Home » Cisco Manuals » Bridges & Routers » Cisco IE-3000-8TC » Manual Viewer

Cisco IE-3000-8TC Command Reference - Page 153

ip access-group

Add to My Manuals
Save this manual to your list of manuals

Page 153 highlights

Chapter 2 IE 3000 Switch Cisco IOS Commands ip access-group ip access-group Use the ip access-group interface configuration command to control access to a Layer 2 interface. Use the no form of this command to remove all access groups or the specified access group from the interface. ip access-group {access-list-number | name} {in} no ip access-group [access-list-number | name] {in} Syntax Description access-list-number name in The number of the IP access control list (ACL). The range is 1 to 199 or 1300 to 2699. The name of an IP ACL, specified in the ip access-list global configuration command. Specify filtering on inbound packets. Defaults No access list is applied to the interface. Command Modes Interface configuration Command History Release 12.2(44)EX Modification This command was introduced. Usage Guidelines You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access list global configuration command. You can used numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699. You can use this command to apply an access list to a Layer 2 interface. However, note these limitations for port ACLs: • You can only apply ACLs in the inbound direction. • You can only apply one IP ACL and one MAC ACL per interface. • Port ACLs do not support logging; if the log keyword is specified in the IP ACL, it is ignored. • An IP ACL applied to an interface only filters IP packets. To filter non-IP packets, use the mac access-group interface configuration command with MAC extended ACLs. For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the specified access list does not exist, all packets are passed. OL-13019-01 Cisco IE 3000 Switch Command Reference 2-127

