Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/switch/help/en-us/index.html?contextId=cli-security-ACL

ACL

ip access-list extend

Command Objective: This command creates IP ACLs and enters the IP Access-list configuration mode.

The no form of the command deletes the IP access-list.

Syntax:

  • ip access-list extended <string(31)>
  • no ip access-list extended <string(31)>

Parameter Description:

  • <string(31)>: Configures the extended access-list name.

Mode: Global Configuration Mode.

permit- ip/ospf/pim/protocol type

Command Objective: This command allows traffic for a particular protocol packet if the conditions defined in the permit statement are matched.

Syntax: permit {ip | ospf | pim | <protocol-type (1-255)> | IPinIP | egp | igp | hmp | rdp | ipv6 | ipv6:route | ipv6:frag | rsvp | ipv6:icmp | l2tp} {any | host <src-ip-address> | <src-ip-address> <mask>} {any | host <dest-ip-address> | <dest-ip-address> <mask>} ace-priority <integer (1-2147483647)> [dscp <value (0-63)>]

Parameter Description:

  • ip | ospf |pim | <protocol-type (1-255)> | IPinIP | egp | igp | hmp | rdp | ipv6 | ipv6:route | ipv6:frag | rsvp | ipv6:icmp | l2tp: Type of protocol for the packet. It can also be a protocol number.

  • any | host <src-ip-address> | <src-ip-address> <mask>: Source IP address can be:

    • 'any'
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any | host <dest-ip-address> | <dest-ip-address> <mask>: Destination IP address can be:

    • 'any'
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address.

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

deny- ip/ospf/pim/protocol type

Command Objective: This command denies traffic for a particular protocol packet if the conditions defined in the deny statement are matched.

Syntax: deny {ip | ospf | pim | <protocol-type (1-255)> | IPinIP | egp | igp | hmp | rdp | ipv6 | ipv6route | ipv6frag | rsvp | ipv6icmp | l2tp} {any | host <src-ip-address> | <src-ip-address> <mask>} {any | host <dest-ip-address> | <dest-ip-address> <mask>} ace-priority <integer (1-2147483647)> [dscp <value (0-63)> ]

Parameter Description:

  • ip | ospf | pim | <protocol-type (1-255)> | IPinIP | egp | igp | hmp | rdp | ipv6 | ipv6route | ipv6frag | rsvp | ipv6icmp | l2tp: Type of protocol for the packet. It can also be a protocol number.

  • any | host <src-ip-address> | <src-ip-address> <mask>: Source IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any | host <dest-ip-address> | <dest-ip-address> <mask>: Destination IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

permit tcp

Command Objective: This command specifies the TCP packets to be forwarded based on the associated parameters.

Syntax: permit tcp {any | host <src-ip-address> | <src-ip-address> <src- mask>} [eq <port-number (1-65535)>] {any | host <dest-ip-address> | <dest-ip-address> <dest-mask>} [eq <port-number (1- 65535)>] ace-priority <integer (1-2147483647)> [{ack | non_ack}] [{rst | non_rst}] [{psh | non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <value (0-63)>]

Parameter Description:

  • tcp: Transport Control Protocol.

  • any | host <src-ip-address> | <src-ip-address> <src-mask>: Source IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)>: Port Number.

  • any | host <dest-ip-address> | <dest-ip-address> <dest-mask>: Destination IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ack | non_ack: TCP ACK bit to be checked against the packet.
  • rst | non_rst: TCP RST bit to be checked against the packet.
  • psh | non_psh: TCP PSH bit to be checked against the packet.
  • urg | non_urg: TCP URG bit to be checked against the packet.
  • syn | non_syn: TCP SYN bit to be checked against the packet.
  • fin | non_fin: TCP FIN bit to be checked against the packet.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

deny tcp

Command Objective: This command specifies the TCP packets to be rejected based on the associated parameters.

Syntax: deny tcp {any | host <src-ip-address> | <src-ip-address> <src- mask>} [eq <port-number (1-65535)>] {any | host <dest-ip-address> | <dest-ip-address> <dest-mask>} [eq <port-number (1-65535)>] ace-priority <integer (1-2147483647)> [{ack | non_ack}] [{rst | non_rst}] [{psh | non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <value (0-63)>]

Parameter Description:

  • tcp: Transport Control Protocol.

  • any | host <src-ip-address> | <src-ip-address> <src-mask>: Source IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)>: Port Number.

