DGS-6604 CLI Reference Guide
ip access-group
Use the ip access-group command to specify the IP access-list to be applied to an interface. Use the no form of this command to remove an IP access list.
ip access-group NAME [in]
no ip access-group NAME [in]
Default
None
Command Mode
Interface configuration
Usage Guideline
One MAC access-list, one IP access-list and one IPv6 access-list can be applied to the
same interface. An error message is displayed if the user attempts to apply a
second IP access list.
The IP access list must be created before it can be applied to an interface. An
error message is displayed if a list has not yet been created.
The keyword in specifies the ingress direction check.
The association of an access-group with an interface will consume the filtering
entry resources in the switch controller. If the command is applied successfully,
the number of remaining entries is displayed. If the access-group contains a rule
with a port operator (e.g. gt/lt operator), the number of remaining rules for the
port operator is displayed. If the resource is insufficient to commit the command,
an error message is displayed.
There is a limitation on the number of port selectors that can be applied.
If the maximum number of available port selectors is exceeded, an error message
is displayed.
Syntax Description
NAME
The name of the IP access-list to be applied. Up to 32 characters are allowed.
The syntax is a general string that does not allow spaces.
in
(Optional) Specifies that the IP access-list will be applied to ingress traffic. If no
option is specified, in direction is applied.
Example
This example shows how to specify the IP access-list Strict-Control as an IP
access group for eth3.2.
Switch(config)# interface eth3.2
Switch(config-if)# ip access-group Strict-Control
Verify the settings by entering the show access-group privileged EXEC command.
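The rules in the Usage Guideline and Syntax Description can be checked offline before a configuration is pushed to the switch. The Python sketch below is an added example, not part of the D-Link guide: the function name, the sample configuration and list names other than Strict-Control are constructed, the set of already-created IP access lists is supplied by the caller, and it assumes an interface context lasts until the next interface line.

```python
import re

MAX_NAME_LEN = 32  # "Up to 32 characters are allowed"
IFACE_RE = re.compile(r"^interface\s+(\S+)$")
GROUP_RE = re.compile(r"^(no\s+)?ip access-group(?:\s+(.*))?$")

# Constructed sample input, not taken from a real switch.
SAMPLE_DEFINED = {"Strict-Control", "Guest-Filter"}
SAMPLE_CONFIG = """\
interface eth3.2
 ip access-group Strict-Control
 ip access-group Guest-Filter in
interface eth3.3
 ip access-group Not-Created in
interface eth3.4
 ip access-group Strict Control
"""

def lint_ip_access_groups(config_text, defined_lists):
    """Return (line_no, interface, message) for each line that breaks a documented rule."""
    findings, current_if, applied = [], None, {}
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current_if = m.group(1)  # assumption: context lasts until next "interface"
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        tokens = (m.group(2) or "").split()
        # NAME is one token without spaces; only the optional keyword "in" may follow.
        bad_syntax = not tokens or len(tokens) > 2 or (len(tokens) == 2 and tokens[1] != "in")
        if current_if is None or bad_syntax:
            findings.append((line_no, current_if, "expected: ip access-group NAME [in]"))
        elif m.group(1):
            applied.pop(current_if, None)  # "no" form removes the IP access list
        elif len(tokens[0]) > MAX_NAME_LEN:
            findings.append((line_no, current_if, "NAME longer than 32 characters"))
        elif tokens[0] not in defined_lists:
            findings.append((line_no, current_if, "IP access list not created"))
        elif current_if in applied:
            findings.append((line_no, current_if, "second IP access list on interface"))
        else:
            applied[current_if] = tokens[0]
    return findings

if __name__ == "__main__":
    for finding in lint_ip_access_groups(SAMPLE_CONFIG, SAMPLE_DEFINED):
        print(finding)
```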