ip access-group
You cannot apply an IP ACL to a Layer 3 interface on a switch that has a Layer 2 interface with an
applied IP ACL or MAC ACL, and you cannot apply a VLAN map to any of the switch VLANs.
You cannot apply an IP ACL or MAC ACL to a Layer 2 interface on a switch that has an input Layer 3
ACL or a VLAN map applied to it.
For standard inbound access lists, after the switch receives a packet, it checks the source address of the
packet against the access list. IP extended access lists can optionally check other fields in the packet,
such as the destination IP address, protocol type, or port numbers. If the access list permits the packet,
the switch continues to process the packet. If the access list denies the packet, the switch discards the
packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes
the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host
Unreachable messages are not generated for packets discarded on a Layer 2 interface.
For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the
switch checks the packet against the access list. If the access list permits the packet, the switch sends the
packet. If the access list denies the packet, the switch discards the packet and, by default, generates an
ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
Examples
This example shows how to apply IP access list 101 to inbound packets on an interface:
Switch(config)# interface fastethernet0/1
Switch(config-if)# ip access-group 101 in
You can verify your settings by entering the show ip interface, show access-lists, or show ip
access-lists privileged EXEC command.
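Because an access group that names a nonexistent access list passes all packets, a configuration audit should flag such bindings. The following is an added example, not part of the original command reference: a Python check run over a saved running-config. The sample configuration, the function names, and the ACL names MGMT-IN and MGMT-OUT are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the command reference).
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 10.1.1.10 eq 443
access-list 101 deny ip any any
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
!
interface FastEthernet0/1
 ip access-group 101 in
!
interface FastEthernet0/2
 ip access-group 102 in
!
interface Vlan10
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
"""

def defined_acls(config):
    """Return the numbers/names of IP ACLs that have a definition line."""
    acls = set()
    for line in config.splitlines():
        m = (re.match(r"access-list\s+(\d+)\s", line) or
             re.match(r"ip access-list\s+(?:standard|extended)\s+(\S+)", line))
        if m:
            acls.add(m.group(1))
    return acls

def dangling_access_groups(config):
    """Return (interface, acl, direction) for bindings to undefined ACLs."""
    known = defined_acls(config)
    findings, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            iface = None  # any other top-level line ends the interface block
        m = re.match(r"\s+ip access-group\s+(\S+)\s+(in|out)\b", line)
        if m and iface and m.group(1) not in known:
            findings.append((iface, m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for iface, acl, direction in dangling_access_groups(SAMPLE_CONFIG):
        print(f"{iface}: access list {acl} ({direction}) is not defined")
```
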
Related Commands

Command                Description
access list            Configures a numbered ACL. For syntax information, select
                       Cisco IOS Release 12.2 Configuration Guides and Command
                       References > Cisco IOS IP Command Reference, Volume 1 of 3:
                       Addressing and Services, Release 12.2 > IP Services Commands.
ip access-list         Configures a named ACL. For syntax information, select
                       Cisco IOS Release 12.2 Configuration Guides and Command
                       References > Cisco IOS IP Command Reference, Volume 1 of 3:
                       Addressing and Services, Release 12.2 > IP Services Commands.
show access-lists      Displays ACLs configured on the switch.
show ip access-lists   Displays IP ACLs configured on the switch. For syntax
                       information, select Cisco IOS Release 12.2 Configuration
                       Guides and Command References > Cisco IOS IP Command
                       Reference, Volume 1 of 3: Addressing and Services,
                       Release 12.2 > IP Services Commands.
show ip interface      Displays information about interface status and
                       configuration. For syntax information, select Cisco IOS
                       Release 12.2 Configuration Guides and Command References >
                       Cisco IOS IP Command Reference, Volume 1 of 3: Addressing
                       and Services, Release 12.2 > IP Services Commands.

Catalyst 3550 Multilayer Switch Command Reference (OL-8566-02), Chapter 2: Catalyst 3550 Switch Cisco IOS Commands