access-group command doesn't exist

Jun 19th, 2007


I just acquired a 2811 running IOS 12.4, but I cannot run the access-group command simply because it doesn't exist. Has anyone experienced this before? I can run access-list no problem, but access-group does not exist. Please help me.


JORGE RODRIGUEZ Tue, 06/19/2007 - 08:54

IP access-groups are used on interfaces.

You first use an access-list command to create a single access list entry. Then use the ip access-group command to bind one or more access lists to an interface.

See ip access-list and ip access-group.

HTH, please rate if this helps.


Richard Burts Tue, 06/19/2007 - 09:14


The command certainly exists in your IOS but perhaps in a place or in a syntax that you are not expecting. Jorge is absolutely correct that the access-group command is under interface config mode. So if you are looking in global config mode (where the access-list command exists), then you will not find the access-group command. But if you look in interface config mode then you will find it.

It may also be that the syntax is not quite what you expected. The command to create an access list is simply access-list. But the command to apply it to an interface is ip access-group. Sometimes it is confusing to remember which commands just start with the command words and which commands start with ip and then the command words. So if you are looking just for access-group then you will not find it. But you can find ip access-group.



mujosmujoma Tue, 06/19/2007 - 09:39

Thanks for your reply

But I can assure you that I did all you said but the command 'ip access-group' simply doesn't exist in my IOS 12.4 (please check the console print screen).

Maybe it's a bug and I need to upgrade or patch my router!

The screen shows all the commands that exist under interface config.

Thanks again for your help

sundar.palaniappan Tue, 06/19/2007 - 10:07

Just wondering whether the interface he's trying to apply the access list to is a layer 2 interface like an etherswitch interface.



JORGE RODRIGUEZ Tue, 06/19/2007 - 10:17

Sundar, that sounds right, that interface does not look like a layer 3 interface.

mujosmujoma Wed, 06/20/2007 - 22:24

Hi Sundar,

How can an interface on a router be Layer 2? Although I think my interface is L3, is there a command to turn it to L3? How can you see that?

Thanks for your light!

Edison Ortiz Tue, 06/19/2007 - 10:44

Let's see your privilege level by typing

show privilege

You are missing a lot of options for ip under that interface.

Anand S Tue, 06/19/2007 - 23:59


I wouldn't say it's an IOS bug, but I faced a problem similar to this on a 3750 switch.

While I was giving training to the juniors in my office, I was explaining that interface vlan 1 cannot be deleted, so I told them to try that option by issuing "no interface vlan 1", but it got deleted. I also told them to issue "router eigrp 444"; surprisingly, this command was not accepted. I was puzzled and felt bad in front of the juniors. I immediately suspected IOS problems, and since I had the same backup image of the switch, I just upgraded, and the eigrp command worked and "interface vlan 1" could no longer be deleted.

The Cisco 3750 was using IOS 12.2(25r)SEC.

So just try the option of upgrading the image.

But I have NO idea what went wrong; I was using the same IOS on 7 3750 switches on my network and those never faced this kind of problem.

mujosmujoma Wed, 06/20/2007 - 22:27

So the problem must be the flash version? This means it's a bug in my flash then. How can a brand new router with IOS 12.4 not be able to run the basic access-group command?

Anyway, please help me to clarify this, and the exact action to take to solve this issue.

Thanks for your help


Anand S Wed, 06/20/2007 - 22:29

It is not a bug in the flash or the IOS. Just try upgrading the IOS once again; it will certainly solve the problem. It might happen in rare cases.

royalblues Wed, 06/20/2007 - 23:12


As per the show version you have 6 fast ethernet interfaces whereas the router ships with only 2 by default with the motherboard. This means that you have additional ethernet modules on the router (mostly a four port switch).

This will by default be a layer 2 interface, as said by Sundar, and hence you are not able to use this command. You need to check whether this EtherSwitch module supports L3 functions. Posting a sh diag would help.

Also, just to make sure that the command is supported, try this on the fa0/0 or fa0/1 which is shipped by default with the router. You should be able to execute the command.

HTH, rate if it does


mujosmujoma Wed, 06/20/2007 - 23:42

Right Narayan!

Fa0/0 indeed supports the command access-group!

So this means that my four (non-default) Ethernet ports cannot be configured with routing commands!!

How can I turn them to L3?

Attached is my 'sh diag' result

Thank you for your help!


mujosmujoma Thu, 06/21/2007 - 00:21

Why would Cisco sell L2 only interfaces to plug into a router? A router is supposed to do L3, right? It doesn't make sense to me!

Now I'm stuck with 4 L2 ports, and there is no way to software-upgrade it.

Thanks for your light


royalblues Thu, 06/21/2007 - 00:30


It is actually the other way. These modules are used on the router to give them some switch functionality.

There are few modules which do support L3 functionality as well.


Richard Burts Thu, 06/21/2007 - 06:02


What if you assign the switch ports to a VLAN (for example VLAN 20) and then try to create an SVI (for example interface vlan 20) and try to put an IP address on it and then try the ip access-group command? I think that should work.
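
The steps suggested in the post above, written out as an IOS configuration sketch (an added example, not part of the original thread and not confirmed by it to work on this module). The interface name FastEthernet0/0/0, ACL number 101 and the 192.0.2.0/24 and 198.51.100.10 addresses are constructed placeholders; it assumes VLAN 20 already exists in the VLAN database and that the EtherSwitch module supports SVIs.

```cisco
! Added example. Interface names, VLAN 20, ACL 101 and all addresses are
! constructed placeholders, not values taken from the thread.
!
! Global config mode: the ACL itself is created here with access-list.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
access-list 101 deny   ip any any log
!
! Layer 2 EtherSwitch port: it is only placed into the VLAN.
! "ip access-group" is not offered under this interface, which is the
! symptom described at the top of the thread.
interface FastEthernet0/0/0
 switchport mode access
 switchport access vlan 20
!
! SVI for VLAN 20: the layer 3 interface that carries the IP address
! and therefore accepts "ip access-group".
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 no shutdown
!
! Caveat: the ACL on the SVI filters only traffic routed through Vlan20.
! Frames switched between two ports in VLAN 20 never reach the SVI and
! are not filtered by ACL 101.
!
! Checks from exec mode after applying:
!   show ip interface Vlan20    (lists the inbound access list)
!   show access-lists 101       (per-entry match counters)
```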