  • any | host <dest-ip-address> | <dest-ip-address> <dest-mask>: Destination IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ack | non_ack: TCP ACK bit to be checked against the packet.
  • rst | non_rst: TCP RST bit to be checked against the packet.
  • psh | non_psh: TCP PSH bit to be checked against the packet.
  • urg | non_urg: TCP URG bit to be checked against the packet.
  • syn | non_syn: TCP SYN bit to be checked against the packet.
  • fin | non_fin: TCP FIN bit to be checked against the packet.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

permit udp

Command Objective: This command specifies the UDP packets to be forwarded based on the associated parameters.

Syntax: permit udp {any | host <src-ip-address> | <src-ip-address> <src- mask>} [eq <port-number (1-65535)>] {any | host <dest-ip-address> | <dest-ip-address> <dest-mask>} [eq <port-number (1-65535)>] ace-priority <integer (1-2147483647)> [dscp <value (0-63)>]

Parameter Description:

  • udp: User Datagram Protocol.

  • any | host <src-ip-address> | <src-ip-address> <src-mask>: Source IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)>: Port Number.

  • any | host <dest-ip-address> | <dest-ip-address> <dest-mask>: Destination IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rule.

  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

deny udp

Command Objective: This command specifies the UDP packets to be rejected based on the associated parameters.

Syntax: deny udp {any | host <src-ip-address> | <src-ip-address> <src- mask>} [eq <port-number (1-65535)>] {any | host <dest-ip-address> | <dest-ip-address> <dest-mask> } [eq <port-number (1-65535)>] ace-priority <integer (1-2147483647)> [dscp <value (0-63)>]

Parameter Description:

  • udp: User Datagram Protocol.

  • any | host <src-ip-address> | <src-ip-address> <src-mask>: Source IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)>: Port Number.

  • any | host <dest-ip-address> | <dest-ip-address> <dest-mask>: Destination IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> [- Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

permit icmp

Command Objective: This command specifies the ICMP packets to be forwarded based on the IP address and the associated parameters.

Syntax: permit icmp {any | host <src-ip-address> | <src-ip-address > <mask>} {any | host <dest-ip-address> | <dest-ip-address> <ma sk>} [type <message-type (0-255)>] [code <message-code (0-255)>] ace-priority <integer (1-2147483647)> [dscp <integer ( 0-63)>]

Parameter Description:

  • icmp: Internet Control Message Protocol.

  • any | host <src-ip-address> | <src-ip-address> <mask>: Source IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any | host <dest-ip-address> | <dest-ip-address> <mask>: Destination IP address can be.

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address.

  • type <short (0-255)>: message type.

  • code <short (0-255)>: message code.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

deny icmp

Command Objective: This command specifies the ICMP packets to be rejected based on the IP address and associated parameters.

Syntax: deny icmp {any | host <src-ip-address> | <src-ip-address> <mask>} {any | host <dest-ip-address> | <dest-ip-address> <mask>} [type <message-type (0-255)>] [code <message-code (0-255)>] ace-priority <integer (1-2147483647)> [dscp <integer (0-63)>]

Parameter Description:

  • icmp: Internet Control Message Protocol.

  • any | host <src-ip-address> | <src-ip-address> <mask>: Source IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any | host <dest-ip-address> | <dest-ip-address> <mask>: Destination IP address can be:

    • any
    • The dotted decimal address.
    • The IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address.

  • type <short (0-255)>: message type.

  • code <short (0-255)>: message code.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV4 ACL Extended Access List Configuration Mode.

no ace-priority

Command Objective: This command deletes an ace entry.

Syntax: no ace-priority <integer (1-2147483647)>

Parameter Description:

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

Mode: IPV4 ACL Extended Access List Configuration Mode.

ipv6 access-list extend

Command Objective: This command creates ipv6 ACLs and enters the ipv6 Access-list configuration mode.

The no form of the command deletes the ipv6 access-list.

Syntax:

  • ipv6 access-list extended <string(31)>
  • no ipv6 access-list extended <string(31)>

Parameter Description:

  • <string(31)>: Configures the access-list name.

Mode: Global Configuration Mode.

permit ipv6

Command Objective: This command specifies IPv6 packets to be forwarded based on protocol and associated parameters.

