Home » Cisco Manuals » Bridges & Routers » Cisco WS-C3560E-48PD-SF » Manual Viewer

Cisco WS-C3560E-48PD-SF Command Reference - Page 155

the generation of an Internet Control Message Protocol ICMP Host Unreachable message. ICMP Host

View all Cisco WS-C3560E-48PD-SF manuals

Add to My Manuals
Save this manual to your list of manuals

Page 155 highlights

Chapter 2 Catalyst 3560 Switch Cisco IOS Commands ip access-group Examples You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL takes precedence over a router ACL or VLAN map: • When an input port ACL is applied to an interface and a VLAN map is applied to a VLAN that the interface is a member of, incoming packets received on ports with the ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map. • When an input router ACL and input port ACLs exist in an switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered. • When an output router ACL and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered. • When a VLAN map, input router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map. • When a VLAN map, output router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map. You can apply IP ACLs to both outbound or inbound Layer 3 interfaces. A Layer 3 interface can have one IP ACL applied in each direction. You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface. For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface. For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message. If the specified access list does not exist, all packets are passed. This example shows how to apply IP access list 101 to inbound packets on a port: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ip access-group 101 in You can verify your settings by entering the show ip interface, show access-lists, or show ip access-lists privileged EXEC command. 78-16405-05 Catalyst 3560 Switch Command Reference 2-123

