Table of Contents
Advertisement
ip access-group
Command Mode
Description
CAUTION:
Syntax
Document No. 10-300090, Issue 1
Global Configuration
Enables an access control list (ACL) and optionally sets the default action to
deny.
The default-action-deny option is a global setting and is not available in
the Web Agent. If you use the CLI to enable the default-action-deny option
and then use the Web Agent to enable a different ACL, the default-action-
deny option remains enabled. When this option is enabled, the switch
blocks all traffic that does not match an access rule in the enabled ACL.
Do not use the Web Agent to enable a different ACL if the default-
action-deny option is enabled. Because the option remains enabled,
you can unexpectedly lose connectivity to the switch.
To ensure that you never inadvertently lose all connectivity to the switch,
you can add an access rule that always permits a specific connection. You
must add the rule to all ACLs on the switch, though, so that regardless of
the ACL that is enabled, the default-action-deny option does not block the
connection.
For example, to ensure that you can always connect to the switch from a PC
that has an IP address of 192.168.10.10, add the following access rule to all
ACLs on the switch: ip access-list <access-list- name> <access-list-index>
permit 192.168.10.10 0.0.0.0.
The no form of this command disables the access control list. The default
action is by default set to permit.
To Enable:
ip access-group <access-list-name> [default-action-deny]
To
[no] ip access-group <access-list-name>
Disable:
Policy
20-9
Advertisement
Table of Contents
