ip access-group
Use this command to attach an IP access list to an interface or terminal line to filter incoming or outgoing IP packets.
The time-range parameter is optional. If it is used, the access-group is tied to the named timer. To detach an access-group from its time-range after it has been configured, use the no form of this command with the time-range parameter, as shown in the syntax and examples below. To delete the access-group, use the no form of this command without a time-range.
- An egress IP ACL is supported on physical and LAG interfaces only. An egress IP ACL matches only routed traffic, not switched traffic. The VLAN and inner-VLAN options in ACL rules match the incoming packet's VLANs even when the ACL is attached at egress.
- Egress TCAMs do not auto-expand beyond 256 entries if any entry includes a policer action. Therefore, when a policer action is present, the total number of configurable entries in the egress direction is limited to 256.
Command Syntax
ip access-group NAME (in|out) (time-range TR_NAME|)
no ip access-group NAME (in|out) (time-range TR_NAME|)
Parameter
NAME: Access list name.
in: Filter incoming packets.
out: Filter outgoing packets.
TR_NAME: Time range name set with the time-range command.
Command Mode
Line mode and Interface mode
Attaching an ACL is not supported in numbered (individual) VTY line mode; it is supported in all-line VTY mode (line vty, the config-all-line prompt).
Applicability
This command was introduced before . The time-range parameter was added in OcNOS version 5.0.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#permit ip any any
(config-ip-acl)#exit
(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#interface xe3
(config-if)#ip access-group mylist in
(config-if)#exit
(config)#interface xe3
(config-if)#no ip access-group mylist in time-range TIMER1
(config-if)#exit
(config)#line vty
(config-all-line)#no ip access-group mylist in
Usage: VLANs and LAGs
When you attach an access list to a VLAN interface or a LAG (Link Aggregation Group) interface as well as to a physical interface that is a member of that LAG and/or VLAN, the priority order is:
- VLAN interface
- LAG interface
- Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied on the LAG interface, not on the physical interface.
Usage: TCAM Groups
An access-group in the egress direction uses the same TCAM group as the QoS output service policy. Actions are therefore unpredictable when conflicting matches are configured on the same interface. IP Infusion Inc. recommends avoiding such a configuration; otherwise, configure the priority (in QoS) or the sequence number (in the ACL) carefully to handle such cases.
To attach an IP ACL in the ingress direction, the ingress-ipv4 or ingress-ipv4-ext TCAM group must be enabled; to attach an IP ACL in the egress direction, the egress-ipv4 TCAM group must be enabled. See the hardware-profile filter (XGS) commands for details.
Usage: Loopback and VTY Interfaces
You can create ACLs for VTY interfaces to filter packets from management applications such as SSH, Telnet, NTP, SNMP, and SNMP traps. TCP, UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol) are supported.
Loopback and VTY ACLs are mutually exclusive. If you set up one, you cannot set up the other.
For an ACL for a loopback interface, you create the ACL, configure it with rules, and associate the ACL with a loopback interface:
...
(config)#interface lo
(config-if)#ip access-group loopback in
For an ACL for VTY, you create the ACL, configure it with rules, and associate the ACL to the terminal line in line mode.
Loopback and VTY ACLs do not support the following:
- The implicit default rule deny all. You must explicitly configure a deny all rule based on your requirements; without one, the ACL has no implicit deny at the end.
- VLAN-specific rules.
- Rules with TCP flags.
- Rules with the dscp, fragments, log, precedence, and sample parameters.
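The restrictions above, together with the egress notes at the top of this page and the loopback/VTY mutual exclusivity, are easy to get wrong in a hand-written management-plane ACL, and the missing implicit deny means a mistake fails open. The following script is an added example, not part of the OcNOS command reference or IP Infusion's tooling: it lints a candidate ACL and its planned attachments against those documented restrictions before the configuration is pushed. The rule text format is a simplified mimic of the ip access-list rule syntax, and the keyword spellings (TCP flag names, "deny ip any any") and the attachment record layout are this script's own assumptions.

```python
"""Pre-deployment lint for IP ACLs against the restrictions documented for
ip access-group: no implicit deny on loopback/VTY ACLs, unsupported rule
parameters there, loopback/VTY mutual exclusivity, egress attachment only
on physical/LAG interfaces, and the 256-entry egress limit with policers.

Assumptions (not from the command reference): the rule text format below is
a simplified mimic of the ip access-list rule syntax, and the keyword
spellings and attachment record layout are this script's own.
"""
from dataclasses import dataclass

# Parameters the command reference lists as unsupported on loopback/VTY ACLs.
UNSUPPORTED_MGMT_PARAMS = {"dscp", "fragments", "log", "precedence", "sample"}
# TCP flag keywords (assumed spellings); any of them makes a rule unsupported there.
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg", "established"}
EGRESS_ENTRY_LIMIT_WITH_POLICER = 256


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warn"
    where: str
    message: str


def _is_deny_all(tokens):
    # Matches "deny ip any any" or "deny any any" (assumed spellings).
    return tokens[:1] == ["deny"] and tokens[-2:] == ["any", "any"] and len(tokens) <= 4


def lint_mgmt_acl(name, rules):
    """Lint an ACL destined for 'interface lo' or 'line vty'.

    rules: rule strings in configuration order. Returns a list of Finding;
    an empty list means the ACL is clean under the documented restrictions.
    """
    findings = []
    deny_all_at = None
    last_seq = None
    for seq, rule in enumerate(rules, start=1):
        toks = rule.split()
        if not toks or toks[0] == "remark":
            continue
        last_seq = seq
        where = f"{name} #{seq}"
        bad = UNSUPPORTED_MGMT_PARAMS & set(toks)
        if bad:
            findings.append(Finding("error", where,
                            f"unsupported on loopback/VTY ACLs: {sorted(bad)}"))
        if "vlan" in toks:
            findings.append(Finding("error", where,
                            "VLAN-specific rule not supported on loopback/VTY ACLs"))
        if len(toks) > 1 and toks[1] == "tcp" and TCP_FLAGS & set(toks):
            findings.append(Finding("error", where,
                            "TCP-flag rule not supported on loopback/VTY ACLs"))
        if _is_deny_all(toks) and deny_all_at is None:
            deny_all_at = seq
    # Loopback/VTY ACLs have no implicit deny-all: without an explicit one the
    # management plane stays reachable from every source the permits omit.
    if deny_all_at is None:
        findings.append(Finding("error", name,
                        "no explicit 'deny ip any any': ACL fails open on loopback/VTY"))
    elif deny_all_at != last_seq:
        findings.append(Finding("warn", f"{name} #{deny_all_at}",
                        "deny-all is not the last rule; rules after it are shadowed"))
    return findings


def check_attachments(attachments):
    """attachments: dicts with keys kind ('physical', 'lag', 'vlan', 'loopback',
    'vty'), name, acl, direction ('in'/'out'), entries (int), policer (bool)."""
    findings = []
    kinds = {a["kind"] for a in attachments}
    if {"loopback", "vty"} <= kinds:
        findings.append(Finding("error", "global",
                        "loopback and VTY ACLs are mutually exclusive"))
    for a in attachments:
        where = f"{a['name']} {a['acl']} {a['direction']}"
        if a["direction"] != "out":
            continue
        if a["kind"] not in ("physical", "lag"):
            findings.append(Finding("error", where,
                            "egress ACL is supported only on physical and LAG interfaces"))
        if a["policer"] and a["entries"] > EGRESS_ENTRY_LIMIT_WITH_POLICER:
            findings.append(Finding("error", where,
                            f"egress TCAM does not expand past {EGRESS_ENTRY_LIMIT_WITH_POLICER} "
                            "entries when a policer action is present"))
    return findings


# Constructed sample: a VTY ACL that looks restrictive but fails open and uses 'log'.
MGMT_ACL = [
    "remark management plane: SSH from the NOC prefix only",
    "permit tcp 192.0.2.0/24 any eq 22",
    "permit udp host 192.0.2.10 any eq 161 log",
]
MGMT_ACL_FIXED = MGMT_ACL[:2] + ["permit udp host 192.0.2.10 any eq 161",
                                 "deny ip any any"]
# Constructed sample attachments exercising the egress and exclusivity rules.
ATTACHMENTS = [
    {"kind": "physical", "name": "xe3", "acl": "mylist", "direction": "out",
     "entries": 300, "policer": True},
    {"kind": "vlan", "name": "vlan10", "acl": "mylist", "direction": "out",
     "entries": 10, "policer": False},
    {"kind": "loopback", "name": "lo", "acl": "mgmt", "direction": "in",
     "entries": 4, "policer": False},
    {"kind": "vty", "name": "vty", "acl": "mgmt", "direction": "in",
     "entries": 4, "policer": False},
]

if __name__ == "__main__":
    for f in lint_mgmt_acl("mgmt", MGMT_ACL) + check_attachments(ATTACHMENTS):
        print(f"{f.severity}: {f.where}: {f.message}")
```

Run it against the candidate configuration before applying it; the sample ACL is reported twice (the log keyword and the missing explicit deny), and the corrected ACL comes back clean. The attachment check is deliberately separate from the rule lint so it can also be run over a planned set of ip access-group lines on their own.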
Usage: Timed ACL on interfaces
You create a time range, identified by a name and configured with a start time, an end time, and a frequency. Once the time range exists, you can tie the ACL configuration to it. This lets you create an access group that is enabled when the timer starts and disabled when it ends. You can also disassociate an access group from the timer when needed.