The ip access-group [number] [in | out] Cisco command

The Cisco command 'ip access-group [number] [in | out]' is used to create and configure an IP access control list (ACL) on a Cisco router or switch. An access control list is a set of rules that define which IP packets are allowed to enter or leave an interface.

To use the command, you must first specify the number of the ACL you want to create or configure. The number can be any value from 1 to 199. You must then specify whether the ACL will be used for inbound or outbound traffic. The keyword 'in' is used for inbound traffic, and the keyword 'out' is used for outbound traffic.

Next, you must specify the rules that will be used to filter traffic. Each rule consists of a source IP address, a destination IP address, a protocol, and an action. The source and destination IP addresses can be specified as a single IP address, a range of IP addresses, or a network address. The protocol can be specified as a specific protocol (such as TCP or UDP) or as a group of protocols (such as IP, which matches any IP protocol). The action can be either 'permit' or 'deny'. Rules are checked in order, the first rule that matches a packet decides its fate, and a packet that matches no rule is dropped by the implicit deny at the end of every ACL.

Once you have specified all of the rules for the ACL, you must save the configuration changes. You can do this by using the 'copy running-config startup-config' command.

The 'ip access-group [number] [in | out]' command can be used on a wide variety of Cisco routers and switches. It is a powerful tool that can be used to control access to and from a network.

ip access-group [number] [in | out] usage examples

Here are some usage examples for the command:

  1. To permit TCP traffic on port 23 (Telnet) from any source to any destination:
     access-list 100 permit tcp any any eq 23
     ! GigabitEthernet0/0 is a placeholder for the interface the list is applied to
     interface GigabitEthernet0/0
      ip access-group 100 out
  2. To deny all traffic from the 192.168.1.0/24 network to any destination:
     access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
     ! without this permit, the implicit deny would also drop every other packet
     access-list 101 permit ip any any
     interface GigabitEthernet0/0
      ip access-group 101 out
  3. To permit all traffic from the 172.16.0.0/16 network to the 10.0.0.0/8 network:
     access-list 102 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     interface GigabitEthernet0/0
      ip access-group 102 in
  4. To deny all traffic from the 192.168.10.0/24 network to the 172.16.3.0/24 network:
     access-list 103 deny   ip 192.168.10.0 0.0.0.255 172.16.3.0 0.0.0.255
     access-list 103 permit ip any any
     interface GigabitEthernet0/0
      ip access-group 103 in
  5. To permit all ICMP traffic from any source to any destination:
     access-list 104 permit icmp any any
     interface GigabitEthernet0/0
      ip access-group 104 in
  6. To deny all traffic that is not TCP or UDP:
     access-list 105 permit tcp any any
     access-list 105 permit udp any any
     ! explicit for clarity; everything else would hit the implicit deny anyway
     access-list 105 deny   ip any any
     interface GigabitEthernet0/0
      ip access-group 105 in
  7. To permit all traffic to and from the host with the IP address 10.10.10.10:
     access-list 106 permit ip any host 10.10.10.10
     access-list 106 permit ip host 10.10.10.10 any
     interface GigabitEthernet0/0
      ip access-group 106 in
      ip access-group 106 out
  8. To permit all traffic to and from the network 172.16.1.0/24:
     access-list 107 permit ip any 172.16.1.0 0.0.0.255
     access-list 107 permit ip 172.16.1.0 0.0.0.255 any
     interface GigabitEthernet0/0
      ip access-group 107 in
      ip access-group 107 out
  9. To permit all traffic from the 192.168.10.0/24 network to the 10.0.0.0/8 network, but only if the source port is greater than 1024:
     ! port operators apply only to tcp and udp, so one entry per protocol
     access-list 108 permit tcp 192.168.10.0 0.0.0.255 gt 1024 10.0.0.0 0.255.255.255
     access-list 108 permit udp 192.168.10.0 0.0.0.255 gt 1024 10.0.0.0 0.255.255.255
     interface GigabitEthernet0/0
      ip access-group 108 in
  10. To deny all traffic from the 172.16.2.0/24 network to the 192.168.1.0/24 network, but only if the destination port is less than 1024:
     access-list 109 deny   tcp 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 lt 1024
     access-list 109 deny   udp 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 lt 1024
     access-list 109 permit ip any any
     interface GigabitEthernet0/0
      ip access-group 109 out
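To check how entries like the ones above are evaluated before they are applied to an interface, here is an added Python example (not from the original page, not Cisco code) that parses the subset of numbered extended ACL syntax used in these examples, matches addresses with Cisco wildcard masks, and applies first-match semantics ending in the implicit deny. The sample entries and test packets are constructed for the example; the wildcard check also shows why a /8 needs 0.255.255.255 rather than 0.0.0.255.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))

def _port(tokens):
    """Consume an optional eq/gt/lt operator (only tcp and udp entries carry ports)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        return (tokens.pop(0), int(tokens.pop(0)))
    return None

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [op port] DST [op port]' (page subset only)."""
    t = line.split()
    rest = t[4:]
    src, sport = _addr(rest), _port(rest)   # source, then its optional port operator
    dst, dport = _addr(rest), _port(rest)   # destination, then its optional port operator
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport}

def _port_ok(cond, port):
    """True when the entry has no port operator or the packet's port satisfies it."""
    return cond is None or {"eq": port == cond[1], "gt": port > cond[1], "lt": port < cond[1]}[cond[0]]

def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):  # 'ip' matches every IP protocol
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if _port_ok(ace["sport"], sport) and _port_ok(ace["dport"], dport):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

ACL_108 = [parse_ace(l) for l in (  # constructed sample: example 9 above with the /8 wildcard
    "access-list 108 permit tcp 192.168.10.0 0.0.0.255 gt 1024 10.0.0.0 0.255.255.255",
    "access-list 108 permit udp 192.168.10.0 0.0.0.255 gt 1024 10.0.0.0 0.255.255.255")]
```

Keywords outside this subset (established, log, named lists) are not handled, so extend the parser before running it over a production configuration.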