Reference Guide

Access Control Lists (ACLs) | 83

To view the number of packets matching an ACL that is applied to an interface, follow these steps:

Configuring Ingress ACLs

Ingress ACLs are applied to interfaces and to traffic entering the system.These system-wide ACLs

eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target

traffic, it is a simpler implementation.

To create an ingress ACL, use the

ip access-group command in EXEC Privilege mode (Figure 5-13). This

example also shows applying the ACL, applying rules to the newly created access group, and viewing the

access list.

Figure 5-13. Creating an Ingress ACL

Step Task

1 Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL

2 Apply the ACL as an inbound or outbound ACL on an interface. Refer to Assign an IP ACL to an Interface

3 View the number of packets matching the ACL using the

show ip accounting access-list command from EXEC

Privilege mode.

FTOS(conf)#interface tengig 0/0

FTOS(conf-if-tengig0/0)#ip access-group abcd in

FTOS(conf-if-tengig0/0)#show config

tengigethernet 0/0

no ip address

ip access-group abcd in

no shutdown

FTOS(conf-if-tengig0/0)#end

FTOS#configure terminal

FTOS(conf)#ip access-list extended abcd

FTOS(conf-ext-nacl)#permit tcp any any

FTOS(conf-ext-nacl)#deny icmp any any

FTOS(conf-ext-nacl)#permit 1.1.1.2

FTOS(conf-ext-nacl)#end

FTOS#show ip accounting access-list

Extended Ingress IP access list abcd on tengigethernet 0/0

seq 5 permit tcp any any

seq 10 deny icmp any any

seq 15 permit 1.1.1.2

Use the “in” keyword

to specify ingress.

Begin applying rules to

the ACL named

“abcd.”

View the access-list.