ipv4 access-group (BNG)
To control access to an interface, use the ipv4 access-group command in an appropriate configuration mode. To remove the specified access group, use the no form of this command.
ipv4 access-group access-list-name {common acl-p { [acl1 ingress [hardware-count] [interface-statistics]] | ingress} | acl1 {ingress | egress} [hardware-count] [interface-statistics]}
Syntax Description
access-list-name | The name of the ipv4 access list as specified by the ipv4 access-list command. |
common | The name of the common ACL. Common ACL is supported only in the ingress direction. |
ingress | Filters on inbound packets. |
egress | Filters on outbound packets. |
hardware-count | (Optional) Specifies access to a group's hardware counters. |
interface-statistics | (Optional) Specifies per-interface statistics in the hardware. Not available for common ACL. |
Command Default
The interface does not have an IPv4 access list applied to it.
Command Modes
Global Configuration mode
Command History
Release | Modification |
---|---|
Release 4.1.1 | This command was introduced. |
Release 4.2.0 | This command was supported in the dynamic template configuration mode for BNG. |
Usage Guidelines
Use the ipv4 access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the access-list-name argument to specify a particular IPv4 access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets. Use the hardware-count argument to enable hardware counters for the access group.
Permitted packets are counted only when hardware counters are enabled using the hardware-count argument. Denied packets are counted whether hardware counters are enabled or not.
To enter the dynamic template configuration mode, run the dynamic-template command in the Global Configuration mode (applicable only for BNG).
Note | Under the dynamic template configuration mode, only the egress and ingress keywords are displayed. |
Note | For packet filtering applications using the ipv4/ipv6 access-group command, packet counters are maintained in hardware for each direction. If an access group is used on multiple interfaces in the same direction, then packets are counted for each interface that has the hardware-count argument enabled. |
If the access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.
If the specified access list does not exist, all packets are passed.
By default, the unique or per-interface ACL statistics are disabled.
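Because an access group that names a nonexistent access list passes all packets, a misspelled or deleted ACL name silently leaves the interface unfiltered. The following audit script is an added example, not part of the original command reference: it scans a saved configuration for ipv4 access-group references, in both the common and per-interface forms shown in the syntax above, that have no matching ipv4 access-list definition. The sample configuration, the interface names, and the use of "interface" and "type" lines as context markers are assumptions made for illustration.

```python
import re

KEYWORDS = {"ingress", "egress", "hardware-count", "interface-statistics"}

# Constructed sample in running-config layout (not taken from a real device).
SAMPLE_CONFIG = """\
ipv4 access-list acl-common
 10 permit ipv4 host 205.205.205.1 host 200.175.175.1 log-input
 15 deny ipv4 any host 200.175.175.1
ipv4 access-list acl-unique1
 20 permit ipv4 any any
interface GigabitEthernet0/0/0/1
 ipv4 access-group common acl-common acl-unique1 ingress
interface GigabitEthernet0/0/0/2
 ipv4 access-group acl-uniqe1 egress hardware-count
dynamic-template
 type ppp p1
  ipv4 access-group a1 egress
"""

def acl_names(tokens):
    """Return the ACL names among the arguments of one access-group line."""
    if tokens and tokens[0] == "common":
        tokens = tokens[1:]        # 'common' is a keyword; ACL names follow it
    names = []
    for tok in tokens:
        if tok in KEYWORDS:
            break                  # direction and counter keywords end the names
        names.append(tok)
    return names

def find_dangling(config):
    """Return (context, acl) pairs for ACLs that are applied but never defined."""
    defined, refs, context = set(), [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ipv4 access-list (\S+)", line)
        if m:
            defined.add(m.group(1))
        elif line.startswith(("interface ", "type ")):
            context = line         # assumed context markers (see lead-in)
        elif line.startswith("ipv4 access-group "):
            refs += [(context, n) for n in acl_names(line.split()[2:])]
    return [(ctx, n) for ctx, n in refs if n not in defined]

if __name__ == "__main__":
    for ctx, name in find_dangling(SAMPLE_CONFIG):
        print(f"{ctx}: access list '{name}' is not defined; all packets pass")
```

References are checked only after the whole file is read, so an access list defined later in the configuration than the interface that uses it is not reported.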
Task ID
Task ID | Operation |
---|---|
acl | read, write |
network | read, write |
config-services | read, write |
Examples
RP/0/RSP0/CPU0:router# show access-lists
ipv4 access-list acl-common
10 permit ipv4 host 205.205.205.1 host 200.175.175.1 log-input
15 deny ipv4 any host 200.175.175.1
20 permit ipv4 host 205.205.205.1 host 201.175.175.1 log-input
25 deny ipv4 any host 201.175.175.1
30 permit ipv4 host 205.205.205.1 host 202.175.175.1 log-input
35 deny ipv4 any host 202.175.175.1
ipv4 access-list acl-unique1
10 permit ipv4 host 205.205.205.1 host 203.175.175.1 log-input
15 deny ipv4 any host 203.175.175.1
20 permit ipv4 any any
ipv4 access-list ssm-acl
10 permit ipv4 232.0.0.0 0.255.255.255 any log
RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group common acl-common acl-unique1 ingress
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# dynamic-template type ppp p1
RP/0/RSP0/CPU0:router(config-dynamic-template-type)# ipv4 access-group a1 egress