To control access to an interface, use the ipv4 access-group command in an appropriate configuration mode. To remove the specified access group, use the no form of this command.
To use this command, you must
be in a user group associated with a task group that includes appropriate task
IDs. If the user group assignment is preventing you from using a command,
contact your AAA administrator for assistance.
Use the ipv4 access-group command to control access to an
interface. To remove the specified access group, use the no form of
the command. Use the access-list-name argument to specify a
particular IPv4 access list. Use the ingress keyword to filter on
inbound packets or the egress keyword to filter on outbound
packets. Use the hardware-count argument to enable hardware
counters for the access group.
Permitted packets are counted only when hardware counters are
enabled using the hardware-count argument. Denied packets are
counted whether hardware counters are enabled or not.
To enter the dynamic template configuration mode, run dynamic-template command in the global configuration mode.
Under the dynamic template configuration mode, only the egress and ingress keywords are displayed.
For packet filtering applications using the ipv4/ipv6 access-group command, packet counters are maintained in hardware for each direction. If an access group is used on multiple interfaces in the same direction, then packets are counted for each interface that has the hardware-count argument enabled.
If the access list permits the addresses, the software continues
to process the packet. If the access list denies the address, the
software discards the packet and returns an Internet Control
Message Protocol (ICMP) host unreachable message.
If the specified access list does not exist, all packets are
By default, the unique or per-interface ACL statistics are
This is an example of the show access-lists command:
RP/0/RSP0/CPU0:router# show access-lists
ipv4 access-list acl-common
10 permit ipv4 host 184.108.40.206 host 220.127.116.11 log-input
15 deny ipv4 any host 18.104.22.168
20 permit ipv4 host 22.214.171.124 host 126.96.36.199 log-input
25 deny ipv4 any host 188.8.131.52
30 permit ipv4 host 184.108.40.206 host 220.127.116.11 log-input
35 deny ipv4 any host 18.104.22.168
ipv4 access-list acl-unique1
10 permit ipv4 host 22.214.171.124 host 126.96.36.199 log-input
15 deny ipv4 any host 188.8.131.52
20 permit ipv4 any any
ipv4 access-list ssm-acl
10 permit ipv4 184.108.40.206 0.255.255.255 any log
This is an example of a configured IPv4 ACL in the dynamic template configuration mode:
RP/0/RSP0/CPU0:router(config)# dynamic-template type ppp p1
RP/0/RSP0/CPU0:router(config-dynamic-template-type)# ipv4 access-group a1 egress