Syntax: permit ipv6 {any | host <src-ipv6-addr> <src-prefix-len (0- 128)>} {any | host <dst-ipv6-addr> <dst-prefix-len (0-128)>} ace-priority <integer (1-2147483647)> [dscp <short(0-63)>]

Parameter Description:

  • ipv6: Ipv6 protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

deny ipv6

Command Objective: This command specifies IPv6 packets to be forwarded based on protocol and associated parameters.

Syntax: deny ipv6 {any | host <ip6_addr> <src-prefix-len (0-128)>} {any | host <ip6_addr> <dst-prefix-len (0-128)>} ace-priority <integer (1-2147483647)> [dscp <short(0-63)>]

Parameter Description:

  • ipv6: Ipv6 protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • dscp <short (0-63)>: ]{.s15}[- Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

permit tcp

Command Objective: This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax: permit tcp {any | host <src-ipv6-addr> <src-prefix-len (0-128)} [eq <port-number (1-65535)>] {any | host <dst-ipv6-addr> <dst- prefix-len (0-128)>} [eq <port-number (1-65535)>] ace-priority <integer (1-2147483647)> [{ack | non_ack}] [{rst | non_rst}] [{psh | non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <value (0-63)>]

Parameter Description:

  • tcp: Transport Control Protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • eq <short (1-65535)>: Port Number.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • ack | non_ack: TCP ACK bit to be checked against the packet.
  • rst | non_rst: TCP RST bit to be checked against the packet.
  • psh | non_psh: TCP PSH bit to be checked against the packet.
  • urg | non_urg: TCP URG bit to be checked against the packet.
  • syn | non_syn: TCP SYN bit to be checked against the packet.
  • fin | non_fin: TCP FIN bit to be checked against the packet.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

deny tcp

Command Objective: This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax: deny tcp {any | host <src-ipv6-addr> <src-prefix-len (0-128)} [eq <port-number (1-65535)>] {any | host <dst-ipv6-addr> <dst-prefix-len (0-128)>} [eq <port-number (1-65535)>] ace-priority <integer (1-2147483647)> [{ack | non_ack}] [{rst | non_rst}] [{psh |non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <value (0-63)>]

Parameter Description:

  • tcp: Transport Control Protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • eq <short (1-65535)>: Port Number.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • ack | non_ack: TCP ACK bit to be checked against the packet.
  • rst | non_rst: TCP RST bit to be checked against the packet.
  • psh | non_psh: TCP PSH bit to be checked against the packet.
  • urg | non_urg: TCP URG bit to be checked against the packet.
  • syn | non_syn: TCP SYN bit to be checked against the packet.
  • fin | non_fin: TCP FIN bit to be checked against the packet.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

permit udp

Command Objective: This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax: permit udp {any | host <src-ipv6-addr> <src-prefix-len (0-128)>} [eq <port-number (1-65535)>] {any | host <dst-ipv6-addr> <dst-prefix-len (0-128)>} [eq <port-number (1-65535)>] ace-priority <integer (1-2147483647)> [dscp <value (0-63)]

Parameter Description:

  • udp: User Datagram Protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • eq <short (1-65535)>: Port Number.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

deny udp

Command Objective: This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax: deny udp {any | host <src-ipv6-addr> <src-prefix-len (0-128)>} [eq <port-number (1-65535)>] {any | host <dst-ipv6-addr> <short(0-128)>} [eq <port-number (1-65535)>] ace-priority <integer (1-2147483647)> [dscp <value (0-63)>]

Parameter Description:

  • udp: User Datagram Protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • eq <short (1-65535)>: Port Number.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

permit icmpv6

Command Objective: This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax: permit icmpv6 {any | host <src-ipv6-addr> <src-prefix-len (0-128)>} {any | host <dst-ipv6-addr> <dst-prefix-len (0-128)} ace-priority <integer (1-2147483647)> [type <short(0-255)>] [code <short(0-255)>] [dscp <value (0-63)>]

Parameter Description:

  • icmpv6: Internet Control Message Protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • type <short (0-255)>: Message type.
  • code <short (0-255)>: Message code.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

deny icmpv6

Command Objective: This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax: deny icmpv6 {any | host <src-ipv6-addr> <src-prefix-len (0-128)>} {any | host <dst-ipv6-addr> <dst-prefix-len (0-128)>} ace-priority <integer (1-2147483647)> [type <short (0-255)>] [code <short (0-255)>] [dscp <value (0-63)>]

Parameter Description:

  • icmpv6: Internet Control Message Protocol.
  • any | host <ip6_addr> <integer(0-128)>: Source address of the host / any host.
  • any | host <ip6_addr> <integer(0-128)>: Destination address of the host / any host.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • type <short (0-255)>: Message type.
  • code <short (0-255)>: Message code.
  • dscp <short (0-63)>: Differentiated services code point provides the quality of service control.