Section	Page
Catalyst 3560 Switch Command Reference	1
Contents	3
Preface	19
Audience	19
Purpose	19
Conventions	20
Related Publications	20
Obtaining Documentation	21
Cisco.com	21
Product Documentation DVD	22
Ordering Documentation	22
Documentation Feedback	22
Cisco Product Security Overview	23
Reporting Security Problems in Cisco Products	23
Obtaining Technical Assistance	24
Cisco Technical Support & Documentation Website	24
Submitting a Service Request	24
Definitions of Service Request Severity	25
Obtaining Additional Publications and Information	25
Using the Command-Line Interface	27
CLI Command Modes	27
User EXEC Mode	29
Privileged EXEC Mode	29
Global Configuration Mode	29
Interface Configuration Mode	30
config-vlan Mode	30
VLAN Configuration Mode	31
Line Configuration Mode	31
Commands Changed in Cisco IOS 12.2(20)SE	32
Catalyst 3560 Switch Cisco IOS Commands	33
aaa accounting dot1x	33
aaa authentication dot1x	35
action	37
archive download-sw	39
archive tar	42
archive upload-sw	45
arp access-list	47
auto qos voip	49
boot boothlpr	54
boot config-file	55
boot enable-break	56
boot helper	57
boot helper-config-file	58
boot manual	59
boot private-config-file	60
boot system	61
channel-group	62
channel-protocol	65
class	66
class-map	68
clear ip arp inspection log	70
clear ip arp inspection statistics	71
clear ip dhcp snooping database	72
clear ipc	73
clear l2protocol-tunnel counters	74
clear lacp	75
clear mac address-table	76
clear mac address-table move update	78
clear pagp	79
clear port-security	80
clear spanning-tree counters	82
clear spanning-tree detected-protocols	83
clear vmps statistics	84
clear vtp counters	85
cluster commander-address	86
cluster discovery hop-count	88
cluster enable	89
cluster holdtime	91
cluster member	92
cluster outside-interface	94
cluster run	95
cluster standby-group	96
cluster timer	98
define interface-range	99
delete	101
deny (ARP access-list configuration)	102
deny (IPv6 access-list configuration)	104
deny (MAC access-list configuration)	109
dot1x	112
dot1x auth-fail max-attempts	114
dot1x auth-fail vlan	116
dot1x control-direction	118
dot1x critical	120
dot1x default	122
dot1x guest-vlan	123
dot1x host-mode	125
dot1x initialize	127
dot1x max-reauth-req	128
dot1x max-req	129
dot1x multiple-hosts	130
dot1x port-control	131
dot1x re-authenticate	133
dot1x re-authentication	134
dot1x reauthentication	135
dot1x timeout	136
duplex	138
errdisable detect cause	140
errdisable recovery	142
exception crashinfo	145
flowcontrol	146
interface port-channel	148
interface range	150
interface vlan	152
ip access-group	154
ip address	157
ip arp inspection filter vlan	159
ip arp inspection limit	161
ip arp inspection log-buffer	163
ip arp inspection trust	165
ip arp inspection validate	167
ip arp inspection vlan	169
ip arp inspection vlan logging	170
ip dhcp snooping	172
ip dhcp snooping binding	173
ip dhcp snooping database	175
ip dhcp snooping information option	177
ip dhcp snooping information option allow-untrusted	179
ip dhcp snooping limit rate	181
ip dhcp snooping trust	183
ip dhcp snooping verify	184
ip dhcp snooping vlan	185
ip igmp filter	186
ip igmp max-groups	187
ip igmp profile	189
ip igmp snooping	191
ip igmp snooping last-member-query-interval	193
ip igmp snooping querier	195
ip igmp snooping report-suppression	197
ip igmp snooping tcn	199
ip igmp snooping tcn flood	201
ip igmp snooping vlan immediate-leave	202
ip igmp snooping vlan mrouter	203
ip igmp snooping vlan static	205
ip source binding	207
ip ssh	209
ip verify source	211
ipv6 access-list	212
ipv6 mld snooping	215
ipv6 mld snooping last-listener-query-count	217
ipv6 mld snooping last-listener-query-interval	219
ipv6 mld snooping listener-message-suppression	221
ipv6 mld snooping robustness-variable	223
ipv6 mld snooping tcn	225
ipv6 mld snooping vlan	227
ipv6 traffic-filter	229
l2protocol-tunnel	231
l2protocol-tunnel cos	234
lacp port-priority	235
lacp system-priority	237
logging event power-inline-status	239
logging file	240
mac access-group	242
mac access-list extended	244
mac address-table aging-time	246
mac address-table move update	247
mac address-table notification	249
mac address-table static	251
mac address-table static drop	252
macro apply	254
macro description	257
macro global	258
macro global description	261
macro name	262
match (access-map configuration)	264
match (class-map configuration)	266
mdix auto	268
mls qos	270
mls qos aggregate-policer	272
mls qos cos	274
mls qos dscp-mutation	276
mls qos map	278
mls qos queue-set output buffers	282
mls qos queue-set output threshold	284
mls qos rewrite ip dscp	286
mls qos srr-queue input bandwidth	288
mls qos srr-queue input buffers	290
mls qos srr-queue input cos-map	292
mls qos srr-queue input dscp-map	294
mls qos srr-queue input priority-queue	296
mls qos srr-queue input threshold	298
mls qos srr-queue output cos-map	300
mls qos srr-queue output dscp-map	302
mls qos trust	304
mls qos vlan-based	306
monitor session	307
mvr (global configuration)	312
mvr (interface configuration)	315
pagp learn-method	318
pagp port-priority	320
permit (ARP access-list configuration)	322
permit (IPv6 access-list configuration)	324
permit (MAC access-list configuration)	330
police	333
police aggregate	335
policy-map	337
port-channel load-balance	340
power inline	342
power inline consumption	345
priority-queue	347
private-vlan	349
private-vlan mapping	352
queue-set	354
rcommand	355
remote-span	357
renew ip dhcp snooping database	359
rmon collection stats	361
sdm prefer	362
service password-recovery	365
service-policy	367
set	370
setup	372
setup express	375
show access-lists	377
show archive status	380
show arp access-list	381
show auto qos	382
show boot	386
show cable-diagnostics tdr	388
show class-map	391
show cluster	392
show cluster candidates	394
show cluster members	396
show controllers cpu-interface	398
show controllers ethernet-controller	400
show controllers power inline	407
show controllers tcam	409
show controllers utilization	411
show dot1q-tunnel	413
show dot1x	414
show dtp	418
show env	420
show errdisable detect	422
show errdisable flap-values	424
show errdisable recovery	426
show etherchannel	428
show flowcontrol	431
show interfaces	433
show interfaces counters	443
show inventory	445
show ip arp inspection	446
show ip dhcp snooping	449
show ip dhcp snooping binding	450