Section	Page
Cisco IE 3000 Switch Command Reference	1
Contents	3
Preface	17
Using the Command-Line Interface	21
CLI Command Modes	21
User EXEC Mode	23
Privileged EXEC Mode	23
Global Configuration Mode	23
Interface Configuration Mode	24
config-vlan Mode	24
VLAN Configuration Mode	25
Line Configuration Mode	25
IE 3000 Switch Cisco IOS Commands	27
aaa accounting dot1x	27
aaa authentication dot1x	29
aaa authorization network	31
alarm facility fcs-hysteresis	32
alarm facility power-supply	33
alarm facility temperature	34
alarm profile (global configuration)	36
alarm profile (interface configuration)	38
alarm relay-mode	39
archive download-sw	40
archive tar	43
archive upload-sw	46
auto qos voip	48
boot config-file	52
boot enable-break	53
boot helper	54
boot helper-config-file	55
boot manual	56
boot private-config-file	57
boot system	58
channel-group	59
channel-protocol	62
cip	63
class	64
class-map	66
clear dot1x	68
clear eap sessions	69
clear errdisable interface	70
clear ip dhcp snooping	71
clear lacp	73
clear mac address-table	74
clear mac address-table move update	75
clear pagp	76
clear port-security	77
clear spanning-tree counters	79
clear spanning-tree detected-protocols	80
clear vmps statistics	81
clear vtp counters	82
cluster commander-address	83
cluster discovery hop-count	85
cluster enable	86
cluster holdtime	88
cluster member	89
cluster outside-interface	91
cluster run	92
cluster standby-group	93
cluster timer	95
define interface-range	96
delete	98
deny (MAC access-list configuration)	99
dot1x	102
dot1x auth-fail max-attempts	104
dot1x auth-fail vlan	106
dot1x control-direction	108
dot1x critical (global configuration)	110
dot1x critical (interface configuration)	112
dot1x default	114
dot1x fallback	115
dot1x guest-vlan	116
dot1x host-mode	118
dot1x initialize	119
dot1x mac-auth-bypass	120
dot1x max-reauth-req	122
dot1x max-req	123
dot1x pae	124
dot1x port-control	125
dot1x re-authenticate	127
dot1x reauthentication	128
dot1x test eapol-capable	129
dot1x test timeout	130
dot1x timeout	131
duplex	133
errdisable detect cause	135
errdisable detect cause small-frame	137
errdisable recovery cause small-frame	139
errdisable recovery	140
exception crashinfo	142
fallback profile	143
fcs-threshold	145
flowcontrol	146
interface port-channel	148
interface range	150
interface vlan	152
ip access-group	153
ip address	155
ip admission	157
ip admission name proxy http	158
ip dhcp snooping	160
ip dhcp snooping binding	161
ip dhcp snooping database	163
ip dhcp snooping information option	165
ip dhcp snooping information option allow-untrusted	167
ip dhcp snooping limit rate	169
ip dhcp snooping trust	170
ip dhcp snooping verify	171
ip dhcp snooping vlan	172
ip igmp filter	173
ip igmp max-groups	175
ip igmp profile	177
ip igmp snooping	179
ip igmp snooping last-member-query-interval	181
ip igmp snooping querier	183
ip igmp snooping report-suppression	185
ip igmp snooping tcn	187
ip igmp snooping tcn flood	189
ip igmp snooping vlan immediate-leave	190
ip igmp snooping vlan mrouter	191
ip igmp snooping vlan static	193
ip ssh	195
lacp port-priority	197
lacp system-priority	199
location (global configuration)	201
location (interface configuration)	203
link state group	205
link state track	207
logging event	208
logging file	209
mac access-group	211
mac access-list extended	213
mac address-table aging-time	215
mac address-table move update	216
mac address-table notification	218
mac address-table static	220
mac address-table static drop	221
macro apply	223
macro description	226
macro global	227
macro global description	230
macro name	231
match (class-map configuration)	233
mdix auto	235
media-type	237
mls qos	239
mls qos aggregate-policer	241
mls qos cos	243
mls qos dscp-mutation	245
mls qos map	247
mls qos queue-set output buffers	251
mls qos queue-set output threshold	253
mls qos rewrite ip dscp	255
mls qos srr-queue input bandwidth	257
mls qos srr-queue input buffers	259
mls qos srr-queue input cos-map	261
mls qos srr-queue input dscp-map	263
mls qos srr-queue input priority-queue	265
mls qos srr-queue input threshold	267
mls qos srr-queue output cos-map	269
mls qos srr-queue output dscp-map	271
mls qos trust	273
monitor session	275
mvr (global configuration)	280
mvr (interface configuration)	283
pagp learn-method	286
pagp port-priority	288
permit (MAC access-list configuration)	290
police	293
police aggregate	295
policy-map	297
port-channel load-balance	299
power-supply dual	301
priority-queue	302
queue-set	304
radius-server dead-criteria	305
radius-server host	307
rcommand	309
remote-span	311
renew ip dhcp snooping database	313
rmon collection stats	315
sdm prefer	316
service password-recovery	318
service-policy	320
set	322
setup	324
setup express	327
show access-lists	329
show alarm description port	332
show alarm profile	333
show alarm settings	335
show archive status	337
show auto qos	338
show boot	342
show cable-diagnostics tdr	344
show cip	346
show class-map	347
show cluster	348
show cluster candidates	350
show cluster members	352
show controllers cpu-interface	354
show controllers ethernet-controller	356
show controllers tcam	363
show controllers utilization	365
show dot1x	367
show dtp	371
show eap	373
show env	376
show errdisable detect	377
show errdisable flap-values	379
show errdisable recovery	381
show etherchannel	383
show facility-alarm relay	386
show facility-alarm status	387
show fallback profile	388
show fcs-threshold	390
show flowcontrol	392
show interfaces	394
show interfaces counters	403
show inventory	405
show ip dhcp snooping	406
show ip dhcp snooping binding	407
show ip dhcp snooping database	409
show ip dhcp snooping statistics	411
show ip igmp profile	414
show ip igmp snooping	415
show ip igmp snooping groups	418
show ip igmp snooping mrouter	420
show ip igmp snooping querier	422
show lacp	424
show location	428
show link state group	431
show mac access-group	433
show mac address-table	435
show mac address-table address	437
show mac address-table aging-time	439
show mac address-table count	441
show mac address-table dynamic	443
show mac address-table interface	445
show mac address-table move update	447
show mac address-table notification	449
show mac address-table static	451
show mac address-table vlan	453
show mls qos	455
show mls qos aggregate-policer	456
show mls qos input-queue	457
show mls qos interface	459
show mls qos maps	463
show mls qos queue-set	466
show mls qos vlan	468
show monitor	469
show mvr	471
show mvr interface	473
show mvr members	475
show pagp	477
show parser macro	479
show policy-map	482
show port-security	484
show sdm prefer	487
show setup express	489
show spanning-tree	490
show storm-control	496
show system mtu	498
show udld	499
show version	502
show vlan	504
show vmps	508
show vtp	510
shutdown	515
shutdown vlan	516
small-frame violation rate	517
snmp-server enable traps	519
snmp-server host	522
snmp trap mac-notification	526
spanning-tree backbonefast	528
spanning-tree bpdufilter	529
spanning-tree bpduguard	531
spanning-tree cost	533
spanning-tree etherchannel guard misconfig	535
spanning-tree extend system-id	537
spanning-tree guard	538
spanning-tree link-type	540
spanning-tree loopguard default	542
spanning-tree mode	544
spanning-tree mst configuration	546
spanning-tree mst cost	548
spanning-tree mst forward-time	550
spanning-tree mst hello-time	551
spanning-tree mst max-age	552
spanning-tree mst max-hops	553
spanning-tree mst port-priority	554
spanning-tree mst pre-standard	556
spanning-tree mst priority	557
spanning-tree mst root	558
spanning-tree port-priority	560
spanning-tree portfast (global configuration)	562
spanning-tree portfast (interface configuration)	564
spanning-tree transmit hold-count	566
spanning-tree uplinkfast	567
spanning-tree vlan	569
speed	572
srr-queue bandwidth limit	574
srr-queue bandwidth shape	576
srr-queue bandwidth share	578
storm-control	580
switchport access	583
switchport backup interface	585
switchport block	589
switchport host	590
switchport mode	591
switchport nonegotiate	593
switchport port-security	595
switchport port-security aging	600
switchport priority extend	602
switchport protected	604
switchport trunk	605
switchport voice vlan	608
system mtu	610
test cable-diagnostics tdr	612
test relay	613
traceroute mac	614
traceroute mac ip	617
trust	619
udld	621
udld port	623
udld reset	625
vlan (global configuration)	626
vlan (VLAN configuration)	631
vlan database	637
vmps reconfirm (privileged EXEC)	640
vmps reconfirm (global configuration)	641
vmps retry	642
vmps server	643
vtp (global configuration)	645
vtp (VLAN configuration)	649
IE 3000 Switch Bootloader Commands	653
boot	654
cat	656
copy	657
delete	658
dir	659
flash_init	661
format	662
fsck	663
help	664
memory	665
mkdir	666
more	667
rename	668
reset	669
rmdir	670
set	671
type	674
unset	675
version	677
IE 3000 Switch Debug Commands	679
debug auto qos	680
debug backup	682
debug cip	683
debug cluster	684
debug dot1x	686
debug dtp	687
debug eap	688
debug etherchannel	689
debug interface	690
debug ip dhcp snooping	691
debug ip igmp filter	692
debug ip igmp max-groups	693
debug ip igmp snooping	694
debug lacp	695
debug mac-notification	696
debug matm	697
debug matm move update	698
debug monitor	699
debug mvrdbg	700
debug nvram	701
debug pagp	702
debug platform acl	703
debug platform backup interface	704
debug platform cpu-queues	705
debug platform dot1x	707
debug platform etherchannel	708
debug platform forw-tcam	709
debug platform ip dhcp	710
debug platform ip igmp snooping	711
debug platform led	713
debug platform matm	714
debug platform messaging application	715
debug platform phy	716
debug platform pm	718
debug platform port-asic	720
debug platform port-security	721
debug platform qos-acl-tcam	722
debug platform resource-manager	723
debug platform snmp	724
debug platform span	725
debug platform supervisor-asic	726
debug platform sw-bridge	727
debug platform tcam	728
debug platform udld	730
debug platform vlan	731
debug pm	732
debug port-security	734
debug qos-manager	735
debug spanning-tree	736
debug spanning-tree backbonefast	738
debug spanning-tree bpdu	739
debug spanning-tree bpdu-opt	740
debug spanning-tree mstp	741
debug spanning-tree switch	743
debug spanning-tree uplinkfast	745
debug sw-vlan	746
debug sw-vlan ifs	748
debug sw-vlan notification	749
debug sw-vlan vtp	750
debug udld	752
debug vqpc	754
IE 3000 Switch Show Platform Commands	755
show platform acl	756
show platform backup interface	757
show platform etherchannel	758
show platform forward	759
show platform ip igmp snooping	761
show platform layer4op	763
show platform mac-address-table	764
show platform messaging	765
show platform monitor	766
show platform mvr table	767
show platform pm	768
show platform port-asic	769
show platform port-security	774
show platform qos	775
show platform resource-manager	776
show platform snmp counters	778
show platform spanning-tree	779
show platform stp-instance	780
show platform tcam	781
show platform vlan	783

