ip access-group

Applies rules specified in an IPv4 access control list (ACL) to traffic entering or exiting an interface.

Syntax

ip access-group ACLname { in [ routed ] | out }
no ip access-group ACLname { in | out }

Parameters

ACLname
Specifies the name of the standard or extended IPv4 access list.
in
Applies the ACL to incoming switched and routed traffic.
out
Applies the ACL to outgoing routed traffic and, on SLX 9150 and SLX 9250 devices, also to outgoing switched traffic.
routed
Optional. Applies only to an ingress ACL, and only when the ACL is applied to inbound traffic on a Layer 3 sub-interface such as a VE interface.

Modes

Interface subtype configuration mode

Usage Guidelines

Use this command to apply an IPv4 ACL to one of the following interface types:
  • User interfaces
    • Physical Ethernet interfaces
    • Port-channels (LAGs)
    • Virtual Ethernet (VE) (attached to a VLAN or to a bridge domain)
  • The management interface
You can apply a maximum of five ACLs to a user interface, as follows:
  • One ingress MAC ACL—if the interface is in switchport mode
  • One egress MAC ACL—if the interface is in switchport mode
  • One ingress IPv4 ACL
  • One egress IPv4 ACL
  • One ingress IPv6 ACL
You can apply a maximum of two ACLs to the management interface, as follows:
  • One ingress IPv4 ACL
  • One ingress IPv6 ACL

You can apply an ACL to multiple interfaces, and you can apply the same ACL twice to a given user interface, once ingress and once egress.

To remove an ACL from an interface, enter the no form of this command.

The routed parameter is available only for ingress ACLs applied to a VE interface; it is not available on other interfaces.

You cannot modify an existing ingress ACL definition to include the routed parameter. An error is displayed.

The no form of the command cannot be used to remove the routed parameter from the ACL. To change the ACL, you must delete the entire ACL configuration and re-configure it.
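As an added example (not from the SLX documentation or from Extreme's software), the following Python linter checks the access-group bindings in a running-config against the limits above: one ACL per slot, ingress-only IPv4/IPv6 ACLs on the management interface, MAC ACLs only in switchport mode, and routed only on an ingress IPv4 ACL on a VE. The stanza layout, the switchport sub-command line and the "interface Management 0" spelling in the sample are assumptions.

```python
import re
USER_SLOTS = {("ip", "in"), ("ip", "out"), ("ipv6", "in")}  # one ACL per (family, direction) slot
SWITCHPORT_SLOTS = {("mac", "in"), ("mac", "out")}          # only when the interface is in switchport mode
MGMT_SLOTS = {("ip", "in"), ("ipv6", "in")}                  # management interface: ingress only
IFACE_RE = re.compile(r"^interface\s+(\S+)\s+(\S+)$", re.I)
ACL_RE = re.compile(r"^(ip|ipv6|mac)\s+access-group\s+(\S+)\s+(in|out)(\s+routed)?$", re.I)
# Constructed sample config (not from the page); stanza layout, "switchport" and "Management 0" are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet 0/2
 switchport
 mac access-group macacl1 in
 ip access-group ipacl2 in
 ip access-group ipacl2 out
interface Ve 10
 ip access-group ipacl2 in routed
interface Management 0
 ip access-group mgmt4 in
 ip access-group mgmt4 out
"""

def parse_interfaces(config_text):
    """Group each access-group binding under the interface stanza it appears in."""
    ifaces, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            cur = f"{m[1]} {m[2]}"
            ifaces[cur] = {"kind": m[1].lower(), "switchport": False, "acls": []}
        elif cur and line.lower() == "switchport":
            ifaces[cur]["switchport"] = True
        elif cur and (m := ACL_RE.match(line)):
            ifaces[cur]["acls"].append((m[1].lower(), m[2], m[3].lower(), bool(m[4])))
    return ifaces

def lint_access_groups(config_text):
    """Return (interface, message) findings for bindings the command reference does not allow."""
    findings = []
    for name, info in parse_interfaces(config_text).items():
        allowed = MGMT_SLOTS if info["kind"] == "management" else USER_SLOTS | (SWITCHPORT_SLOTS if info["switchport"] else set())
        seen = set()
        for fam, acl, direction, routed in info["acls"]:
            if (fam, direction) not in allowed:
                findings.append((name, f"{fam} ACL {acl} {direction} is not supported on this interface"))
            elif (fam, direction) in seen:
                findings.append((name, f"second {fam} ACL {acl} {direction}; only one per slot"))
            seen.add((fam, direction))
            if routed and not (info["kind"] == "ve" and (fam, direction) == ("ip", "in")):
                findings.append((name, f"'routed' on {acl} is only valid for an ingress IPv4 ACL on a VE"))
    return findings
```

Run lint_access_groups(SAMPLE_CONFIG) to see the single finding for the egress ACL on the management interface; the Ethernet and VE stanzas are valid under the rules above.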

Examples

The following example applies an ingress IP ACL on an Ethernet interface:

SLX (config)# interface ethernet 0/2
SLX (conf-if-eth-0/2)# ip access-group ipacl2 in

The following example removes an ingress IP ACL from an Ethernet interface:

SLX (config)# interface ethernet 0/2
SLX (conf-if-eth-0/2)# no ip access-group ipacl2 in

The following example applies an ingress IP ACL with the routed parameter to a VE interface and verifies the result:

SLX (config)# interface ve 10
SLX (config-if-ve-10)# ip access-group ipacl2 in routed
SLX (config-if-ve-10)# do show run interface ve 10
    interface Ve 10
    ip access-group ipacl2 in routed
SLX (config-if-ve-10)#