show ip dhcp snooping database	452
show ip igmp profile	454
show ip igmp snooping	455
show ip igmp snooping groups	458
show ip igmp snooping mrouter	460
show ip igmp snooping querier	462
show ip source binding	464
show ip verify source	466
show ipc	468
show ipv6 access-list	472
show ipv6 mld snooping	474
show ipv6 mld snooping address	476
show ipv6 mld snooping mrouter	478
show ipv6 mld snooping querier	480
show l2protocol-tunnel	482
show lacp	485
show mac access-group	489
show mac address-table	491
show mac address-table address	493
show mac address-table aging-time	495
show mac address-table count	497
show mac address-table dynamic	499
show mac address-table interface	501
show mac address-table move update	503
show mac address-table notification	505
show mac address-table static	507
show mac address-table vlan	509
show mls qos	511
show mls qos aggregate-policer	512
show mls qos input-queue	513
show mls qos interface	515
show mls qos maps	519
show mls qos queue-set	522
show mls qos vlan	524
show monitor	525
show mvr	528
show mvr interface	530
show mvr members	532
show pagp	534
show parser macro	536
show policy-map	539
show port-security	541
show power inline	544
show sdm prefer	546
show setup express	550
show spanning-tree	551
show storm-control	557
show system mtu	559
show udld	560
show version	563
show vlan	565
show vlan access-map	570
show vlan filter	571
show vmps	572
show vtp	575
shutdown	581
shutdown vlan	582
snmp-server enable traps	583
snmp-server host	587
snmp trap mac-notification	591
spanning-tree backbonefast	593
spanning-tree bpdufilter	594
spanning-tree bpduguard	596
spanning-tree cost	598
spanning-tree etherchannel guard misconfig	600
spanning-tree extend system-id	602
spanning-tree guard	604
spanning-tree link-type	606
spanning-tree loopguard default	608
spanning-tree mode	610
spanning-tree mst configuration	612
spanning-tree mst cost	614
spanning-tree mst forward-time	616
spanning-tree mst hello-time	617
spanning-tree mst max-age	618
spanning-tree mst max-hops	619
spanning-tree mst port-priority	621
spanning-tree mst pre-standard	623
spanning-tree mst priority	624
spanning-tree mst root	625
spanning-tree port-priority	627
spanning-tree portfast (global configuration)	629
spanning-tree portfast (interface configuration)	631
spanning-tree transmit hold-count	633
spanning-tree uplinkfast	634
spanning-tree vlan	636
speed	639
srr-queue bandwidth limit	641
srr-queue bandwidth shape	643
srr-queue bandwidth share	645
storm-control	647
switchport	650
switchport access	652
switchport backup interface	654
switchport block	656
switchport host	657
switchport mode	658
switchport mode private-vlan	661
switchport nonegotiate	663
switchport port-security	665
switchport port-security aging	670
switchport priority extend	672
switchport private-vlan	674
switchport protected	676
switchport trunk	678
switchport voice vlan	681
system env temperature threshold yellow	683
system mtu	685
test cable-diagnostics tdr	687
traceroute mac	688
traceroute mac ip	691
trust	693
udld	695
udld port	697
udld reset	699
vlan (global configuration)	700
vlan (VLAN configuration)	706
vlan access-map	712
vlan database	714
vlan dot1q tag native	717
vlan filter	719
vmps reconfirm (privileged EXEC)	721
vmps reconfirm (global configuration)	722
vmps retry	723
vmps server	724
vtp (global configuration)	726
vtp (VLAN configuration)	730
Catalyst 3560 Switch Boot Loader Commands	735
boot	736
cat	738
copy	739
delete	740
dir	741
flash_init	743
format	744
fsck	745
help	746
load_helper	747
memory	748
mkdir	749
more	750
rename	751
reset	752
rmdir	753
set	754
type	757
unset	758
version	760
Catalyst 3560 Switch Debug Commands	761
debug auto qos	762
debug backup	764
debug cluster	765
debug dot1x	767
debug dtp	769
debug etherchannel	770
debug ilpower	772
debug ip dhcp snooping	773
debug ip verify source packet	774
debug interface	775
debug ip igmp filter	777
debug ip igmp max-groups	778
debug ip igmp snooping	779
debug lacp	780
debug mac-notification	781
debug matm	782
debug matm move update	783
debug monitor	784
debug mvrdbg	786
debug nvram	787
debug pagp	788
debug platform acl	789
debug platform backup interface	790
debug platform cpu-queues	791
debug platform device-manager	793
debug platform dot1x	794
debug platform etherchannel	795
debug platform fallback-bridging	796
debug platform forw-tcam	797
debug platform frontend-controller	798
debug platform ip arp inspection	800
debug platform ip dhcp	801
debug platform ip igmp snooping	802
debug platform ip multicast	804
debug platform ip unicast	806
debug platform led	808
debug platform matm	809
debug platform messaging application	811
debug platform phy	812
debug platform pm	814
debug platform port-asic	816
debug platform port-security	817
debug platform qos-acl-tcam	818
debug platform remote-commands	819
debug platform resource-manager	820
debug platform snmp	821
debug platform span	822
debug platform supervisor-asic	823
debug platform sw-bridge	824
debug platform tcam	825
debug platform udld	828
debug platform vlan	829
debug pm	830
debug port-security	832
debug qos-manager	833
debug spanning-tree	834
debug spanning-tree backbonefast	836
debug spanning-tree bpdu	837
debug spanning-tree bpdu-opt	838
debug spanning-tree mstp	839
debug spanning-tree switch	841
debug spanning-tree uplinkfast	843
debug sw-vlan	844
debug sw-vlan ifs	846
debug sw-vlan notification	848
debug sw-vlan vtp	850
debug udld	852
debug vqpc	854
Catalyst 3560 Switch Show Platform Commands	855
show platform acl	856
show platform backup interface	857
show platform configuration	858
show platform etherchannel	859
show platform forward	860
show platform frontend-controller	862
show platform ip igmp snooping	863
show platform ip multicast	865
show platform ip unicast	866
show platform ip unicast vrf compaction	868
show platform ip unicast vrf tcam-label	869
show platform ipv6 unicast	870
show platform layer4op	872
show platform mac-address-table	873
show platform messaging	874
show platform monitor	875
show platform mvr table	876
show platform pm	877
show platform port-asic	878
show platform port-security	883
show platform qos	884
show platform resource-manager	885
show platform snmp counters	887
show platform spanning-tree	888
show platform stp-instance	889
show platform tcam	890
show platform vlan	893

