Creates an IP Source Guard (IPSG) ACL.

ip sg-access-list { acl_name }
no ip sg-access-list { acl_name }
acl_name
Specifies the ACL to be defined.

Global configuration mode

The following syntax is used to create ip sg-access-list filter statements:

device(config-sgacl-name)# permit { protocol any | range port_range any | range port_range }

The command supports only wildcard IP host and IP network addresses ("any any").

The command supports the following port range operators, and only where port ranges are available (that is, for protocols that carry port numbers):

  • eq
  • gt
  • lt
  • neq

The command supports permit actions for the following protocols:

  • esp
  • gre
  • icmp
  • igmp
  • ip
  • ipv6
  • ospf
  • pim
  • rsvp
  • tcp
  • udp

The command does not support deny actions, logging, mirroring, or DSCP.

The source-guard enable command must be configured on an interface before an IPSG ACL can be bound to the interface.

The no form of the command deletes the ACL.
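Because an IPSG ACL accepts a much narrower grammar than a regular extended ACL (permit only, wildcard "any" addresses, a fixed protocol list, no logging or DSCP), it is worth checking generated statements before they are pushed to a switch. The following Python is an added illustration, not vendor code: it validates `permit` statements against the constraints stated above and emits the CLI sequence that defines the ACL and binds it to a port, with `source-guard enable` placed before `ip sg-access-group` as the page requires. The ACL names, interface and sample statements are constructed, and the single-port operator form (`eq 80`) is an assumption about the syntax, since the page lists the operators but shows no example of them.

```python
"""Offline checker for IP Source Guard (IPSG) ACL filter statements.

Added example (not vendor code): parses `permit` statements against the
documented constraints of `ip sg-access-list` and emits the CLI lines that
define the ACL and bind it to an interface. Names and samples are constructed.
"""
from typing import List

# Protocols the command accepts in permit statements.
SUPPORTED_PROTOCOLS = {"esp", "gre", "icmp", "igmp", "ip", "ipv6",
                       "ospf", "pim", "rsvp", "tcp", "udp"}
# Port operators the command accepts; port numbers exist only for TCP and UDP.
PORT_OPERATORS = {"eq", "gt", "lt", "neq"}
PORTED_PROTOCOLS = {"tcp", "udp"}
# Features the command does not support in this ACL type.
UNSUPPORTED_KEYWORDS = {"deny", "log", "mirror", "dscp"}
MAX_PORT = 65535


def _port(token: str) -> int:
    """Parse a port token, raising ValueError if it is not 0..65535."""
    if not token.isdigit() or int(token) > MAX_PORT:
        raise ValueError(f"bad port '{token}'")
    return int(token)


def validate_statement(stmt: str) -> List[str]:
    """Return the problems found in one filter statement (empty list = valid)."""
    tokens = stmt.split()
    problems: List[str] = []
    if not tokens:
        return ["empty statement"]

    # Deny actions, logging, mirroring and DSCP are rejected wherever they appear.
    for bad in sorted(UNSUPPORTED_KEYWORDS & set(tokens)):
        problems.append(f"'{bad}' is not supported in an IPSG ACL")
    if tokens[0] != "permit":
        problems.append(f"action '{tokens[0]}' not supported; only permit is allowed")
        return problems

    if len(tokens) < 4:
        problems.append("expected: permit <protocol> any <any | range lo hi | op port>")
        return problems
    proto, src, rest = tokens[1], tokens[2], tokens[3:]
    if proto not in SUPPORTED_PROTOCOLS:
        problems.append(f"protocol '{proto}' not supported")
    if src != "any":
        problems.append("only the wildcard source 'any' is supported")

    try:
        if rest == ["any"]:
            pass  # permit <proto> any any
        elif rest[0] == "range" and len(rest) == 3:
            lo, hi = _port(rest[1]), _port(rest[2])
            if lo > hi:
                problems.append(f"range {lo} {hi} is reversed")
            if proto not in PORTED_PROTOCOLS:
                problems.append(f"port ranges are not available for '{proto}'")
        elif rest[0] in PORT_OPERATORS and len(rest) == 2:
            # Assumed form: operator followed by a single port (e.g. eq 80).
            _port(rest[1])
            if proto not in PORTED_PROTOCOLS:
                problems.append(f"port operators are not available for '{proto}'")
        else:
            problems.append(f"unrecognised destination spec '{' '.join(rest)}'")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def build_config(acl_name: str, statements: List[str], interface: str) -> List[str]:
    """Return the CLI lines that define the ACL and bind it to `interface`.

    Raises ValueError if any statement breaks the documented constraints, so
    nothing is sent that the device would reject part-way through.
    """
    bad = {s: validate_statement(s) for s in statements}
    bad = {s: e for s, e in bad.items() if e}
    if bad:
        raise ValueError("; ".join(f"{s}: {', '.join(e)}" for s, e in bad.items()))
    lines = ["configure terminal", f"ip sg-access-list {acl_name}"]
    lines += statements
    lines += ["exit", f"interface ethernet {interface}",
              "source-guard enable",  # must precede binding the ACL to the port
              f"ip sg-access-group {acl_name}", "exit"]
    return lines


if __name__ == "__main__":
    # Constructed samples: valid statements plus ones that break the rules.
    for stmt in ["permit tcp any any", "permit udp any range 100 200",
                 "deny tcp any any", "permit icmp any range 1 10"]:
        print(f"{stmt!r:40} -> {validate_statement(stmt) or 'ok'}")
    print("\n".join(build_config("sg123", ["permit tcp any any",
                                            "permit udp any any"], "1/1/2")))
```

Running the script prints a verdict per sample statement and then the full CLI sequence for the sg123 example; feeding `build_config` output to an automation tool guarantees the `source-guard enable` ordering the page calls out.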

The following example defines IP Source Guard ACL sg123 to allow all TCP traffic and all UDP traffic.


device# configure terminal
device(config)# ip sg-access-list sg123
device(config-sg-sg123)# permit tcp any any
device(config-sg-sg123)# permit udp any any
device(config-sg-sg123)# exit
device(config)# 

The following example defines IP Source Guard ACL sg456 to allow TCP traffic destined for any port number from 100 through 200.


device# configure terminal
device(config)# ip sg-access-list sg456
device(config-sg-sg456)# permit tcp any range 100 200
device(config-sg-sg456)# exit
device(config)# 

The following example binds IP Source Guard ACL sg-acl1 to port 1/1/2.


device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# source-guard enable
device(config-if-e1000/1/1/2)# ip sg-access-group sg-acl1

The following example unbinds the ACL.


device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# no ip sg-access-group sg-acl1
Release version    Command history
08.0.95            This command was introduced.