ip

Creates an access control list (ACL) and enters its configuration mode. Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

ip [access-list|ex3500-ext-access-list|ex3500-std-access-list|snmp-access-list]
ip ex3500-ext-access-list <EX3500-EXT-ACL-NAME>
ip ex3500-std-access-list <EX3500-STD-ACL-NAME>
ip access-list <IP-ACL-NAME>
ip snmp-access-list <IP-SNMP-ACL-NAME>

Parameters

ip access-list <IP-ACL-NAME>
access-list <IP-ACL-NAME> Creates an IP ACL and enters its configuration mode
  • <IP-ACL-NAME> – Specify the ACL name. If the access list does not exist, it is created.
ip ex3500-ext-access-list <EX3500-EXT-ACL-NAME>
ex3500-ext-access-list <EX3500-EXT-ACL-NAME> Creates an EX3500 Extended ACL and enters its configuration mode
  • <EX3500-EXT-ACL-NAME> – Specify the ACL name. If an ACL with the specified name does not exist, it is created.
ip ex3500-std-access-list <EX3500-STD-ACL-NAME>
ex3500-std-access-list <EX3500-STD-ACL-NAME> Creates an EX3500 Standard ACL and enters its configuration mode
  • <EX3500-STD-ACL-NAME> – Specify the ACL name. If an ACL with the specified name does not exist, it is created.
ip snmp-access-list <IP-SNMP-ACL-NAME>
snmp-access-list <IP-SNMP-ACL-NAME> Creates an SNMP IP ACL and enters its configuration mode. An SNMP IP ACL is an access control mechanism that uses a combination of an IP ACL and an SNMP community string.

SNMP performs network management functions using a data structure called a MIB. SNMP is widely implemented but not very secure, since it relies only on plaintext community strings to control access to controller or service platform configuration.

Use SNMP ACLs (firewalls) to help reduce SNMP's vulnerabilities, as SNMP traffic can be easily exploited to produce a DoS.
  • <IP-SNMP-ACL-NAME> – Specify the SNMP IP ACL name. If the access list does not exist, it is created. After creating the SNMP ACL, define the deny/permit rules based on the network and/or host IP addresses. Once created and configured, link this SNMP IP ACL with an SNMP community string.

To link the SNMP community string with the SNMP IP ACL, use the following command in management policy configuration mode: snmp-server > community <COMMUNITY-STRING> > [ro|rw] > ip-snmp-access-list <IP-SNMP-ACL-NAME>.
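The following Python model is added here to illustrate the access check that the SNMP IP ACL mechanism described above performs; it is not code from the Extreme Networks documentation or from the WiNG software. It models an ACL as permit/deny rules on the requester's source IP, links each ACL to a community string the way the snmp-server community command does, and accepts a request only when the community exists, its ACL permits the source, and the ro/rw mode allows the operation. The rule precedence ordering, the implicit deny when no rule matches, the "host"/"any" rule notation, and all addresses and community strings are assumptions constructed for this model, not a statement of the device's exact rule syntax or defaults.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model (not the device's own logic) of an SNMP IP ACL: an ordered
# set of permit/deny rules keyed on the requester's source IP, linked to a
# community string in the management policy.


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # "host A.B.C.D" becomes a /32, "any" becomes 0.0.0.0/0
    precedence: int                   # lower values are evaluated first (assumption of this model)


@dataclass
class SnmpAcl:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action: str, target: str, precedence: int) -> None:
        """Add a rule; target is 'any', 'host <ip>' or '<network>/<prefix>'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if target == "any":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        elif target.startswith("host "):
            network = ipaddress.IPv4Network(target.split()[1] + "/32")
        else:
            network = ipaddress.IPv4Network(target, strict=False)
        self.rules.append(Rule(action, network, precedence))

    def evaluate(self, src_ip: str) -> str:
        """Return the action of the first matching rule by precedence.
        No match is treated as an implicit deny (assumption of this model)."""
        addr = ipaddress.IPv4Address(src_ip)
        for rule in sorted(self.rules, key=lambda r: r.precedence):
            if addr in rule.network:
                return rule.action
        return "deny"


@dataclass
class Community:
    string: str
    mode: str                        # "ro" or "rw"
    acl: Optional[SnmpAcl] = None    # the ip-snmp-access-list linked to this community


class ManagementPolicy:
    """Holds community strings and the SNMP ACLs they are linked to."""

    def __init__(self) -> None:
        self.communities: Dict[str, Community] = {}

    def snmp_server_community(self, string: str, mode: str, acl: Optional[SnmpAcl] = None) -> None:
        if mode not in ("ro", "rw"):
            raise ValueError("mode must be ro or rw")
        self.communities[string] = Community(string, mode, acl)

    def check_request(self, src_ip: str, community: str, operation: str) -> Tuple[bool, str]:
        """Decide whether an SNMP get/set from src_ip using `community` is accepted."""
        comm = self.communities.get(community)
        if comm is None:
            return False, "unknown community string"
        if comm.acl is not None and comm.acl.evaluate(src_ip) != "permit":
            return False, f"source {src_ip} denied by ACL {comm.acl.name}"
        if operation == "set" and comm.mode != "rw":
            return False, f"community {community} is read-only"
        return True, "accepted"


def build_example_policy() -> ManagementPolicy:
    """Constructed sample: a read-only community open to the NMS subnet and a
    read-write community locked to the single NMS host. Addresses are made up."""
    subnet_acl = SnmpAcl("SNMPAcl")
    subnet_acl.add_rule("permit", "host 10.1.1.5", 10)
    subnet_acl.add_rule("permit", "10.1.1.0/24", 20)
    subnet_acl.add_rule("deny", "any", 100)

    nms_only = SnmpAcl("NmsOnly")
    nms_only.add_rule("permit", "host 10.1.1.5", 10)

    policy = ManagementPolicy()
    policy.snmp_server_community("ops-ro", "ro", subnet_acl)
    policy.snmp_server_community("ops-rw", "rw", nms_only)
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    for src, comm, op in [("10.1.1.20", "ops-ro", "get"), ("192.0.2.9", "ops-ro", "get"),
                          ("10.1.1.20", "ops-rw", "set"), ("10.1.1.5", "ops-rw", "set")]:
        print(src, comm, op, policy.check_request(src, comm, op))
```

The reason string returned alongside each decision is what a defender would want surfaced in a log: a run of "denied by ACL" results from one source against a read-write community is the kind of pattern worth alerting on, and separating the ACL check from the ro/rw check makes clear that a source permitted by the ACL still cannot write through a read-only community.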

Examples

nx9500-6C8809(config)#ip access-list test
nx9500-6C8809(config-ip-acl-test)#?
ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-ip-acl-test)#
nx9500-6C8809(config)#ip snmp-access-list SNMPAcl
nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#?
SNMP ACL Configuration commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#

Related Commands

no Removes an existing IP access control list

Note

For more information on Access Control Lists, see Access-List Policy.