Dell Networking N4000 Series Configuration Manual page 635

Stackable layer 2 and 3 switches

interface range gi1/0/24-48
ip access-group deny-ftp in
exit
Allow FTP Traffic Only to an FTP Server
This ACL limits traffic from the router to a directly connected FTP server
(172.16.0.5) on gi1/0/11. Notice that this is an "out" ACL: traffic from the
FTP server to the router is not affected by it. Traffic from the router to the
FTP server is limited to ICMP and packets destined for the FTP ports. The
ftp-data rule is restricted to established connections because, in active
mode, the server itself opens the data connection from port 20; only the
client's acknowledgements and data for that connection should arrive at the
server's port 20, never a new connection attempt. There is no need to add
permit rules for all the protocols the router can send to the host (e.g.,
ARP, ICMP, LLDP, etc.), because internally generated packets are not limited
by ACLs. Routing must be enabled to process ARPs, or they must be allowed by
an explicit rule. ICMP from remote hosts is allowed so that the FTP server
can receive ICMP feedback from clients using the FTP service. A better
implementation would narrow the ICMP rule to the message types the service
actually needs and drop the rest, e.g., echo, echo-reply, redirect, and
timestamp.
ip access-list allow-ftp-server
permit tcp any host 172.16.0.5 eq ftp-data flag established
permit tcp any host 172.16.0.5 eq ftp
permit icmp any any
exit
interface gi1/0/11
ip access-group allow-ftp-server out
exit
Block Incoming Pings
ip access-list no-ping
deny icmp any any icmp-message echo
permit every
exit
interface gi1/0/1
ip access-group no-ping in
exit
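The semantics the two ACLs above rely on (first match wins, an implicit deny at the end of every list unless it closes with "permit every", "flag established" matching only segments with ACK or RST set) are easy to get wrong when reading a list by eye. The following is an added example, not code from the Dell manual: a small first-match evaluator that models the allow-ftp-server and no-ping ACLs and runs constructed packets through them, plus a constructed narrowed-ICMP variant of allow-ftp-server that keeps only destination-unreachable (type 3, which carries fragmentation-needed for path MTU discovery) and time-exceeded (type 11). The Packet and Rule classes, the packet samples and the verdicts function are assumptions for this example; the switch exposes nothing like them.

```python
"""First-match ACL evaluator for the Dell N4000 examples (added example,
not from the manual). Models: ordered rules, implicit deny, "permit every",
"flag established" (ACK or RST set) and icmp-type matching. Direction is
not modelled: an "out" ACL only ever sees egress packets, so the return
direction (server -> client) is never evaluated against it."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMP_UNREACHABLE, ICMP_ECHO, ICMP_TIME_EXCEEDED = 3, 8, 11
FTP_DATA, FTP = 20, 21
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:                      # constructed packet summary (assumption)
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # TCP/UDP destination port
    tcp_flags: int = 0             # TCP flag bitmask
    icmp_type: Optional[int] = None


@dataclass
class Rule:                        # one ACL line (assumption)
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "every"
    dst: str = "any"               # "any" or "host <addr>"
    dport: Optional[int] = None    # "eq <port>"
    established: bool = False      # "flag established"
    icmp_type: Optional[int] = None  # "icmp-type N" / "icmp-message ..."

    def matches(self, p: Packet) -> bool:
        if self.proto == "every":
            return True
        if p.proto != self.proto:
            return False
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # "established": only segments with ACK or RST set qualify
        if self.established and not (p.tcp_flags & (TCP_ACK | TCP_RST)):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First match wins; a packet matching no rule hits the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


SERVER = "172.16.0.5"

# The manual's allow-ftp-server ACL (applied "out" on gi1/0/11).
ALLOW_FTP_SERVER = [
    Rule("permit", "tcp", SERVER, FTP_DATA, established=True),
    Rule("permit", "tcp", SERVER, FTP),
    Rule("permit", "icmp"),
]

# Constructed narrowed variant: only the ICMP an FTP server needs; echo,
# echo-reply, redirect and timestamp now fall through to the implicit deny.
ALLOW_FTP_SERVER_NARROW = [
    Rule("permit", "tcp", SERVER, FTP_DATA, established=True),
    Rule("permit", "tcp", SERVER, FTP),
    Rule("permit", "icmp", SERVER, icmp_type=ICMP_UNREACHABLE),
    Rule("permit", "icmp", SERVER, icmp_type=ICMP_TIME_EXCEEDED),
]

# The manual's no-ping ACL: "permit every" turns the default into permit.
NO_PING = [Rule("deny", "icmp", icmp_type=ICMP_ECHO), Rule("permit", "every")]

# Constructed egress packets toward the FTP server (and one other host).
PACKETS = {
    "ctl_syn":     Packet("tcp", "10.0.0.9", SERVER, FTP, tcp_flags=TCP_SYN),
    "data_syn":    Packet("tcp", "10.0.0.9", SERVER, FTP_DATA, tcp_flags=TCP_SYN),
    "data_ack":    Packet("tcp", "10.0.0.9", SERVER, FTP_DATA, tcp_flags=TCP_ACK),
    "ssh_syn":     Packet("tcp", "10.0.0.9", SERVER, 22, tcp_flags=TCP_SYN),
    "dns_udp":     Packet("udp", "10.0.0.9", SERVER, 53),
    "ping":        Packet("icmp", "10.0.0.9", SERVER, icmp_type=ICMP_ECHO),
    "unreachable": Packet("icmp", "10.0.0.9", SERVER, icmp_type=ICMP_UNREACHABLE),
    "other_host":  Packet("tcp", "10.0.0.9", "172.16.0.6", FTP, tcp_flags=TCP_SYN),
}


def verdicts(acl: List[Rule]) -> Dict[str, str]:
    """Verdict for every constructed packet under the given ACL."""
    return {name: evaluate(acl, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, acl in (("allow-ftp-server", ALLOW_FTP_SERVER),
                      ("allow-ftp-server, narrowed ICMP", ALLOW_FTP_SERVER_NARROW),
                      ("no-ping", NO_PING)):
        print(name)
        for pkt, verdict in verdicts(acl).items():
            print(f"  {pkt:12s} {verdict}")
```

Two results are worth checking against your own reading of the lists: a bare SYN to port 20 is dropped by allow-ftp-server (the "established" rule does not match it and nothing else does), and a UDP packet to the server is dropped by the implicit deny even though no rule mentions UDP, whereas the same UDP packet is permitted by no-ping because that list ends with "permit every".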
Block Incoming Pings and Responses
This example configures an ACL that blocks incoming pings and ping
responses. Since packets generated by the CPU are not affected by ACLs,
blocking pings originated by the switch itself requires a rule that blocks
the returning ping responses instead.
Configuring Access Control Lists