Match case Limit results 1 per page

2-127

Cisco IE 3000 Switch Command Reference

OL-13019-01

Chapter 2

IE 3000 Switch Cisco IOS Commands

ip access-group

Use the

ip access-group

interface configuration command to control access to a Layer 2 interface. Use

the

form of this command to remove all access groups or the specified access group from the

interface.

ip access-group

{

access-list-number

name

} {

}

no ip access-group

[

access-list-number

name

] {

}

Syntax Description

Defaults

No access list is applied to the interface.

Command Modes

Interface configuration

Command History

Usage Guidelines

You can apply named or numbered standard or extended IP access lists to an interface. To define an

access list by name, use the

ip access-list

global configuration command. To define a numbered

access list, use the

access list

global configuration command. You can used numbered standard access

lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and

2000 to 2699.

You can use this command to apply an access list to a Layer 2 interface. However, note these limitations

for port ACLs:

•

You can only apply ACLs in the inbound direction.

•

You can only apply one IP ACL and one MAC ACL per interface.

•

Port ACLs do not support logging; if the

log

keyword is specified in the IP ACL, it is ignored.

•

An IP ACL applied to an interface only filters IP packets. To filter non-IP packets, use the

mac

access-group

interface configuration command with MAC extended ACLs.

For standard inbound access lists, after the switch receives a packet, it checks the source address of the

packet against the access list. IP extended access lists can optionally check other fields in the packet,

such as the destination IP address, protocol type, or port numbers. If the access list permits the packet,

the switch continues to process the packet. If the access list denies the packet, the switch discards the

packet.

If the specified access list does not exist, all packets are passed.

access-list-number

The number of the IP access control list (ACL). The range is 1 to 199 or

1300 to 2699.

name

The name of an IP ACL, specified in the

ip access-list

global configuration

command.

Specify filtering on inbound packets.

Release

Modification

12.2(44)EX

This command was introduced.