ip sg-access-list
-
- Last UpdatedJul 01, 2024
- 2 minutes read
Creates an IP Source Guard (IPSG) ACL.
acl_name
| Specifies the ACL to be defined.
|
Global configuration mode
The following syntax is used to create ip sg-access-list filter statements:
device(config-sgacl-name)# permit { protocol any | range port_range any | range port_range }
The command supports only wildcard IP host and IP network addresses ("any any").
The command supports the following port range operators only if port ranges are available:
- eq
- gt
- lt
- neq
The command supports permit actions for the following protocols:
- esp
- gre
- icmp
- igmp
- ip
- ipv6
- ospf
- pim
- rsvp
- tcp
- udp
The command does not support deny actions, logging, mirroring, or DSCP.
The source-guard enable command must be configured on an interface before an IPSG ACL can be bound to the interface.
The no form of the command deletes the ACL.
The following example defines IP Source Guard ACL sg123 to allow all TCP traffic and all UDP traffic.
device# configure terminal
device(config)# ip sg-access-list sg123
device(config-sg-sg123)# permit tcp any any
device(config-sg-sg123)# permit udp any any
device(config-sg-sg123)# exit
device(config)#
The following example defines IP Source Guard ACL sg456 to allow TCP traffic destined for any port number from 100 through 200.
device# configure terminal
device(config)# ip sg-access-list sg456
device(config-sg-sg123)# permit tcp any range 100 200
device(config-sg-sg123)# exit
device(config)#
The following example binds IP Source Guard ACL sg-acl1 to port 1/1/2.
device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# source-guard enable
device(config-if-e1000/1/1/2)# ip sg-access-group sg-acl1
The following example unbinds the ACL.
device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# no ip sg-access-group sg-acl1
| Release version | Command history |
|---|---|
| 08.0.95 | This command was introduced. |