To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.
ip access-group {access-list-number | name} {in | out}
no ip access-group {access-list-number | name} {in | out}
Syntax Description
access-list-number: Number of an access list. This is a decimal number from 1 to 199.
name: Name of an IP access list as specified by an ip access-list command.
in: Filters on inbound packets.
out: Filters on outbound packets.
Default
Entering a keyword is strongly recommended, but if a keyword is not specified, out is the default.
Command Mode
Interface configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 10.0. The name argument first appeared in Cisco IOS Release 11.2.
Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination address against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination address against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
When you enable outbound access lists, you automatically disable autonomous switching for that interface. When you enable input access lists on any cBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception: an SSE configured with simple access lists can still switch packets, on output only).
Example
The following example applies list 101 on packets outbound from Ethernet interface 0:
interface ethernet 0
 ip access-group 101 out
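Two behaviors described above are easy to miss in review: an ip access-group that names a list which does not exist passes all packets, and a statement with no keyword filters outbound. The following audit script is an added example, not part of the original command reference; the sample configuration is constructed, and the script assumes lists are defined with either "access-list <number> ..." or "ip access-list {standard | extended} <name>".

```python
import re

# Constructed sample configuration text (not from the original page).
SAMPLE_CONFIG = """\
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
!
interface ethernet 0
 ip access-group 101 out
interface ethernet 1
 ip access-group EDGE-IN in
interface ethernet 2
 ip access-group 150 in
interface ethernet 3
 ip access-group 101
"""

# Assumed definition forms: numbered "access-list N ..." and named "ip access-list ...".
ACL_DEF = re.compile(
    r"^(?:access-list\s+(\d+)\s|ip access-list\s+(?:standard|extended)\s+(\S+))")
BINDING = re.compile(r"^ip access-group\s+(\S+)(?:\s+(in|out))?\s*$")

def audit_access_groups(config_text):
    """Return (interface, acl, direction, problem) tuples for risky bindings."""
    defined, bindings, current_if = set(), [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
        elif line.startswith("interface "):
            current_if = line[len("interface "):]
        elif current_if and (m := BINDING.match(line)):
            bindings.append((current_if, m.group(1), m.group(2)))
    findings = []
    for iface, acl, direction in bindings:  # checked last, so definition order is irrelevant
        if acl not in defined:
            # Usage Guidelines: a list that does not exist passes all packets.
            findings.append((iface, acl, direction or "out", "undefined-acl"))
        if direction is None:
            # Default: with no keyword, the list is applied outbound.
            findings.append((iface, acl, "out", "implicit-direction"))
    return findings

if __name__ == "__main__":
    for finding in audit_access_groups(SAMPLE_CONFIG):
        print(finding)
```
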