Connectivity Guide

Table Of Contents
Apply the ACL as an inbound or outbound ACL on an interface in CONFIGURATION mode, and view the number of packets matching
the ACL.
show ip access-list {in | out}
Ingress ACL lters
To create an ingress ACL lter, use the ip access-group command in EXEC mode. To congure ingress, use the in keyword. Apply
rules to the ACL with the ip access-list acl-name command. To view the access-list, use the show access-lists command.
1 Apply an ingress access-list on the interface in INTERFACE mode.
ip access-group access-group-name in
2 Return to CONFIGURATION mode.
exit
3 Create the access-list in CONFIGURATION mode.
ip access-list access-list-name
4 Create the rules for the access-list in ACCESS-LIST mode.
permit ip host ip-address host ip-address count
Apply ACL rules to access-group and view access-list
OS10(config)# interface ethernet 1/1/28
OS10(conf-if-eth1/1/28)# ip access-group abcd in
OS10(conf-if-eth1/1/28)# exit
OS10(config)# ip access-list acl1
OS10(conf-ipv4-acl)# permit ip host 10.1.1.1 host 100.1.1.1 count
Egress ACL lters
Egress ACL lters aect the trac leaving the network. Conguring egress ACL lters onto physical interfaces protects the system
infrastructure from a malicious and intentional attack by explicitly allowing only authorized trac. These system-wide ACL lters eliminate
the need to apply ACL lters onto each interface.
You can use an egress ACL lter to restrict egress trac. For example, when you isolate denial of service (DoS) attack trac to a specic
interface, and apply an egress ACL lter to block the DoS ow from exiting the network, you protect downstream devices.
1 Apply an egress access-list on the interface in INTERFACE mode.
ip access-group access-group-name out
2 Return to CONFIGURATION mode.
exit
3 Create the access-list in CONFIGURATION mode.
ip access-list access-list-name
4 Create the rules for the access-list in ACCESS-LIST mode.
seq 10 deny ip any any count fragment
Apply rules to ACL lter
OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# ip access-group egress out
OS10(conf-if-eth1/1/29)# exit
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment
View IP ACL lter conguration
OS10# show ip access-lists out
Egress IP access-list abcd
Active on interfaces :
Access Control Lists
699