Reference Guide
Access Control Lists (ACLs)
The same ACL may be applied to different interfaces, and how it is applied changes its functionality. For example, you can take ACL “ABCD” and apply it using the in keyword, and it becomes an ingress access list. If you apply the same ACL using the out keyword, it becomes an egress access list. If you apply the same ACL to the loopback interface, it becomes a loopback access list.
This chapter covers the following topics:
• Configuring Ingress ACLs
• Configuring Egress ACLs
• Configuring ACLs to Loopback
For more information on Layer-3 interfaces, refer to Interfaces.
To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in
the following sequence in the INTERFACE mode:
To view which IP ACL is applied to an interface, use the show config command in the INTERFACE mode as shown below or the show running-config command in the EXEC mode.
FTOS(conf-if)#show conf
!
interface GigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
FTOS(conf-if)#
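An added example, not part of the reference guide: a short Python audit over show running-config text that collects each interface's ip access-group bindings and flags Layer-3 interfaces that have no ingress ACL. The sample configuration, the ACL name edge, the function names and the audit policy itself are assumptions made for illustration.

```python
import re

# Constructed sample in the style of the "show config" output above;
# interfaces 0/1 to 0/3 and the ACL "edge" are made up for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet 0/0
 ip address 10.2.1.100 255.255.255.0
 ip access-group nimule in
 no shutdown
!
interface GigabitEthernet 0/1
 ip address 10.2.2.1 255.255.255.0
 ip access-group nimule out
 no shutdown
!
interface GigabitEthernet 0/2
 ip address 10.2.3.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet 0/3
 no ip address
 ip access-group edge in implicit-permit vlan 10-20
"""

# ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]
ACL_RE = re.compile(r"ip access-group (\S+) (in|out)\b(.*)")

def parse_interfaces(config_text):
    """Map interface name -> {"layer3": bool, "acls": [binding, ...]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate output with or without indentation
        if line.startswith("interface "):
            current = interfaces.setdefault(
                line[len("interface "):], {"layer3": False, "acls": []})
        elif line == "!":
            current = None  # "!" closes the current interface block
        elif current is not None and line.startswith("ip address "):
            current["layer3"] = True  # an IP address places the port in Layer-3 mode
        elif current is not None and (m := ACL_RE.match(line)):
            current["acls"].append({"name": m.group(1), "direction": m.group(2),
                                    "options": m.group(3).split()})
    return interfaces

def audit(interfaces):
    """Assumed policy: every Layer-3 interface needs an ingress ACL;
    implicit-permit bindings are listed for manual review."""
    findings = []
    for name, info in interfaces.items():
        if info["layer3"] and all(a["direction"] != "in" for a in info["acls"]):
            findings.append((name, "no ingress ACL"))
        findings += [(name, "implicit-permit on ACL " + a["name"])
                     for a in info["acls"] if "implicit-permit" in a["options"]]
    return findings
```

Interface 0/1 is reported even though nimule is bound to it, because the out keyword makes that binding an egress list only.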
Use only Standard ACLs in the access-class command to filter traffic on Telnet sessions.
Step 1
  Command Syntax: interface interface slot/port
  Command Mode: CONFIGURATION
  Purpose: Enter the interface number.

Step 2
  Command Syntax: ip address ip-address
  Command Mode: INTERFACE
  Purpose: Configure an IP address for the interface, placing it in Layer-3 mode.

Step 3
  Command Syntax: ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]
  Command Mode: INTERFACE
  Purpose: Apply an IP ACL to traffic entering or exiting an interface.
  • out: configure the ACL to filter outgoing traffic. This keyword is supported only on E-Series.
  Note: The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specification on entries allowed per ACL.

Step 4
  Command Syntax: ip access-list [standard | extended] name
  Command Mode: INTERFACE
  Purpose: Apply rules to the new ACL.

Counting ACL Hits










