ip access-group

This command either attaches a specific IP ACL (Access Control List) identified by accesslistnumber or name to an interface (including VLAN routing interfaces), range of interfaces, or all interfaces; or associates it with a VLAN ID in a given direction. The parameter name is the name of the Access Control List.

An optional sequence number may be specified to indicate the order of this IP access list relative to other IP access lists already assigned to this interface and direction. A lower number indicates higher precedence order. If a sequence number is already in use for this interface and direction, the specified access list replaces the currently attached IP access list using that sequence number. If the sequence number is not specified for this command, a sequence number that is one greater than the highest sequence number currently in use for this interface and direction is used.

The optional control-plane keyword applies the ACL to the CPU port. Because an implicit deny all rule is added at the end of the list, IPv4 control packets such as RADIUS and TACACS+ are also dropped. To overcome this, add permit rules that allow the IPv4 control packets.

Note

The keyword control-plane is only available in Global Config mode.

Note

The out option may or may not be available, depending on the platform.

Default none
Format ip access-group {accesslistnumber|name} {{control-plane|in|out}|vlan vlan-id {in|out}} [sequence 1-4294967295]
Modes
  • Interface Config
  • Global Config
Parameter         Description
accesslistnumber  Identifies a specific IP ACL. The range is 1 to 199.
sequence          An optional sequence number that indicates the order of this IP access list relative to the other IP access lists already assigned to this interface and direction. The range is 1 to 4294967295.
vlan-id           A VLAN ID associated with a specific IP ACL in a given direction.
name              The name of the Access Control List.

The following shows an example of the command.

(Extreme 220) (Config) #ip access-group ip1 control-plane
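
The sequence-number and mode rules described above, as an added Python example that is not part of the original command reference: it checks a command line against the Format shown on this page and tracks which ACL holds which sequence number for a target and direction. The mode labels, the `cpu` and `all` target names, the interface `0/1`, and starting at 1 when nothing is attached yet are assumptions made for this example.

```python
import re

SEQ_MAX = 4294967295
# Pattern transcribed from the Format line of this command reference.
CMD = re.compile(
    r"ip access-group (?P<acl>\S+) "
    r"(?:(?P<dir>control-plane|in|out)|vlan (?P<vlan>\d+) (?P<vdir>in|out))"
    r"(?: sequence (?P<seq>\d+))?")

def parse(line, mode):
    """Validate one command; mode is 'global' or 'interface' (labels chosen here)."""
    m = CMD.fullmatch(" ".join(line.split()))
    if not m:
        raise ValueError("does not match the documented format")
    acl = m["acl"]
    if acl.isdigit() and not 1 <= int(acl) <= 199:
        raise ValueError("accesslistnumber must be 1 to 199")
    if m["dir"] == "control-plane" and mode != "global":
        raise ValueError("control-plane is only available in Global Config mode")
    seq = int(m["seq"]) if m["seq"] else None
    if seq is not None and not 1 <= seq <= SEQ_MAX:
        raise ValueError("sequence must be 1 to 4294967295")
    return acl, m["vlan"], m["dir"] or m["vdir"], seq

def apply(bindings, line, mode, interface="all"):
    """Attach the ACL and return the sequence number it ends up with."""
    acl, vlan, direction, seq = parse(line, mode)
    target = "cpu" if direction == "control-plane" else f"vlan {vlan}" if vlan else interface
    slot = bindings.setdefault((target, direction), {})
    if seq is None:
        # One greater than the highest number in use; starting at 1 for an
        # empty slot and refusing to exceed the range are assumptions.
        seq = max(slot, default=0) + 1
        if seq > SEQ_MAX:
            raise ValueError("no sequence number left above the highest in use")
    slot[seq] = acl  # a number already in use is replaced, as the page states
    return seq

def order(bindings, target, direction):
    """ACL names for one target and direction, highest precedence (lowest number) first."""
    return [acl for _, acl in sorted(bindings.get((target, direction), {}).items())]

if __name__ == "__main__":
    b = {}  # constructed sample session on a made-up interface "0/1"
    for cmd in ("ip access-group ip1 in", "ip access-group 101 in sequence 10",
                "ip access-group ip2 in", "ip access-group ip3 in sequence 10"):
        print(cmd, "->", apply(b, cmd, "interface", "0/1"))
    print(order(b, "0/1", "in"))
```

In the sample session the last command reuses sequence 10, so ACL 101 is silently detached and ip3 takes its place ahead of ip2; this is the replacement behaviour to look for when reviewing a change that reuses a sequence number.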