Applying ACLs to Interfaces – Detailed Explanation

1. Why Apply ACLs to Interfaces?

Applying an Access Control List (ACL) to an interface allows you to control which traffic is permitted or denied as it enters (inbound) or leaves (outbound) a network device.
Objectives: Enforce security policies, restrict resource access, and filter unwanted or dangerous traffic at the network’s edge or internally.

2. Inbound vs. Outbound ACLs

Direction   What It Controls                  Example Use Case
Inbound     Traffic entering the interface    Block access to a server from certain hosts
Outbound    Traffic leaving the interface     Prevent internal users from reaching the WAN
  • Inbound: Filters packets as they arrive, before the device performs the routing or switching lookup; a denied packet is dropped without being routed at all.
  • Outbound: Filters packets after the routing decision, just before they are transmitted out the interface. Traffic the device itself originates (routing protocol updates, its own pings or SSH sessions) is not checked by outbound ACLs.

3. Use Case Scenarios

  • Inbound Example: Prevent hosts from accessing a sensitive server on a specific subnet.
  • Outbound Example: Block certain devices from sending traffic out to the Internet or a WAN.

4. Interface Types Where ACLs Can Be Applied

  • Physical: Ethernet, FastEthernet, GigabitEthernet, Serial
  • Virtual: SVIs (Switch Virtual Interfaces: interface vlan X), Loopback, Tunnel interfaces

5. Configuring ACL Application on Interfaces

Use the ip access-group command in interface configuration mode, referencing the ACL by number or by name and giving the direction. Only one ACL per protocol can be applied to an interface in each direction; a second ip access-group in the same direction replaces the first rather than adding to it.

interface GigabitEthernet0/1
 ip access-group 10 in             ! Apply Standard ACL 10 inbound
 ip access-group BLOCK_TELNET out  ! Apply Named ACL outbound
    

in: Applies to incoming packets
out: Applies to outgoing packets

Example:
access-list 20 deny 192.168.1.100   ! standard ACL: matches on source only; a bare address means host (wildcard 0.0.0.0)
access-list 20 permit any           ! without this line the implicit deny would drop everything else
interface GigabitEthernet0/1
 ip access-group 20 in

This drops all IP traffic arriving on GigabitEthernet0/1 from 192.168.1.100 and permits everything else arriving on that interface; it has no effect on traffic leaving the interface.

6. Best Practices for ACL Placement

  • Standard ACLs: Place close to the destination. They match on source address only, so placed near the source they would cut that source off from every destination, not just the one you mean to protect.
  • Extended ACLs: Place close to the source. They can match on source, destination, protocol and port, so the unwanted traffic can be identified precisely and dropped before it crosses the network.
  • Reason: Drop traffic as early as precision allows, so it does not consume bandwidth and forwarding capacity on the way to a point where it would be denied anyway.

7. Impact of ACL Direction on Traffic Flow

  • Inbound ACLs: Traffic is filtered as it arrives on the interface—good for early blocking/permitting.
  • Outbound ACLs: Traffic is filtered just before it exits the interface—useful for restricting egress.
User --> [inbound ACL] --> [Router] --> [outbound ACL] --> Internet

8. Verifying ACL Application

  • show ip interface [interface] – Shows which ACLs are applied to the interface and in which direction
  • show access-lists (or show ip access-lists) – Shows the ACL entries with a match counter next to each entry
  • show running-config interface [interface] – Shows the ip access-group lines in the interface configuration
Sample Output (abbreviated; IOS prints the outgoing list before the inbound one):
GigabitEthernet0/1 is up, line protocol is up
  ...
  Outgoing access list is BLOCK_TELNET
  Inbound  access list is 20
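The same verification, scripted. The following Python is an added example and not part of the original page: it parses show ip interface and show access-lists output into structures and flags what an auditor looks for after applying ACLs. The two show outputs are constructed here to mirror the IOS output format (not captured from a real device), and the function names parse_show_ip_interface, parse_show_access_lists and audit are this example's own. The "applied but undefined" check matters because IOS permits all traffic through an ip access-group that references an ACL which does not exist, so a typo in the ACL name silently removes the filter.

```python
import re

# Constructed sample output in the format IOS prints (not captured from a real device).
SHOW_IP_INTERFACE = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Outgoing access list is not set
  Inbound  access list is LAN_IN
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 203.0.113.1/30
  Outgoing access list is BLOCK_TELNET
  Inbound  access list is 20
"""

SHOW_ACCESS_LISTS = """\
Standard IP access list 20
    10 deny   192.168.1.100 (42 matches)
    20 permit any (1305 matches)
Extended IP access list 101
    10 deny tcp 10.1.1.0 0.0.0.255 any eq telnet (7 matches)
    20 permit ip any any (99811 matches)
Extended IP access list BLOCK_TELNET
    10 deny tcp any any eq telnet
    20 permit ip any any
"""

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
APPLIED_RE = re.compile(r"^\s+(Outgoing|Inbound)\s+access list is (.+)$")
ACL_HDR_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$")
ACE_RE = re.compile(r"^\s+(\d+) (.*?)(?: \((\d+) matches?\))?$")


def parse_show_ip_interface(text):
    """Map each interface to the ACL applied in each direction (None when 'not set')."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = APPLIED_RE.match(line)
        if m and current:
            direction = "in" if m.group(1) == "Inbound" else "out"
            name = m.group(2).strip()
            result[current][direction] = None if name == "not set" else name
    return result


def parse_show_access_lists(text):
    """Map each ACL name or number to its entries as (sequence, text, match_count)."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HDR_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current:
            text_norm = " ".join(m.group(2).split())  # collapse IOS column padding
            acls[current].append((int(m.group(1)), text_norm, int(m.group(3) or 0)))
    return acls


def audit(interfaces, acls):
    """Return (severity, message) findings for the applied/defined/matched state of every ACL."""
    findings, applied = [], set()
    for iface, dirs in interfaces.items():
        for direction, name in dirs.items():
            if name is None:
                continue
            applied.add(name)
            if name not in acls:
                # IOS forwards everything through an access-group whose ACL is not defined.
                findings.append(("HIGH", f"{iface} {direction}: ACL {name} is applied but not defined; traffic is not filtered"))
            elif sum(hits for _, _, hits in acls[name]) == 0:
                findings.append(("MEDIUM", f"{iface} {direction}: ACL {name} has zero matches; check direction and interface"))
    for name in acls:
        if name not in applied:
            findings.append(("INFO", f"ACL {name} is defined but not applied to any interface"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_show_ip_interface(SHOW_IP_INTERFACE),
                                   parse_show_access_lists(SHOW_ACCESS_LISTS)):
        print(severity, message)
```

Run against real devices, the two constants would be replaced by the captured output of the two show commands; a zero-match finding after you have sent test traffic is the quickest signal that the list sits on the wrong interface or in the wrong direction.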

9. Troubleshooting ACL Application Issues

Common Mistake                      Result                                        Fix
Wrong ACL direction (in/out)        No effect, or unintended blocks               Confirm the direction with show ip interface
Applied to the wrong interface      Policy not enforced as expected               Check the configuration against the network diagram
Overly broad or inverted mask       Unwanted traffic allowed or blocked           Review the wildcard masks (a subnet mask typed in place of a wildcard is a common slip) and the ACL entries
Forgetting the implicit deny        Legitimate traffic blocked                    Add an explicit permit where needed
Entries in the wrong order          A broad earlier entry shadows a later one     Put specific entries before general ones; the first match wins
ACL applied but never defined       Nothing is filtered                           IOS permits all traffic through an access-group that references an undefined ACL; define the ACL (or fix the typo in its name)
Tip: show access-lists prints a match counter next to each entry; clear access-list counters resets them so you can confirm that a test packet hits the entry you expect.
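To make the direction, wildcard and implicit-deny behaviour from sections 5, 7 and the table above concrete, the following Python models how IOS evaluates an ACL and walks a packet through a router. It is an added example, not part of the original page and not Cisco code: it supports only the syntax used on this page (numbered standard and extended lists with host, any, wildcard masks and eq port), the function names parse_acl, evaluate and forward are this example's own, and the test packet and the two deliberately broken lists (a forgotten permit any, a subnet mask typed where a wildcard belongs) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # IOS port keywords used in this example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip, tcp, udp or icmp
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    action: str          # permit or deny
    proto: str           # "ip" for standard ACLs, which match any protocol
    src: tuple           # (address, wildcard)
    dst: tuple           # (address, wildcard); "any" for standard ACLs
    dport: Optional[int]
    text: str            # the original configuration line, for reporting


def _is_ipv4(tok: str) -> bool:
    return tok.count(".") == 3 and all(p.isdigit() for p in tok.split("."))


def _match_addr(addr: str, spec: str, wild: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored
    (the inverse of a subnet mask, which is why typing a mask here is a classic mistake)."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wild))
    return (a ^ s) & (0xFFFFFFFF ^ w) == 0


def _take_addr(t: list, i: int):
    """Consume one address spec at t[i]: 'any', 'host A', 'A WILDCARD' or a bare host 'A'."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1


def parse_acl(lines):
    """Parse numbered access-list lines in configuration order (IOS appends in the order typed)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard ACL: source only
            src, _ = _take_addr(t, 3)
            entries.append(Entry(action, "ip", src, ("0.0.0.0", "255.255.255.255"), None, line))
            continue
        src, i = _take_addr(t, 4)                             # extended: proto src dst [eq port]
        dst, i = _take_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(action, t[3], src, dst, dport, line))
    return entries


def evaluate(entries, p: Packet):
    """Top-down, first match wins; if nothing matches, the implicit deny at the end applies."""
    for e in entries:
        if (e.proto in ("ip", p.proto)
                and _match_addr(p.src, *e.src) and _match_addr(p.dst, *e.dst)
                and (e.dport is None or e.dport == p.dport)):
            return e.action, e.text
    return "deny", "<implicit deny>"


def forward(router: dict, ingress: str, egress: str, p: Packet):
    """IOS order for a transit packet: ingress inbound ACL, routing, then egress outbound ACL."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = router.get(iface, {}).get(direction)
        if acl is not None:
            action, hit = evaluate(acl, p)
            if action == "deny":
                return "deny", f"{iface} {direction}: {hit}"
    return "permit", "forwarded"


# The page's two ACLs, plus two deliberately broken variants from the troubleshooting table.
ACL_20 = parse_acl(["access-list 20 deny 192.168.1.100", "access-list 20 permit any"])
ACL_20_NO_PERMIT = parse_acl(["access-list 20 deny 192.168.1.100"])  # forgot permit any
ACL_101 = parse_acl(["access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23", "access-list 101 permit ip any any"])
ACL_101_BAD_MASK = parse_acl(["access-list 101 deny tcp 10.1.1.0 255.255.255.0 any eq 23", "access-list 101 permit ip any any"])
RIGHT = {"GigabitEthernet0/1": {"out": ACL_101}}  # as in the page's example scenario
WRONG = {"GigabitEthernet0/1": {"in": ACL_101}}   # same ACL, wrong direction
TELNET_OUT = Packet("10.1.1.5", "203.0.113.10", "tcp", 23)  # constructed test packet

if __name__ == "__main__":
    print(forward(RIGHT, "GigabitEthernet0/0", "GigabitEthernet0/1", TELNET_OUT))
    print(forward(WRONG, "GigabitEthernet0/0", "GigabitEthernet0/1", TELNET_OUT))
    print(evaluate(ACL_101_BAD_MASK, TELNET_OUT))
```

With the list applied outbound on GigabitEthernet0/1 the Telnet packet from 10.1.1.5 is denied; applied inbound on the same interface it is never consulted for traffic leaving towards the WAN, so the packet is forwarded. The mask variant shows why 255.255.255.0 is wrong as a wildcard: it says "ignore the first three octets, the last must be 0", so 10.1.1.5 passes and any host whose address ends in .0 is denied.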

10. Removing ACLs from Interfaces

interface GigabitEthernet0/1
 no ip access-group 20 in
    

Use no ip access-group [acl-number|acl-name] [in|out] to remove the ACL from the interface.

11. Interaction with Other Features

  • NAT: ACLs commonly select which traffic is translated (the list referenced by ip nat inside source list). A deny in that ACL only excludes traffic from translation; it does not drop it.
  • QoS: ACLs are referenced from class maps to classify traffic; again a deny means "not in this class", not "dropped".
  • Firewalls: Interface ACLs are stateless. Every packet is evaluated on its own, so return traffic must be permitted explicitly (or with the established keyword or reflexive ACLs) unless a stateful feature such as Zone-Based Firewall is in use; even then a packet must pass the interface ACL before inspection sees it.
  • Order of operations: On an IOS router an inbound ACL is evaluated before NAT and an outbound ACL after it, so an ACL on the outside interface matches on the global (translated) addresses while an ACL on the inside interface matches on inside local addresses. Dedicated firewalls may use a different order, so check the platform documentation before writing rules around NAT.

12. Performance Considerations

Depending on the platform, ACLs are either evaluated in software for every packet (typical on routers, in the CEF forwarding path) or programmed into hardware TCAM (typical on switches), which holds a finite number of entries. Long or poorly ordered lists therefore cost CPU and latency on the former and TCAM space on the latter.
Best Practice: Keep ACLs short, put the entries that match the most traffic first where the policy allows, and apply a list once, on the interface closest to where it takes effect, rather than duplicating it on several interfaces.

Example Scenario:
Block all Telnet (TCP port 23) traffic from subnet 10.1.1.0/24 outbound on interface Gi0/1.
access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
interface GigabitEthernet0/1
 ip access-group 101 out
      
This prevents any host in 10.1.1.0/24 from initiating Telnet sessions out of this interface.

Key Points and Exam Tips

Key Point                              Explanation
ip access-group [number|name] in|out   Command to apply an ACL to an interface
Inbound ACLs                           Filter before routing
Outbound ACLs                          Filter after routing
Standard ACLs                          Place near the destination
Extended ACLs                          Place near the source
Verification                           Use show ip interface and show access-lists
Removal                                Use no ip access-group ...
Implicit deny                          Every ACL ends with an implicit deny of unmatched traffic
Performance                            Keep ACLs short and well ordered for clarity and speed
Interface type                         Can be applied to physical, SVI, loopback and tunnel interfaces
When and Where to Apply ACLs:
Apply on router or switch interfaces where you need to enforce security, policy, or traffic filtering—at the edge, between zones, or on sensitive subnets.

Applying ACLs to Interfaces Quiz

1. Why do we apply ACLs to interfaces?

Correct answer is C. ACLs on interfaces control incoming or outgoing traffic for security and filtering.

2. What does an inbound ACL filter?

Correct answer is A. Inbound ACL filters traffic before it enters routing or switching processes.

3. Where should you place a standard ACL for best efficiency?

Correct answer is D. Standard ACLs filter by source IP only, so placing them near destination limits impact.

4. How do you apply a named ACL called BLOCK_TELNET outbound on interface GigabitEthernet0/1?

Correct answer is B. Use "ip access-group [name] out" to apply named ACL outbound.

5. Which interface types can ACLs be applied to?

Correct answer is C. ACLs can be applied to multiple interface types, including physical, SVIs, loopbacks, and tunnels.

6. What happens if you apply an ACL in the wrong direction?

Correct answer is A. Wrong direction means ACL may not filter intended traffic or block the wrong traffic.

7. Which command removes an ACL from an interface?

Correct answer is D. Use "no ip access-group [acl] in|out" to remove ACL from an interface.

8. When is it best to apply extended ACLs close to the source?

Correct answer is B. Extended ACLs filter specific traffic close to source to reduce unwanted network traffic.

9. What command shows the ACLs applied to interfaces and their direction?

Correct answer is C. "show ip interface" displays ACLs applied to interfaces and their direction.

10. What is a best practice when applying ACLs to interfaces?

Correct answer is A. Simplicity, documentation, and strategic placement optimize ACL effectiveness and performance.
