 and maximum number if rules that can be configured per ACL is 1023

 

Configuring Access Control Lists

ACL configuration consists of following steps:


1.  Create access-group specifying ACL rules in the order to be executed using sequence number. Rules are executed from lowest to highest sequence number
2.  Assign the access-group to the interface that is supposed to filter ingress or egress traffic

 

Example:

An example is considered to better demonstrate the function of ACL's. Let us consider that incoming traffic at port gi1/0/10 subject to ACL that blocks udp traffic from network 10.10.10.0 255.255.255.0 destined to 10.10.20.0 255.255.255.0 subnet, blocks icmp packets from subnet 192.168.1.0 255.255.255.0 destined to any network, deny tcp traffic specific to telnet protocol from a particular host 172.16.1.10 subnet destined to any network and log the rule hits over console.


1.  Create access group

 

If no sequence number is entered, Dell Networking OS (DNOS) automatically assigns sequence number, based on the order of the rule entered. First rule entered is assigned with lowest sequence number

2.  Apply access-group to the interface
 

Verifying Access Control List Configuration

ACL verification commands listed below:

Dell#show ip access-lists

Current number of ACLs: 1  Maximum number of ACLs: 100

ACL Name                        Rules Interface(s)              Direction Count

---------------------------------- -------- ------------------------- ----------------- ------                                                                                                                                                      

ACL-TEST                            3        Gi1/0/10                  Inbound    12
 

Dell#show ip access-lists ACL-TEST

IP ACL Name: ACL-TEST

Dell#show running-config | begin access

ip access-list ACL-TEST

To implement MAC ACL, please follow the link: https://kb.dell.com/infocenter/index?page=content&id=HOW12466