ip access-group [acl] [in|out]
Applies an access control list (ACL) to an interface to filter inbound or outbound traffic based on the ACL rules.
When to Use This Command
- Restrict inbound traffic on a WAN interface to only allow specific services like HTTP and HTTPS from the internet.
- Block outbound traffic from a specific subnet to the internet on a LAN interface.
- Apply a standard ACL to a router's serial interface to permit or deny traffic based on source IP address.
- Use an extended ACL on a VLAN interface to filter traffic between different departments in a corporate network.
Command Examples
Apply standard ACL to inbound traffic on GigabitEthernet0/0

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 10 in
Router(config-if)#

The first command enters interface configuration mode for GigabitEthernet0/0; the second applies ACL 10 to traffic arriving on that interface. Nothing is printed on success and the prompt stays in interface configuration mode.
Apply extended ACL to outbound traffic on Serial0/0/0

Router(config)# interface Serial0/0/0
Router(config-if)# ip access-group 110 out
Router(config-if)#

This applies extended ACL 110 to traffic leaving Serial0/0/0. The command completes silently; define ACL 110 before applying it, because IOS does not check that the list exists at this point.
Understanding the Output
The ip access-group command produces no output on success; it simply binds the ACL to the interface. To verify, use 'show ip interface [interface]' and look for 'Inbound access list is 10' or 'Outgoing access list is 110'; 'show access-lists' shows the entries of each ACL and the number of packets that matched them, which confirms the filter is actually seeing traffic. Note that IOS accepts a reference to an ACL that has not been defined yet: the command is not rejected, and the interface forwards all traffic as if no ACL were applied until the list is created. The same happens if an applied ACL is later deleted with 'no access-list'. Always create and verify the ACL before applying it, then check the interface with 'show ip interface'.
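Because an undefined ACL silently permits everything and an ACL with only deny entries silently drops everything, the binding is worth auditing from the running configuration rather than trusting that the commands completed without error. The following Python script is an added example, not part of the original page or of any Cisco tool: it parses a constructed running-config excerpt (the interface names, addresses and ACL numbers are invented for illustration), collects every 'ip access-group' binding, and flags bindings whose ACL is missing or has no permit statement.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt for illustration only; not captured
# from a real device. ACL 110 and LAN-OUT are defined and applied
# correctly, ACL 120 contains only deny entries, and ACL 10 is applied
# on Gi0/1 but never defined (so that interface is unfiltered outbound).
RUNNING_CONFIG = """\
!
access-list 110 permit tcp any host 203.0.113.10 eq 80
access-list 110 permit tcp any host 203.0.113.10 eq 443
access-list 110 deny ip any any log
access-list 120 deny ip 192.168.50.0 0.0.0.255 any
!
ip access-list extended LAN-OUT
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 110 in
!
interface GigabitEthernet0/1
 ip address 192.168.50.1 255.255.255.0
 ip access-group 120 in
 ip access-group 10 out
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group LAN-OUT out
!
"""


def parse_config(config):
    """Return ({acl_name: [actions]}, [(interface, acl, direction)]).

    Handles numbered ACLs ('access-list N permit ...') and named ACLs
    ('ip access-list extended NAME' followed by indented entries, with
    or without sequence numbers). Remarks are ignored.
    """
    acls = defaultdict(list)
    applied = []
    block_kind, block_name = None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            # Any top-level line ends the current interface or named-ACL block.
            block_kind = block_name = None
            m = re.match(r"access-list (\S+) (permit|deny|remark)\b", line)
            if m:
                if m.group(2) != "remark":
                    acls[m.group(1)].append(m.group(2))
                continue
            m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
            if m:
                block_kind, block_name = "acl", m.group(1)
                acls.setdefault(block_name, [])  # defined even if still empty
                continue
            m = re.match(r"interface (\S+)$", line)
            if m:
                block_kind, block_name = "interface", m.group(1)
            continue
        # Indented line: an entry inside the current block.
        if block_kind == "acl":
            m = re.match(r"\s+(?:\d+\s+)?(permit|deny)\b", line)
            if m:
                acls[block_name].append(m.group(1))
        elif block_kind == "interface":
            m = re.match(r"\s+ip access-group (\S+)(?: (in|out))?$", line)
            if m:
                applied.append((block_name, m.group(1), m.group(2)))
    return dict(acls), applied


def audit(config):
    """Return human-readable findings for risky ip access-group bindings."""
    acls, applied = parse_config(config)
    findings = []
    for intf, acl, direction in applied:
        where = f"{intf} {acl} {direction or '(no direction)'}"
        if direction is None:
            findings.append(f"{where}: direction omitted")
        if acl not in acls:
            # IOS accepts the binding but filters nothing until the ACL exists.
            findings.append(f"{where}: ACL undefined, interface is unfiltered (permits all)")
        elif "permit" not in acls[acl]:
            # Only deny entries plus the implicit deny any: everything is dropped.
            findings.append(f"{where}: ACL has no permit entry, drops all traffic")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG):
        print(finding)
```

Run against a real device by pasting the output of 'show running-config' into RUNNING_CONFIG; the script only reads text, so it can be used before pushing a change as well as after. It does not evaluate what the permit entries allow, only whether the binding points at a list that exists and can pass anything at all.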
CCNA Exam Tips
Remember that standard ACLs (1-99, 1300-1999) match only on source address, so they are placed as close to the destination as possible to avoid blocking that source from reaching destinations you did not intend to filter. Extended ACLs (100-199, 2000-2699) can match source, destination, protocol and port, so they are placed close to the source to drop unwanted traffic before it crosses the network.
Always give the direction explicitly. Depending on the IOS release, omitting it is either rejected as an incomplete command or silently defaults to out, which applies a filter meant for inbound traffic in the wrong direction.
Only one ACL per interface per direction is allowed; applying a new ACL overwrites the previous one.
Every ACL ends with an implicit deny any, so an ACL containing only deny statements blocks all traffic in that direction. Be careful with inbound ACLs on router-to-router links: they can drop incoming routing protocol packets unless you permit them explicitly. Outbound ACLs do not filter packets the router itself generates, so they will not block the router's own routing updates.
Common Mistakes
Applying an ACL that does not exist yet. The command is accepted, but the interface passes all traffic unfiltered until the ACL is defined, so a typo in the ACL number or name leaves the interface wide open without any warning.
Omitting the direction (in/out), which is either rejected or, on some releases, silently defaults to out.
Using a standard ACL where filtering on destination address or port is needed; standard ACLs match only on source IP address.
Placing an extended ACL far from the source, so unwanted traffic is forwarded across the network and consumes bandwidth and router resources only to be dropped at the far end.
Related Commands
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ip interface
Displays the status and configuration of all IP interfaces on a Cisco router, including IP address, protocol status, and interface statistics, used for verifying interface IP configuration and troubleshooting connectivity issues.