Reference Guide
• Apply the ACL as an inbound or outbound ACL on an interface in INTERFACE mode, and view the number of packets matching the ACL.
show ip access-list {in | out}
Ingress ACL filters
To create an ingress ACL filter, apply an access-list to an interface with the ip access-group command in INTERFACE mode, using the in keyword for the ingress direction. Add rules to the ACL with the ip access-list acl-name command in CONFIGURATION mode. The name given to ip access-group must match the name of the ip access-list that holds the rules; rules entered under a differently named ip access-list are not applied to that interface. To view the access-list, use the show access-lists command.
1 Apply an access-list on the interface with ingress direction in INTERFACE mode.
ip access-group access-group-name in
2 Return to CONFIGURATION mode.
exit
3 Create the access-list in CONFIGURATION mode.
ip access-list access-list-name
4 Create the rules for the access-list in ACCESS-LIST mode.
permit ip host ip-address host ip-address count
Apply ACL rules to access-group and view access-list
OS10(config)# interface ethernet 1/1/28
OS10(conf-if-eth1/1/28)# ip access-group abcd in
OS10(conf-if-eth1/1/28)# exit
OS10(config)# ip access-list acl1
OS10(conf-ipv4-acl)# permit ip host 10.1.1.1 host 100.1.1.1 count
Egress ACL filters
Egress ACL filters affect the traffic leaving the network. Configuring egress ACL filters on physical interfaces protects the system infrastructure from malicious and intentional attacks by explicitly allowing only authorized traffic. These system-wide ACL filters eliminate the need to apply ACL filters to each interface and achieve the same result.
You can use an egress ACL filter to restrict egress traffic. For example, when denial of service (DoS) attack traffic is isolated to a specific interface, apply an egress ACL filter to block the flow from exiting the network and thus protect downstream devices. Check that the ACL still ends with an explicit permit for the traffic you intend to pass: an ACL that contains only deny rules blocks all traffic in that direction once the implicit deny at the end of the list is reached.
1 Apply an access-list on the interface with egress direction in INTERFACE mode.
ip access-group access-group-name out
2 Return to CONFIGURATION mode.
exit
3 Create the access-list in CONFIGURATION mode.
ip access-list access-list-name
4 Create the rules for the access-list in ACCESS-LIST mode.
seq 10 deny ip any any count fragment
Apply rules to ACL lter
OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# ip access-group egress out
OS10(conf-if-eth1/1/29)# exit
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment
View IP ACL filter configuration
OS10# show ip access-lists out
Egress IP access-list abcd
Active on interfaces :
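The two procedures above bind an access-group to an interface in one step and define the rules under a separately named access-list in another, so a name mismatch or an ACL with no permit rule is easy to miss. The following audit script is an added example, not part of this guide or of OS10; it parses a constructed running-config excerpt in the style of the page's examples (the ACL names, interface names, the "!" block separators and the one-space indentation are assumptions about the output format) and reports access-groups that reference an undefined ACL, applied ACLs that contain only deny rules (assuming the platform's implicit deny at the end of every ACL), and ACLs that are defined but never applied.

```python
import re

# Constructed OS10-style running-config excerpt (not taken from the guide).
# It reproduces the guide's two examples: ethernet1/1/28 binds "abcd" inbound
# while the rules were entered under "acl1", and "egress" has only a deny rule.
SAMPLE_CONFIG = """\
!
interface ethernet1/1/28
 no shutdown
 ip access-group abcd in
!
interface ethernet1/1/29
 no shutdown
 ip access-group egress out
!
ip access-list acl1
 seq 10 permit ip host 10.1.1.1 host 100.1.1.1 count
!
ip access-list egress
 seq 10 deny ip any any count fragment
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
GROUP_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\b")
ACL_RE = re.compile(r"^ip access-list\s+(\S+)")
RULE_RE = re.compile(r"^\s+(?:seq\s+\d+\s+)?(permit|deny)\b")


def parse_config(text):
    """Return (bindings, acls).

    bindings: list of (interface, acl_name, direction) from ip access-group lines.
    acls: dict acl_name -> list of rule actions ('permit'/'deny') in config order.
    """
    bindings, acls = [], {}
    iface = acl = None
    for line in text.splitlines():
        # A line without leading whitespace starts a new top-level block.
        if line and not line[0].isspace():
            iface = acl = None
            m = IFACE_RE.match(line)
            if m:
                iface = m.group(1)
                continue
            m = ACL_RE.match(line)
            if m:
                acl = m.group(1)
                acls.setdefault(acl, [])
            continue
        if iface:
            m = GROUP_RE.match(line)
            if m:
                bindings.append((iface, m.group(1), m.group(2)))
        elif acl:
            m = RULE_RE.match(line)
            if m:
                acls[acl].append(m.group(1))
    return bindings, acls


def audit(text):
    """Return a list of human-readable findings about the ACL configuration."""
    bindings, acls = parse_config(text)
    findings = []
    for iface, name, direction in bindings:
        rules = acls.get(name)
        if rules is None:
            findings.append(f"{iface} {direction}: access-group '{name}' has no matching ip access-list")
        elif not rules:
            findings.append(f"{iface} {direction}: ACL '{name}' is defined but has no rules")
        elif all(action == "deny" for action in rules):
            # Assumption: the platform applies an implicit deny after the last rule,
            # so a deny-only ACL blocks every packet in that direction.
            findings.append(f"{iface} {direction}: ACL '{name}' has only deny rules; with implicit deny nothing passes")
    applied = {name for _, name, _ in bindings}
    for name in acls:
        if name not in applied:
            findings.append(f"ACL '{name}' is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running the script against the constructed excerpt reports the "abcd" binding with no matching access-list, the deny-only "egress" ACL, and the unapplied "acl1". Feed it the text of `show running-configuration` from a real switch and adjust the regular expressions if the output format differs from the assumed one.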