Mode: IPV6 ACL Extended Access List Configuration Mode.

no ace-priority

Command Objective: This command deletes an ace entry.

Syntax: no ace-priority <integer (1-2147483647)>

Parameter Description:

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

Mode: IPV6 ACL Extended Access List Configuration Mode.

mac access-list extend

Command Objective: This command creates mac ACLs and enters the mac Access-list configuration mode.

The no form of the command deletes the mac access-list.

Syntax:

  • mac access-list extended <string(31)>
  • no mac access-list extended <string(31)>

Parameter Description:

  • <string(31)>: Configures the access-list name.

Mode: Global Configuration Mode.

permit mac

Command Objective: This command specifies the packets to be forwarded based on the MAC address and the associated parameters, that is, this command allows non-IP traffic to be forwarded if the conditions are matched.

Syntax: permit {any | host <src-mac-address>} {any | host <dest-mac-address>} {ace-priority <integer (1-2147483647)>} [ethertype <integer (1536-65535)>] [vlan <vlan-id (1-4094)>] [vlan- priority <value (0-7)>]

Parameter Description:

  • any | host <src-mac-address>: Source MAC address to be matched with the packet.
  • any | host <dest-mac-address>: Destination MAC address to be matched with the packet.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • ethertype <integer (1-65535)>: Specifies the non-IP protocol type to be filtered.
  • vlan <integer (1-4094)>: VLAN value to match against incoming packets.
  • vlan-priority <short (0-7)>: VLAN priority value to match against incoming packets.

Mode: MAC ACL Extended Access List Configuration Mode.

deny mac

Command Objective: This command specifies the packets to be rejected based on the MAC address and the associated parameters.

Syntax: deny {any | host <src-mac-address>} {any | host <dest-mac- address>} {ace-priority <integer (1-2147483647)>} [ethertype <integer (1536-65535)>] [vlan <vlan-id (1-4094)>] [vlan-priority <priority (0-7)>]

Parameter Description:

  • any | host <src-mac-address>: Source MAC address to be matched with the packet.
  • any | host <dest-mac-address>: Destination MAC address to be matched with the packet.
  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
  • ethertype <integer (1-65535)>: Specifies the non-IP protocol type to be filtered.
  • vlan <integer (1-4094)>: VLAN value to match against incoming packets.
  • vlan-priority <short (0-7)>: VLAN priority value to match against incoming packets.

Mode: MAC ACL Extended Access List Configuration Mode.

no ace-priority

Command Objective: This command deletes an ace entry.

Syntax: no ace-priority <integer (1-2147483647)>

Parameter Description:

  • ace-priority <integer (1-2147483647)>: The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

Mode: MAC ACL Extended Access List Configuration Mode.

ip access-group

Command Objective: This command enables access control for the packets on the interface.

The no form of this command removes all access groups or the specified access group from the interface.

Syntax:

  • ip access-group <string (31)> in
  • no ip access-group [<string(31)>] in

Parameter Description:

  • <string(31)>: IP access control list name.

Mode: Interface Configuration Mode.

ipv6 access-group

Command Objective: This command enables ipv6 access control for the packets on the interface.

The no form of this command removes all access groups or the specified access group from the interface.

Syntax:

  • Ipv6 access-group <string (31)> in
  • no ipv6 access-group [<string(31)>] in

Parameter Description:

  • <string(31)>: IPv6 access control list name.

Mode: Interface Configuration Mode.

mac access-group

Command Objective: This command applies a MAC access control list (ACL) to a Layer 2 interface.

The no form of this command can be used to remove the MAC ACLs from the interface.

Syntax:

  • mac access-group <string (31)> in
  • no mac access-group [<string(31)>] in

Parameter Description:

  • <string(31)>: MAC access control list name.

Mode: Interface Configuration Mode.

show access-lists

Command Objective: This command displays the access lists configuration.

Syntax: show access-lists [{ip | mac | ipv6} [<string(31)>]]

Parameter Description:

  • ip: IP Access List.
  • mac: MAC Access List.
  • ipv6: Ipv6 Access List.
  • <string(31)>: Name of access list

Mode: Previledge EXEC Mode.