Cisco IE-3000-8TC Command Reference - Page 153
ip access-group
Chapter 2 IE 3000 Switch Cisco IOS Commands

Use the ip access-group interface configuration command to control access to a Layer 2 interface. Use the no form of this command to remove all access groups or the specified access group from the interface.

ip access-group {access-list-number | name} {in}

no ip access-group [access-list-number | name] {in}

Syntax Description

| Parameter | Description |
| --- | --- |
| access-list-number | The number of the IP access control list (ACL). The range is 1 to 199 or 1300 to 2699. |
| name | The name of an IP ACL, specified in the ip access-list global configuration command. |
| in | Specify filtering on inbound packets. |

Defaults

No access list is applied to the interface.

Command Modes

Interface configuration

Command History

| Release | Modification |
| --- | --- |
| 12.2(44)EX | This command was introduced. |

Usage Guidelines

You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access-list global configuration command. You can use numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.

You can use this command to apply an access list to a Layer 2 interface. However, note these limitations for port ACLs:

• You can only apply ACLs in the inbound direction.
• You can only apply one IP ACL and one MAC ACL per interface.
• Port ACLs do not support logging; if the log keyword is specified in the IP ACL, it is ignored.
• An IP ACL applied to an interface only filters IP packets. To filter non-IP packets, use the mac access-group interface configuration command with MAC extended ACLs.

For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet.

If the specified access list does not exist, all packets are passed.

OL-13019-01 Cisco IE 3000 Switch Command Reference 2-127
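Two of the behaviours described above are easy to miss when reviewing a configuration: a binding to an access list that does not exist passes all packets, and the log keyword is ignored on port ACLs. The Python check below is an added example, not part of the Cisco manual; the sample configuration, ACL names and interface names are constructed, and it assumes every interface shown is a Layer 2 port.

```python
# Constructed running-config excerpt; ACL and interface names are assumptions.
SAMPLE_CONFIG = """\
access-list 10 permit 10.10.1.0 0.0.0.255
ip access-list extended PLC-IN
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.5 eq 502 log
 deny ip any any
!
interface FastEthernet1/1
 ip access-group PLC-IN in
!
interface FastEthernet1/2
 ip access-group HMI-IN in
!
interface FastEthernet1/3
 ip access-group 10 in
"""


def audit_port_acls(config):
    """Return (interface, acl, issue) findings for ip access-group bindings."""
    uses_log = {}       # defined ACL name/number -> True if an entry has 'log'
    bindings = []       # (interface, acl) pairs, in config order
    acl = iface = None  # section currently being parsed
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if line[0].isspace():                      # sub-command of a section
            if acl and words[0] != "remark":
                uses_log[acl] = uses_log[acl] or "log" in words
            elif iface and words[:2] == ["ip", "access-group"] and len(words) > 2:
                bindings.append((iface, words[2]))
            continue
        acl = iface = None                         # any top-level line ends a section
        if words[:2] == ["ip", "access-list"] and len(words) > 3:
            acl = words[3]                         # named standard/extended ACL
            uses_log.setdefault(acl, False)
        elif words[0] == "access-list" and len(words) > 2:
            uses_log[words[1]] = uses_log.get(words[1], False) or "log" in words[2:]
        elif words[0] == "interface" and len(words) > 1:
            iface = words[1]
    findings = []
    for iface, name in bindings:
        if name not in uses_log:
            findings.append((iface, name, "ACL not defined: all packets are passed"))
        elif uses_log[name]:
            findings.append((iface, name, "log keyword is ignored on a port ACL"))
    return findings


if __name__ == "__main__":
    for finding in audit_port_acls(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

On the constructed sample, FastEthernet1/2 is reported because HMI-IN is never defined, so the port filters nothing, and FastEthernet1/1 is reported because its ACL relies on a log entry that a port ACL will not produce.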