OcNOS-RON : System Management Guide : System Management Command Reference : Access Control List Commands (XGS) : ip access-group
ip access-group
Use this command to attach an IP access list to an interface or terminal line to filter incoming or outgoing IP packets.
The time-range parameter is optional. If used, the access-group is tied to the timer specified.
After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.
To delete the access-group, use the no form of this command without a time-range.
Note: An egress IP ACL is supported on physical and LAG interfaces only, and it matches only routed traffic, not switched traffic. VLAN and inner-VLAN options in ACL rules match the VLANs of the incoming packet even when the ACL is attached at egress.
Command Syntax
ip access-group NAME (in|out) (time-range TR_NAME|)
no ip access-group NAME (in|out) (time-range TR_NAME|)
Parameters
NAME
Access list name.
in
Filter incoming packets.
out
Filter outgoing packets.
TR_NAME
Time range name set with the time-range command.
Command Mode
Line mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS-SP version 5.0.
Examples
Create an access list, enable the ingress IPv4 TCAM group, and attach the list to the ingress of interface xe3. The permit ip any any rule shown here is a placeholder that filters nothing; replace it with the rules you actually need:
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#permit ip any any
(config-ip-acl)#exit
 
(config)#hardware-profile filter ingress-ipv4-ext enable
 
(config)#interface xe3
(config-if)#ip access-group mylist in
(config-if)#exit
 
Detach an access-group from its time range (here TIMER1, created earlier with the time-range command); the access-group itself stays attached:
(config)#interface xe3
(config-if)#no ip access-group mylist in time-range TIMER1
(config-if)#exit
 
Remove an access-group from the VTY lines:
(config)#line vty
(config-all-line)#no ip access-group mylist in
Usage: VLANs and LAGs
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, only the access list on the LAG interface is applied to matching traffic; the list on the member physical interface is not.
Usage: TCAM Groups
An access-group in the egress direction shares the TCAM group used by the QoS output service policy. Actions are therefore unpredictable when conflicting matches are configured on the same interface, and IP Infusion Inc. recommends avoiding such a configuration. If you cannot avoid it, set the priority (in QoS) or the sequence number (in the ACL) carefully so that the intended match wins.
To attach an IP ACL in the ingress direction, ensure the ingress-ipv4 TCAM group is enabled. See the hardware-profile filter (XGS) commands for details.
Usage: Loopback and VTY Interfaces
You can create ACLs for the loopback (inband) interface and for VTY lines to protect management applications such as SSH, Telnet, NTP, SNMP, and SNMP traps. Filtering TCP, UDP, and ICMP is supported.
Note: Loopback and VTY ACLs are mutually exclusive. If you set up one, you cannot set up the other.
For an ACL for a loopback interface, you create the ACL, configure it with rules, and associate the ACL with a loopback interface:
...
(config)#interface lo
(config-if)#ip access-group loopback in
 
For an ACL for VTY, you create the ACL, configure it with rules, and associate the ACL to the terminal line in line mode:
...
(config)#line vty
(config-all-line)#ip access-group vty in
 
Loopback and VTY ACLs do not support the following:
An implicit deny-all default rule. A loopback or VTY ACL that contains only permit rules blocks nothing, so add an explicit deny rule that matches your requirements (typically at the end of the list).
VLAN-specific rules.
Rules with TCP flags.
Rules with dscp, fragments, log, precedence, and sample parameters.
Usage: Timed ACL on interfaces
You create a time range that is identified by a name and configured with a start time, an end time, and a frequency. Once the time range exists, you can tie the access-group to it, so that the access-group is enabled when the timer starts and disabled when it ends. You can also disassociate an access-group from the timer without removing the access-group.
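The restrictions in this reference (egress ACLs only on physical and LAG interfaces, the ingress-ipv4 TCAM group requirement, the loopback/VTY rule restrictions and the mutual exclusion of loopback and VTY ACLs, the missing implicit deny, and access-groups tied to a time range) are easy to violate when ACL configuration is generated from templates. The following Python checker is an added example, not IP Infusion code or an OcNOS tool: it parses running-config style text and reports those violations. The rule-option keyword spellings (dscp, log, syn and so on), the interface naming pattern (xe/ce/ge/eth for physical, po for LAG), the assumption that loopback/VTY ACLs do not need the TCAM group, and both sample configurations are assumptions constructed for this example.

```python
"""Offline checker for OcNOS "ip access-group" configuration. Added example, not
IP Infusion code: it flags combinations this reference documents as unsupported."""
import re
from dataclasses import dataclass, field

# Option keywords the reference lists as unsupported in loopback/VTY ACL rules (spelling assumed).
UNSUPPORTED_MGMT_OPTIONS = {"dscp", "fragments", "log", "precedence", "sample", "vlan", "inner-vlan"}
TCP_FLAG_KEYWORDS = {"ack", "fin", "psh", "rst", "syn", "urg"}  # assumed flag names
MGMT_SCOPES = {"lo", "vty"}
PHYSICAL_OR_LAG = re.compile(r"^(?:xe|ce|ge|eth|po)\d")  # assumed interface naming

@dataclass
class Config:
    acls: dict = field(default_factory=dict)         # name -> list of rule token lists
    time_ranges: set = field(default_factory=set)
    attachments: list = field(default_factory=list)  # (scope, acl, direction, time_range)
    ingress_tcam: bool = False

def parse_config(text):
    """Collect ACL rules, time ranges, TCAM enablement and access-group attachments."""
    cfg, scope, acl = Config(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := re.match(r"ip access-list (\S+)$", line):
            acl, scope = cfg.acls.setdefault(m.group(1), []), None
        elif m := re.match(r"time-range (\S+)$", line):
            cfg.time_ranges.add(m.group(1))
            acl = scope = None
        elif m := re.match(r"interface (\S+)$", line):
            scope, acl = m.group(1), None
        elif line == "line vty":
            scope, acl = "vty", None
        elif re.match(r"hardware-profile filter ingress-ipv4\S* enable$", line):
            cfg.ingress_tcam = True
        elif (m := re.match(r"ip access-group (\S+) (in|out)(?: time-range (\S+))?$", line)) and scope:
            cfg.attachments.append((scope, m.group(1), m.group(2), m.group(3)))
        elif acl is not None and line.split()[0] in ("permit", "deny"):
            acl.append(line.split())
    return cfg

def check_mgmt_acl(name, rules):
    """Restrictions the reference states for ACLs on the loopback or the VTY lines."""
    out = []
    for rule in rules:
        tokens, text = set(rule), " ".join(rule)
        if bad := sorted(tokens & UNSUPPORTED_MGMT_OPTIONS):
            out.append(f"ACL {name}: rule '{text}' uses unsupported option(s) {bad}")
        if "tcp" in tokens and tokens & TCP_FLAG_KEYWORDS:
            out.append(f"ACL {name}: rule '{text}' matches TCP flags, unsupported on loopback/VTY")
    if not rules or rules[-1][0] != "deny":
        out.append(f"ACL {name}: no explicit deny at the end; loopback/VTY ACLs have no implicit deny-all")
    return out

def check(cfg):
    findings = []
    if {s for s, *_ in cfg.attachments} >= MGMT_SCOPES:
        findings.append("loopback and VTY ACLs are mutually exclusive; configure only one of them")
    for scope, name, direction, tr in cfg.attachments:
        if tr and tr not in cfg.time_ranges:
            findings.append(f"{scope}: time-range {tr} is not defined")
        if scope in MGMT_SCOPES:  # assumed: management ACLs do not use the TCAM group
            findings.extend(check_mgmt_acl(name, cfg.acls.get(name, [])))
        elif direction == "in" and not cfg.ingress_tcam:
            findings.append(f"{scope}: ingress ACL {name} needs the ingress-ipv4 TCAM group enabled (hardware-profile filter)")
        elif direction == "out" and not PHYSICAL_OR_LAG.match(scope):
            findings.append(f"{scope}: egress IP ACL is supported on physical and LAG interfaces only")
    return list(dict.fromkeys(findings))  # drop duplicates, keep order

def lint(text):
    return check(parse_config(text))

# Constructed samples, not taken from any device; the rule syntax is illustrative only.
BAD_CONFIG = """\
ip access-list mgmt
 permit tcp 10.0.0.0/24 any eq 22 log
 permit udp 10.0.0.0/24 any eq 161 dscp 48
 permit tcp any any eq 22 syn
interface lo
 ip access-group mgmt in
line vty
 ip access-group mgmt in time-range OFFICE
interface xe3
 ip access-group mgmt in
interface vlan1
 ip access-group mgmt out
"""
GOOD_CONFIG = """\
ip access-list mgmt
 permit tcp 10.0.0.0/24 any eq 22
 deny ip any any
time-range OFFICE
hardware-profile filter ingress-ipv4-ext enable
line vty
 ip access-group mgmt in time-range OFFICE
interface xe3
 ip access-group mgmt in
"""
```

Running lint(BAD_CONFIG) reports eight findings (loopback and VTY both configured, the log and dscp options, the TCP-flag rule, the missing explicit deny, the undefined time range OFFICE, the ingress ACL on xe3 without the TCAM group, and the egress ACL on vlan1); lint(GOOD_CONFIG) reports none. The checker only reads text, so it runs offline against a saved running-config before the change is pushed.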
Last modified date: 08/28/2023