ip access-group
Use this command to attach an IP access list to an interface or terminal line to filter incoming or outgoing IP packets.
The time-range parameter is optional. If used, the access-group is active only while the named time range is in effect.
After an access-group has been configured with a time-range, detach it from that time range with the no form of this command including the time-range parameter, as shown in the syntax and examples below; the access-group itself remains attached.
To remove the access-group from the interface or line, use the no form of this command without a time-range.
Note: An egress IP ACL is supported on physical and LAG interfaces only. An egress IP ACL matches only routed traffic, not switched traffic. VLAN and inner-VLAN options in ACL rules match the VLANs of the incoming packet even when the ACL is attached at egress.
Command Syntax
ip access-group NAME (in|out) (time-range TR_NAME|)
no ip access-group NAME (in|out) (time-range TR_NAME|)
Parameters
NAME
Access list name.
in
Filter incoming packets
out
Filter outgoing packets.
TR_NAME
Time-range name.
Command Mode
Line mode
Interface mode
Applicability
This command was introduced before OcNOS version 3.0. The time-range parameter was added in OcNOS version 5.0.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#permit ip any any
(config-ip-acl)#exit
(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#interface xe3
(config-if)#ip access-group mylist in
(config-if)#exit
(config)#interface xe3
(config-if)#ip access-group mylist in time-range TIMER1
(config-if)#no ip access-group mylist in time-range TIMER1
(config-if)#exit
(config)#line vty
(config-all-line)#ip access-group mylist in
(config-all-line)#no ip access-group mylist in
Usage: VLANs and LAGs
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, traffic on that member port is matched against the LAG interface's access list; the physical interface's access list is not applied.
Usage: TCAM Groups
An access-group in the egress direction uses the same TCAM group as the QoS output service policy. Actions are therefore unpredictable when conflicting matches are configured on the same interface. IP Infusion Inc. recommends avoiding such a configuration. Otherwise, configure the priority (in QoS) or the sequence number (in ACL) carefully so that the intended rule wins in such cases.
To attach an IP ACL in the ingress direction, the ingress-ipv4 or ingress-ipv4-ext TCAM group needs to be enabled; to attach an IP ACL in the egress direction, the egress-ipv4 TCAM group needs to be enabled. See the hardware-profile filter commands for details.
Usage: VTY Interfaces
You can create ACLs for VTY interfaces to filter packets from management applications such as SSH, Telnet, NTP, SNMP, and SNMP traps. TCP, UDP, and ICMP are supported.
For an ACL for VTY, you create the ACL, configure it with rules, and associate the ACL to the terminal line in line mode.
VTY ACLs do not support the following:
• An implicit deny-all at the end of the list. Management traffic that matches no rule is not dropped, so you must explicitly configure a deny all rule based on your requirements.
• VLAN-specific rules.
• Rules with TCP flags.
• Rules with dscp, fragments, log, precedence, and sample parameters.
• Rules with ICMP codes and message types.
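The restrictions in the TCAM Groups and VTY Interfaces sections above, and the egress note near the top of this page, fail silently if violated, so the following added example (not IP Infusion code and not part of this command reference) audits a running-config text for them: an egress ACL on anything other than a physical or LAG interface, an attachment whose TCAM group is not enabled, an undefined ACL name, and a VTY ACL that does not end in an explicit deny rule or that uses parameters VTY ACLs do not support. It assumes the config layout shown in the examples (section headers at column 0, members indented one space, sections separated by "!"), the interface-name prefixes xe (physical), po (LAG) and vlan (VLAN interface), and an ACL rule syntax with optional sequence numbers and "eq PORT" port matches; those assumptions and SAMPLE_CONFIG itself are constructed for the example.

```python
"""Audit an OcNOS-style running-config text for ip access-group pitfalls.

Added example, not IP Infusion code. The checks encode what the command
reference states: egress IP ACLs are supported on physical and LAG
interfaces only, ingress ACLs need the ingress-ipv4 or ingress-ipv4-ext
TCAM group and egress ACLs the egress-ipv4 group, and a VTY ACL has no
implicit deny-all and cannot use vlan, TCP-flag, dscp, fragments, log,
precedence or sample parameters. Interface-name prefixes, the ACL rule
syntax and SAMPLE_CONFIG are assumptions constructed for the example.
"""
import re

PHYSICAL = re.compile(r"^(xe|ce|ge)\d")   # assumed physical-port prefixes
LAG = re.compile(r"^po\d")                # assumed LAG (port-channel) prefix
INGRESS_GROUPS = {"ingress-ipv4", "ingress-ipv4-ext"}
EGRESS_GROUPS = {"egress-ipv4"}
VTY_UNSUPPORTED = {"vlan", "inner-vlan", "dscp", "fragments", "log", "precedence",
                   "sample", "syn", "ack", "fin", "rst", "psh", "urg"}

SAMPLE_CONFIG = """\
hardware-profile filter ingress-ipv4-ext enable
!
ip access-list MGMT
 10 permit tcp 10.0.0.0/24 any eq 22
 20 permit udp 10.0.0.5/32 any eq 161
 30 permit icmp any any log
!
ip access-list EDGE-OUT
 10 permit ip any any
!
interface xe3
 ip access-group MGMT in
 ip access-group EDGE-OUT out
!
interface vlan1.10
 ip access-group EDGE-OUT out
!
interface po1
 ip access-group MISSING in
!
line vty
 ip access-group MGMT in
"""


def parse(config):
    """Return (acls, attachments, enabled_tcam_groups) from config text.

    acls maps ACL name -> list of rule word-lists; attachments are
    (section_kind, section_name, acl_name, direction) tuples.
    """
    acls, attachments, groups = {}, [], set()
    section = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            section = None
            continue
        words = line.split()
        if not line.startswith(" "):          # section header or global command
            section = None
            if words[:2] == ["ip", "access-list"]:
                section = ("acl", words[2])
                acls.setdefault(words[2], [])
            elif words[0] == "interface":
                section = ("interface", words[1])
            elif words[:2] == ["line", "vty"]:
                section = ("vty", "vty")
            elif words[:2] == ["hardware-profile", "filter"] and words[-1] == "enable":
                groups.add(words[2])
            continue
        if section is None:
            continue
        if section[0] == "acl":
            acls[section[1]].append(words)
        elif words[:2] == ["ip", "access-group"] and len(words) >= 4:
            attachments.append((section[0], section[1], words[2], words[3]))
    return acls, attachments, groups


def action(rule):
    """Action keyword of a rule, allowing an optional leading sequence number."""
    return rule[1] if rule[0].isdigit() else rule[0]


def audit(config):
    """Return a list of human-readable findings; an empty list means no issues found."""
    acls, attachments, groups = parse(config)
    findings = []
    for kind, name, acl, direction in attachments:
        where = f"{kind} {name}"
        if acl not in acls:
            findings.append(f"{where}: access-group {acl} references an undefined ACL")
            continue
        rules = acls[acl]
        if kind == "interface":
            if direction == "out" and not (PHYSICAL.match(name) or LAG.match(name)):
                findings.append(f"{where}: egress IP ACL is supported on physical and LAG interfaces only")
            need = INGRESS_GROUPS if direction == "in" else EGRESS_GROUPS
            if not need & groups:
                findings.append(f"{where}: {direction} ACL needs a TCAM group from {sorted(need)} enabled")
        else:  # vty: no implicit deny-all, and a restricted rule vocabulary
            if not rules or action(rules[-1]) != "deny":
                findings.append(f"{where}: VTY ACL {acl} has no implicit deny all; end it with an explicit deny rule")
            for rule in rules:
                unsupported = VTY_UNSUPPORTED & set(rule)
                if unsupported:
                    findings.append(f"{where}: VTY ACL {acl} rule '{' '.join(rule)}' uses unsupported {sorted(unsupported)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against SAMPLE_CONFIG it reports the missing egress-ipv4 group on xe3, both the unsupported egress attachment and the missing group on vlan1.10, the undefined ACL on po1, and two VTY findings for MGMT (no trailing deny, and the log parameter on rule 30). The VTY check is deliberately strict about the last rule being a deny rather than any deny appearing in the list, because only a trailing deny closes the gap left by the absent default rule.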
Usage: Timed ACL on interfaces
You create a time range, identified by a name, with a start time, end time, and frequency. Once the time range exists, you can tie an access-group to it: the access-group is enabled when the time range starts and disabled when it ends. You can also disassociate the access-group from the time range without removing the access-group itself.
Last modified date: 10/19/2023