Dell Command Line Reference Guide for the S4048–ON System


ip access-group

Assign an IP access list (IP ACL) to an interface.

ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-id] [layer3] [vrf vrf-name]

To delete an IP access-group configuration, use the no ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-id] [layer3] [vrf vrf-name] command.

Parameters
access-list-name
Enter the name of a configured access list, up to 140 characters.
in
Enter the keyword in to apply the ACL to incoming traffic.
out
Enter the keyword out to apply the ACL to outgoing traffic.
implicit-permit
(OPTIONAL) Enter the keyword implicit-permit to change the default action of the ACL from implicit-deny to implicit-permit (that is, if the traffic does not match the filters in the ACL, the traffic is permitted instead of dropped).
vlan vlan-id
(OPTIONAL) Enter the keyword vlan then the ID numbers of the VLANs. The range is from 1 to 4094.
vrf vrf-name
(OPTIONAL) Enter the keyword vrf then the ID numbers of the VRFs. The range is from 1 to 511.
NOTE: When you specify a single VRF, use the name of the VRF instead of the VRF ID number. Use the VRF ID numbers only when you specify a range of VRFs.
layer3
(OPTIONAL) Enter the keyword layer3 to enable layer 3 mode. It ensures that all the ACL rules in the access-group are applied only to L3 routed packets.
Defaults
Not enabled.
Command Modes
Command History

This guide is platform-specific. For command information about other platforms, see the relevant Dell EMC Networking OS Command Line Reference Guide.

Introduced on the S6010-ON and S4048T-ON.
Introduced on the S3148.
Introduced on the S6100-ON.
Introduced on the S3100 series.
Introduced on the Z9100–ON.
Introduced on the S4048-ON.
Introduced on the S3048-ON.
Introduced on the S6000–ON.
Added support for VRF.
Introduced on the Z9500.
Introduced on the S6000.
Introduced on the S4820T.
Introduced on the Z9000.
Introduced on the S4810.
Introduced on the E-Series.
Increased the name string to accept up to 140 characters. Prior to, names were up to 16 characters long.
Introduced on the S-Series.
Introduced on the C-Series.
Introduced on the E-Series.
Usage Information
You can assign one ingress ACL and one egress ACL to an interface.
NOTE: This command supports Loopback interfaces EE3 and EF series route processor modules (RPMs). This command does not support Loopback interfaces ED series RPMs and S-Series Loopback interfaces.
NOTE: If you apply an outbound (egress) IP ACL on a switch port, the filter applies only to routed traffic egressing that port.

To associate an access-list to a non-default VRF, use the vrf attribute of this command. You can use this command at the interface context (physical/LAG) to apply the access-list to a range of VRFs.

The VRF MODE is not available for the default and management VRFs.

In Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available CAM space is less than what your set of ACL rules requires. Effective with Dell EMC Networking OS version 9.13(0.0), the system installs your ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule, the Dell EMC Networking OS ensures that an implicit deny is installed at the end of your rule. This behavior applies to IPv4 and IPv6 ingress and egress ACLs.

One usage scenario for the layer3 keyword at the VLAN level is to avoid the ACL being applied to L2 traffic that comes in through the ICL.

NOTE: The usage scenario listed above is one of many other usage scenarios.
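
The following audit script is an added example, not part of the Dell guide: it parses ip access-group lines using the syntax shown above and lists every binding where implicit-permit replaces the default deny. The interface-block layout, the ACL, VRF and interface names, and the assumption that a saved configuration prints the keywords in syntax-line order are all constructed for illustration.

```python
import re

# Grammar from the syntax line on this page:
# ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-id] [layer3] [vrf vrf-name]
BINDING = re.compile(
    r"^\s*ip access-group (?P<acl>\S+) (?P<dir>in|out)"
    r"(?P<permit> implicit-permit)?"
    r"(?: vlan (?P<vlan>\S+))?"
    r"(?P<l3> layer3)?"
    r"(?: vrf (?P<vrf>\S+))?\s*$"
)

# Constructed sample; the block layout is assumed, not captured from a real device.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet 1/1
 ip address 192.0.2.1/24
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out implicit-permit
!
interface Vlan 100
 ip access-group VLT-L3 in layer3
!
interface Port-channel 10
 ip access-group TENANT-IN in implicit-permit vrf tenant-a
!
"""

def parse_bindings(config):
    """Return one dict per ip access-group line, tagged with its interface."""
    bindings, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line[len("interface "):].strip()
        elif line.strip() == "!":
            iface = None  # end of the interface block
        elif iface and (m := BINDING.match(line)):
            bindings.append({
                "interface": iface, "acl": m["acl"], "direction": m["dir"],
                "implicit_permit": m["permit"] is not None,
                "layer3": m["l3"] is not None,
                "vlan": m["vlan"], "vrf": m["vrf"],
            })
    return bindings

def default_permit_bindings(bindings):
    """Bindings where unmatched traffic is permitted instead of dropped."""
    return [b for b in bindings if b["implicit_permit"]]

if __name__ == "__main__":
    for b in default_permit_bindings(parse_bindings(SAMPLE_CONFIG)):
        print(f'{b["interface"]}: ACL {b["acl"]} ({b["direction"]}) falls through to permit')
```
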
Related Commands