Match case Limit results 1 per page

2-123

Catalyst 3560 Switch Command Reference

78-16405-05

Chapter 2

Catalyst 3560 Switch Cisco IOS Commands

ip access-group

You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL

takes precedence over a router ACL or VLAN map:

•

When an input port ACL is applied to an interface and a VLAN map is applied to a VLAN that the

interface is a member of, incoming packets received on ports with the ACL applied are filtered by

the port ACL. Other packets are filtered by the VLAN map.

•

When an input router ACL and input port ACLs exist in an switch virtual interface (SVI), incoming

packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming

routed IP packets received on other ports are filtered by the router ACL. Other packets are not

filtered.

•

When an output router ACL and input port ACLs exist in an SVI, incoming packets received on the

ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are

filtered by the router ACL. Other packets are not filtered.

•

When a VLAN map, input router ACLs, and input port ACLs exist in an SVI, incoming packets

received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming

routed IP packets received on other ports are filtered by both the VLAN map and the router ACL.

Other packets are filtered only by the VLAN map.

•

When a VLAN map, output router ACLs, and input port ACLs exist in an SVI, incoming packets

received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing

routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered

only by the VLAN map.

You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.

A Layer 3 interface can have one IP ACL applied in each direction.

You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN

interface.

For standard inbound access lists, after the switch receives a packet, it checks the source address of the

packet against the access list. IP extended access lists can optionally check other fields in the packet,

such as the destination IP address, protocol type, or port numbers. If the access list permits the packet,

the switch continues to process the packet. If the access list denies the packet, the switch discards the

packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes

the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host

Unreachable messages are not generated for packets discarded on a Layer 2 interface.

For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the

switch checks the packet against the access list. If the access list permits the packet, the switch sends the

packet. If the access list denies the packet, the switch discards the packet and, by default, generates an

ICMP Host Unreachable message.

If the specified access list does not exist, all packets are passed.

Examples

This example shows how to apply IP access list 101 to inbound packets on a port:

Switch(config)#

interface gigabitethernet0/1

Switch(config-if)#

ip access-group 101 in

You can verify your settings by entering the

show ip interface, show access-lists,

show ip

access-lists

privileged EXEC command.