ip access-group
Applies an access-list filter to packets on the configured interface.
Syntax: [no] ip access-group access-list-name {control-in | control-out | in | out | mpls-in | qos-in | mpls-qos-in}
access-list-name
Name of an access-list.
control-in
Filters inbound packets destined for the server.
control-out
Filters outbound packets sourced by the server.
in
Filters inbound packets forwarded across the fabric.
out
Filters outbound packets forwarded across the fabric.
mpls-in
Filters inbound IP encapsulated MPLS packets.
qos-in
Filters inbound QoS packets for remarking forwarded across the fabric.
mpls-qos-in
Filters inbound IP encapsulated MPLS QoS packets for remarking.
Description: There are many instances when you need to control the sending and receiving of route updates and/or specific types of packets. Access lists are filters that enable you to control which packets are permitted or denied.
Access lists select packets for filtering using a permit and deny criteria. Access-groups apply access lists to the interface in order to control the type of packet permitted or denied on that interface.
Use the ip access-group command in interface mode to apply the specified access-list to this interface. The control-in, control-out, in, out, or mpls-in keywords specify the type of traffic to filter. The qos-in and mpls-qos-in keywords specify the type of QoS traffic to filter.
Use the ip default-access-group command in configuration mode to apply the specified access list to traffic on any interface that is not explicitly configured with ip access-group for the specified keyword (control-in, control-out, in, out, mpls-in, qos-in or mpls-qos-in).
Use the control-in keyword to filter inbound packets destined for the server.
Use the control-out keyword to filter outbound packets sourced by the server. If no keyword is used, outbound packets are filtered.
Use the in keyword to filter inbound packets forwarded across the fabric. Filtering is configured and applied at the ingress interface.
Use the out keyword to filter outbound packets forwarded across the fabric. Filtering is configured and applied at the egress interface.
Use the mpls-in keyword to filter inbound IP encapsulated MPLS packets. Filtering is configured and applied at the tunnel ingress interface.
Use the qos-in keyword to filter inbound QoS packets for remarking by the internal QoS process before being forwarded across the fabric. Filtering is configured and applied at the ingress interface.
Use the mpls-qos-in keyword to filter inbound IP encapsulated MPLS QoS packets for remarking. Filtering is configured and applied at the tunnel ingress interface.
NOTE All access lists have an implicit deny-all as their last rule. If an access list that has not yet been created, or that is empty, is applied to an interface, it drops all traffic until rules are added to the list. To ensure that the list operates as desired, first create the access list and add the appropriate rules before applying the access list to the interface.
NOTE Any changes to the specified access list are immediately applied to the access group. Build your access list first and then use the ip access-group command to apply the access list to the interface.
Factory Default: No default access group defined. The default direction for filtering packets is outbound.
Command Mode: Configuration.
Example 1: In the following example:
- Interface pos 1/13/1 is configured as the mirror destination for any sampled packets received on interface pos 1/14/1.
- Two sampling tags, named src-100-d (deny) and src-100-p (permit), are configured with a sampling rate of 1 in 100 packets.
- An extended IP access list named src_filter is configured to deny packets from network 12.160/16, sampling 1 in 100 of them, and to permit packets from network 191/8, also sampled at 1 in 100.
- All other packets are permitted without sampling.
- IP access list src_filter is applied to interface pos 1/14/1 for inbound packets forwarded across the fabric.
- An extended IP access list named forme is configured with entries that deny telnet traffic from network 10.10/16.
- The forme IP access list is made the default inbound filter for packets intended for the server. In this case there is no implicit deny-all filter at the end.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#interface pos 1/14/1
router(config-if)#mirror pos 1/13/1
router(config-if)#exit
router(config)#sample src-100-d 100
router(config)#sample src-100-p 100
router(config)#ip access-list extended src_filter
router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d
router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p
router(config-ext-nacl)#permit ip any any
router(config-ext-nacl)#exit
router(config)#interface pos 1/14/1
router(config-if)#ip access-group src_filter in
router(config-if)#exit
router(config)#ip access-list extended forme
router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet
router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255
router(config-ext-nacl)#exit
router(config)#ip default-access-group forme control-in
router(config)#end
router#
Example 2: In the following example, an access list named SRV4access is created to prevent all telnet and FTP access to the server via the ethernet port, except from one specified source.
- The access-list commands create a packet-based access list.
- The ip access-group command applies the access list to inbound packets on the interface.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq telnet
router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq ftp
router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq ftp-data
router(config)#access-list SRV4access deny tcp any any eq telnet
router(config)#access-list SRV4access deny tcp any any eq ftp
router(config)#access-list SRV4access deny tcp any any eq ftp-data
router(config)#interface ethernet 0
router(config-if)#ip access-group SRV4access control-in
router(config-if)#exit
Example 3: In the following example:
- The first two access-list commands create a packet-based access list named noSNMP that denies all SNMP packets but permits all other types of IP packets.
- The third access-list command creates a packet-based access list named SNMP that permits all SNMP packets.
- The interface command specifies an interface to be modified and changes the command mode to interface configuration.
- The ip default-access-group commands apply the access list noSNMP, for the control-in and control-out keywords, to any interface not explicitly configured with the ip access-group command.
- Interface pos 1/1/1 uses the ip access-group command to override the control-in based default for that interface and instead allows all SNMP inbound traffic on that interface:
router(config)#access-list noSNMP deny udp any any eq snmp
router(config)#access-list noSNMP permit ip any any
router(config)#access-list SNMP permit udp any any eq snmp
router(config)#ip default-access-group noSNMP control-in
router(config)#ip default-access-group noSNMP control-out
router(config)#interface pos 1/1/1
router(config-if)#ip access-group SNMP control-in
router(config-if)#exit
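To make the filtering semantics described above concrete (first-match evaluation with wildcard masks, the implicit deny-all from the NOTE, and an interface's ip access-group overriding ip default-access-group for the same keyword), here is an added Python model that replays the access lists of Examples 2 and 3. It is illustrative code written for this page, not Avici software; it assumes top-to-bottom first-match evaluation, a constructed scenario in which both examples' lists are applied on one router, and a list name typo-list that was applied to pos 1/3/1 but never created.

```python
import ipaddress
PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "snmp": 161}  # service names used on this page
_ip = lambda text: int(ipaddress.IPv4Address(text))

def _parse_endpoint(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' [eq NAME] -> (net, care, port)."""
    word = tok.pop(0)
    if word == "any":
        net, care = 0, 0
    elif word == "host":
        net, care = _ip(tok.pop(0)), 0xFFFFFFFF
    else:  # wildcard bit 1 = don't care, so 0.0.255.255 keeps only the first two octets
        care = 0xFFFFFFFF ^ _ip(tok.pop(0))
        net = _ip(word) & care
    port = None
    if tok and tok[0] == "eq":
        port = PORTS[tok[1]]
        del tok[:2]
    return net, care, port

def parse_rule(line):  # 'permit tcp host 145.10.10.0 any eq telnet' -> (action, proto, src, dst)
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    return action, proto, _parse_endpoint(tok), _parse_endpoint(tok)
def _match(ep, addr, port):
    net, care, want = ep
    return (_ip(addr) & care) == net and want in (None, port)
def evaluate(rules, pkt):  # first matching rule wins; empty or exhausted list = implicit deny-all
    proto, src, sport, dst, dport = pkt
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and _match(rsrc, src, sport) and _match(rdst, dst, dport):
            return action
    return "deny"

def decide(interface, keyword, pkt):
    """Interface ip access-group beats ip default-access-group; an uncreated list name drops all."""
    name = GROUPS.get((interface, keyword), DEFAULTS.get(keyword))
    return "permit" if name is None else evaluate(LISTS.get(name, []), pkt)

# Constructed scenario built from the access lists of Examples 2 and 3 on this page.
LISTS = {
    "SRV4access": [parse_rule(r) for r in (
        "permit tcp host 145.10.10.0 any eq telnet", "permit tcp host 145.10.10.0 any eq ftp",
        "permit tcp host 145.10.10.0 any eq ftp-data", "deny tcp any any eq telnet",
        "deny tcp any any eq ftp", "deny tcp any any eq ftp-data")],
    "noSNMP": [parse_rule("deny udp any any eq snmp"), parse_rule("permit ip any any")],
    "SNMP": [parse_rule("permit udp any any eq snmp")]}
GROUPS = {("ethernet 0", "control-in"): "SRV4access", ("pos 1/1/1", "control-in"): "SNMP",
          ("pos 1/3/1", "control-in"): "typo-list"}  # applied before any such list was built
DEFAULTS = {"control-in": "noSNMP", "control-out": "noSNMP"}
```

Note that SRV4access, as written in Example 2, ends without a permit for other traffic, so a non-telnet, non-FTP connection from the permitted host (for example to port 22) is still dropped by the implicit deny-all.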
Example 4: In the following example:
- An extended IP QoS access list named src_filter is configured to deny packets from network 12.160/16.
- All forwarded packets from network 191/8 are remarked for internal QoS purposes with a PSC of 1, a drop preference of green, and a fabric priority of best-effort.
- All other packets are permitted.
- IP access list src_filter is applied, with the qos-in keyword, to interface pos 1/14/1 for packets forwarded across the fabric.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip access-list qos src_filter
router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255
router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 any classify psc 1 droppref green fabricpriority best-effort
router(config-ext-nacl)#permit ip any any
router(config-ext-nacl)#exit
router(config)#interface pos 1/14/1
router(config-if)#ip access-group src_filter qos-in
router(config-if)#exit
router(config)#end
router#
Related Commands: interface
access-list
deny
ip access-group
ip access-list
permit
show access-lists
show ip access-lists
Copyright © 2004 Avici Systems Inc.
Last Updated: 05/10/04 at 16:38:37