Command:

ip access-group


Mode:

Router(config-if)#


Syntax:

ip access-group {access-list-number | access-list-name} {in | out}

no ip access-group {access-list-number | access-list-name}


Syntax Description:

 

access-list-number | access-list-name

Assigned IP access list number or name

in

This defines access control on packets transmitted from the host. These packets are received into the router interface.

out

This defines access control on packets being sent to the host. These packets are transmitted out of the router interface. The default is out.


Command Description:

To configure an access list to be used for packets transmitted to and from the host, use the ip access-group interface configuration command. To disable control over packets transmitted to or from a host, use the no form of this command.

With this command in effect, fields within each packet are compared against the criteria in the access list, and the packet is passed or dropped accordingly. Fields that can be compared include source IP address, destination IP address, protocol, source port number, and destination port number.


Example:

 

In the following example, users are restricted from accessing certain servers, but access to other hosts is permitted.

 Router(config)#access-list 2 deny 172.16.42.55
 Router(config)#access-list 2 deny 172.16.111.1 
 Router(config)#access-list 2 deny 172.16.55.99 
 Router(config)#access-list 2 permit 172.16.0.0 0.0.255.255

!! Specify the access list interface 

 Router(config)#interface async 6
 Router(config-if)#async dynamic address
 Router(config-if)#ip access-group 2 out
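
The top-down, first-match evaluation that ACL 2 above goes through, modeled in Python as an added example (not Cisco code and not part of the original page). A standard ACL tests only the packet's source address, and anything that matches no entry falls to the implicit deny at the end of the list; the helper names `evaluate` and `shadowed` are hypothetical.

```python
import ipaddress

# Added example; helper names are hypothetical. ACL 2 from the page, as
# (action, address, wildcard mask). No mask on an entry means one host.
ACL_2 = [
    ("deny", "172.16.42.55", "0.0.0.0"),
    ("deny", "172.16.111.1", "0.0.0.0"),
    ("deny", "172.16.55.99", "0.0.0.0"),
    ("permit", "172.16.0.0", "0.0.255.255"),
]


def _bits(addr):
    return int(ipaddress.IPv4Address(addr))


def _care(wildcard):
    # Wildcard bits set to 1 are ignored; bits set to 0 must match.
    return ~_bits(wildcard) & 0xFFFFFFFF


def evaluate(acl, source):
    """Return (action, index of matching entry) for a packet's source address.

    Entries are tested top-down and the first match decides. Index None
    means nothing matched and the implicit deny at the end applied.
    """
    for index, (action, address, wildcard) in enumerate(acl):
        care = _care(wildcard)
        if _bits(source) & care == _bits(address) & care:
            return action, index
    return "deny", None


def shadowed(acl):
    """Indices of entries that can never match because one earlier entry
    already covers every address they describe (an ordering mistake)."""
    dead = []
    for j, (_, addr_j, wild_j) in enumerate(acl):
        for _, addr_i, wild_i in acl[:j]:
            care_i = _care(wild_i)
            # Earlier entry i covers j if it cares about no bit that j
            # ignores, and both agree on every bit i cares about.
            if care_i & ~_care(wild_j) == 0 and \
                    _bits(addr_i) & care_i == _bits(addr_j) & care_i:
                dead.append(j)
                break
    return dead
```

Running `shadowed` on a list before applying it catches the common ordering error where the broad permit is entered ahead of the host denies, which leaves the denies without effect.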


Misconceptions:

 

None


Related Commands:

 

access-list

 


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
