ip default-access-group
Applies a default access list filter to packets on any interface not explicitly configured.
Syntax: [no] ip default-access-group access-list-name {control-in | control-out | in | out | mpls-in}
access-list-name
Name of an access-list.
control-in
Filters inbound packets destined for the server.
control-out
Filters outbound packets sourced by the server.
in
Filters inbound packets forwarded across the fabric.
out
Filters outbound packets forwarded across the fabric.
mpls-in
Filters inbound IP encapsulated MPLS packets.
Description: There are many instances when you need to control the sending and receiving of route updates and/or specific types of packets. Access lists are filters that enable you to control which packets are permitted or denied.
Access lists select packets for filtering based on an eight-tuple of criteria. Access groups apply access lists to an interface in order to control which packets are permitted or denied on that interface.
Use the ip default-access-group command in configuration mode to apply the specified access list to traffic on any interface that is not explicitly configured with the ip access-group command for the same keyword (control-in, control-out, in, out, or mpls-in).
Use the control-in keyword to filter inbound packets destined for the server.
Use the control-out keyword to filter outbound packets sourced by the server. If no keyword is used, outbound packets are filtered.
Use the in keyword to filter inbound packets forwarded across the fabric. Filtering is configured and applied at the ingress interface.
Use the out keyword to filter outbound packets forwarded across the fabric. Filtering is configured and applied at the egress interface.
Use the mpls-in keyword to filter inbound IP encapsulated MPLS packets. Filtering is configured and applied at the tunnel ingress interface.
NOTE All access lists have an implicit deny-all as their last rule. With the exception of egress filtering, if an uncreated or empty access list is applied to an interface, it drops all traffic until rules are added to the list. To ensure that the list operates as desired, first create the access list and add the appropriate rules, then apply the access list to the interface. In the case of egress filtering (out), IPriori behaves as though no filter were applied if the access list is uncreated or empty; it forwards all traffic.
Any changes to the specified access list are immediately applied to the access group. Build your access list first and then use the ip access-group command to apply the access list to the interface.
Factory Default: No default access group defined. The default direction for filtering packets is outbound.
Command Mode: Configuration.
Example 1: In the following example:
- A mirror port is configured to set the destination of interface pos 1/13/1 for any sampled packets received on the pos 1/14/1 interface.
- Two sampling frequencies are configured, tagged src-100-d (deny) and src-100-p (permit), and set to 1 in 100 packets.
- An extended IP access list named src_filter is configured to deny packets from network 12.160/16 with a sample rate of 1 in 100 packets, and to sample packets from network 191/8.
- All other packets are permitted without sampling.
- IP access list src_filter is associated with interface pos 1/14/1 for packets forwarded across the fabric.
- An extended IP access list is configured named forme and is configured with ACLs that deny telnet traffic from network 10.10/16.
- The forme IP access list is made the default inbound filter for messages intended for the server. In this case there is no implicit deny-all filter at the end.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#interface pos 1/14/1
router(config-if)#mirror pos 1/13/1
router(config-if)#exit
router(config)#sample src-100-d 100
router(config)#sample src-100-p 100
router(config)#ip access-list extended src_filter
router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d
router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p
router(config-ext-nacl)#permit ip any any
router(config-ext-nacl)#exit
router(config)#interface pos 1/14/1
router(config-if)#ip access-group src_filter in
router(config-if)#exit
router(config)#ip access-list extended forme
router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet
router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255
router(config-ext-nacl)#exit
router(config)#ip default-access-group forme control-in
router(config)#end
router#
Example 2: In the following example, an access list named SRV4access is created to prevent all telnet and FTP access to the server via the ethernet port, except from one specified source.
- The access-list commands create a packet-based access list.
- The ip access-group command applies the access list to inbound packets on the interface.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq telnet
router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq ftp
router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq ftp-data
router(config)#access-list SRV4access deny tcp any any eq telnet
router(config)#access-list SRV4access deny tcp any any eq ftp
router(config)#access-list SRV4access deny tcp any any eq ftp-data
router(config)#interface ethernet 0
router(config-if)#ip access-group SRV4access control-in
router(config-if)#exit
Example 3: In the following example:
- The first two access-list commands create a packet-based access list named noSNMP that denies all SNMP packets but permits all other types of IP packets.
- The third access-list command creates a packet-based access list named SNMP that permits all SNMP packets.
- The interface command specifies an interface to be modified and changes the command mode to interface configuration.
- The ip default-access-group commands apply the access list noSNMP, in the control-in and control-out directions, to any interface not explicitly configured with the ip access-group command.
- Interface pos 1/1/1 uses the ip access-group command to override the control-in based default for that interface and instead allows all SNMP inbound traffic on that interface:
router(config)#access-list noSNMP deny udp any any eq snmp
router(config)#access-list noSNMP permit ip any any
router(config)#access-list SNMP permit udp any any eq snmp
router(config)#ip default-access-group noSNMP control-in
router(config)#ip default-access-group noSNMP control-out
router(config)#interface pos 1/1/1
router(config-if)#ip access-group SNMP control-in
router(config-if)#exit
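The following Python model is an added example written for this page; it is not Avici IPriori code. It applies the evaluation semantics stated in the NOTE above (first match wins, implicit deny-all, and the different handling of an uncreated or empty list for ingress versus egress filtering) together with the precedence rule of this command (an explicit ip access-group on an interface overrides ip default-access-group for that direction), and runs Example 3's noSNMP/SNMP configuration through it. Assumed, not taken from the page: the port numbers for the named services, that a packet with no list configured at either level is forwarded unfiltered, and that the implicit deny-all applies uniformly (Example 1's text asserts a control-in exception that the model does not reproduce).

```python
"""Model of access-list evaluation and default-access-group resolution.

Added example, not Avici IPriori code. Models the semantics stated on this
page: first-match rules with an implicit deny-all, the empty/uncreated-list
behaviour that differs between ingress and egress (out) filtering, and the
precedence of a per-interface ip access-group over ip default-access-group.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names used in the page's examples (assumed IANA numbers).
PORTS = {"telnet": 23, "ftp": 21, "ftp-data": 20, "snmp": 161}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str
    dport: Optional[str] = None  # service name such as "telnet"; None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """Match an address against an ACL source/destination specifier.

    Wildcard masks are inverted netmasks: a 1 bit means "don't care".
    """
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        base, wild = parts[1], "0.0.0.0"
    else:
        base, wild = parts
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF       # bits that must be equal
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and PORTS[rule.dport] != pkt.dport:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def evaluate(rules: Optional[list], pkt: Packet, direction: str) -> str:
    """Apply one access list. `rules` is None for an uncreated list."""
    if not rules:
        # NOTE on this page: an uncreated or empty list drops traffic,
        # except for egress (out) filtering, where everything is forwarded.
        return "permit" if direction == "out" else "deny"
    for rule in rules:           # first match wins
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"                # implicit deny-all as the last rule


def resolve_group(interface, direction, interface_groups, default_groups):
    """Explicit ip access-group on the interface wins; otherwise the default applies."""
    return interface_groups.get((interface, direction), default_groups.get(direction))


def filter_packet(acls, interface_groups, default_groups, interface, direction, pkt):
    name = resolve_group(interface, direction, interface_groups, default_groups)
    if name is None:
        return "permit"          # assumption: no list at either level means no filtering
    return evaluate(acls.get(name), pkt, direction)


# Example 3 of this page, transcribed into rule objects.
ACLS = {
    "noSNMP": [Rule("deny", "udp", "any", "any", "snmp"),
               Rule("permit", "ip", "any", "any")],
    "SNMP": [Rule("permit", "udp", "any", "any", "snmp")],
    "empty": [],                 # created, but no rules added yet
}
INTERFACE_GROUPS = {("pos 1/1/1", "control-in"): "SNMP"}
DEFAULT_GROUPS = {"control-in": "noSNMP", "control-out": "noSNMP"}


def example3_decision(interface: str, direction: str, pkt: Packet) -> str:
    return filter_packet(ACLS, INTERFACE_GROUPS, DEFAULT_GROUPS, interface, direction, pkt)


if __name__ == "__main__":
    # Constructed packets: an SNMP request and a telnet connection to the server.
    snmp = Packet("10.0.0.5", "192.0.2.1", "udp", 161)
    telnet = Packet("10.0.0.5", "192.0.2.1", "tcp", 23)
    for intf in ("pos 1/1/1", "pos 1/2/1"):
        print(intf, "snmp:", example3_decision(intf, "control-in", snmp),
              "telnet:", example3_decision(intf, "control-in", telnet))
```

Running the model shows the two consequences a practitioner should check before applying a default group: on pos 1/1/1 the interface-level SNMP list overrides the default, so SNMP is permitted but the telnet packet hits that list's implicit deny-all, while on any other interface the noSNMP default denies SNMP and permits the rest.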
Related Commands: interface
access-list
deny
ip access-group
ip access-list
permit
show access-lists
show ip access-lists
Copyright © 2004 Avici Systems Inc.
Avici® and TSR® are registered trademarks of Avici Systems Inc. IPriori, Composite Links, SSR, QSR, and NSR® are trademarks of Avici Systems Inc.
Last Updated: 05/10/04 at 16:38:37