ACL · Interface Config

ip access-group [name] [in|out]

Applies an IPv4 ACL to an interface for inbound or outbound traffic filtering.

Overview

The 'ip access-group' command is used to bind an existing IPv4 Access Control List (ACL) to a specific interface on a Cisco Nexus switch running NX-OS. ACLs are a fundamental security feature that filter traffic based on criteria such as source/destination IP, protocol, and port numbers. By applying an ACL to an interface, you control which packets are allowed to enter or exit that interface. The command requires the ACL name and direction: 'in' for inbound traffic (packets arriving on the interface) or 'out' for outbound traffic (packets leaving the interface). In NX-OS, ACLs are stateful only if configured with reflexive or advanced features; standard ACLs are stateless. This command is typically used in security policies, traffic segmentation, and troubleshooting. It fits into workflows where you need to restrict access to sensitive network segments, block malicious traffic, or enforce compliance. On Nexus platforms, ACLs are hardware-accelerated for performance, but the configuration is similar to Cisco IOS. Always verify ACL application with 'show running-config interface' and monitor hit counts with 'show ip access-lists'.

Syntax · Interface Config
ip access-group {access-list-name} {in | out}

When to Use This Command

  • Restrict inbound traffic to a management interface to only allow SSH from specific management subnets.
  • Apply an outbound ACL on a border interface to block traffic to known malicious IP addresses.
  • Filter traffic between VLANs on a Layer 3 interface to enforce security policies.
  • Temporarily apply an ACL to a production interface during a security incident to block suspicious traffic.

Parameters

Parameter          Syntax      Description
access-list-name   WORD        The name of the IPv4 ACL to apply. Must match an existing ACL configured with 'ip access-list'.
in | out           in | out    Direction of traffic filtering: 'in' applies to packets entering the interface, 'out' applies to packets leaving the interface.

Command Examples

Apply inbound ACL to management interface

interface mgmt0
  ip access-group MGMT-ACL in

The command is applied without output; use 'show ip access-lists' and 'show running-config interface mgmt0' to verify.

Apply outbound ACL to routed interface

interface ethernet 1/1
  ip access-group BLOCK-OUT out

No immediate output; verification via 'show ip access-lists BLOCK-OUT' and 'show interface ethernet 1/1'.

Understanding the Output

The 'ip access-group' command itself does not produce output. To verify the ACL application, use 'show running-config interface <interface>' to see the 'ip access-group' line. Use 'show ip access-lists <name>' to view the ACL entries and hit counts. Per-entry hit counts are only maintained when 'statistics per-entry' is configured inside the ACL; without it, 'show ip access-lists' lists the entries but no match counters. The hit count increments each time a packet matches a rule; a high count on a deny entry indicates blocked traffic. Expected matches on permit entries are healthy; unexpectedly high counts on deny entries may indicate a misconfiguration or an attack.

Configuration Scenarios

Restrict SSH access to management interface

A Nexus switch management interface (mgmt0) should only accept SSH from the 10.10.10.0/24 subnet.

Topology

[Management Network 10.10.10.0/24] --- mgmt0 [Nexus Switch]

Steps

  1. Create an ACL named MGMT-ACL that permits TCP from 10.10.10.0/24 to any destination port 22.
  2. Apply the ACL inbound on interface mgmt0.

Configuration
! Configure ACL
ip access-list MGMT-ACL
  statistics per-entry
  permit tcp 10.10.10.0/24 any eq 22
! statistics per-entry is required for the hit counts used in the Verify step
! Apply to interface
interface mgmt0
  ip access-group MGMT-ACL in

Verify: Use 'show ip access-lists MGMT-ACL' to verify ACL entries and hit counts. Use 'show running-config interface mgmt0' to confirm the access-group is applied.

Watch out: Ensure the management network is reachable; the implicit deny will block all other traffic, including necessary protocols like DHCP or NTP if not permitted.

Block outbound traffic to a malicious IP

A Nexus switch connects to the internet via interface Ethernet1/1. A known malicious IP 203.0.113.5 must be blocked outbound.

Topology

[Internal Network] --- Eth1/1 [Nexus] --- Internet (203.0.113.5)

Steps

  1. Create an ACL named BLOCK-OUT that denies IP to host 203.0.113.5 and permits all other traffic.
  2. Apply the ACL outbound on interface Ethernet1/1.

Configuration
! Configure ACL
ip access-list BLOCK-OUT
  statistics per-entry
  deny ip any host 203.0.113.5
  permit ip any any
! statistics per-entry is required for the hit counts used in the Verify step
! Apply to interface
interface ethernet 1/1
  ip access-group BLOCK-OUT out

Verify: Use 'show ip access-lists BLOCK-OUT' to see hit counts on the deny entry. Use 'show interface ethernet 1/1' to verify ACL application.

Watch out: The order of entries matters; the deny must come before the permit. Also, outbound ACLs do not affect traffic sourced from the switch itself (e.g., management traffic).

Troubleshooting with This Command

When troubleshooting ACL issues on Nexus, start by verifying the ACL is applied correctly with 'show running-config interface <interface>'. Look for the 'ip access-group' line. If missing, reapply. Next, check the ACL content with 'show ip access-lists <name>'. Ensure the entries are in the correct order and that the desired permit/deny logic is present. Pay attention to hit counts: a high hit count on a deny entry indicates blocked traffic, which may be expected or a sign of misconfiguration. If hit counts are zero, the ACL may not be matching any traffic; verify the traffic path and that the ACL is applied in the correct direction. Use 'show interface <interface>' to check for input/output packet counters; if packets are being dropped, the ACL may be the cause. For complex issues, use 'ethanalyzer' or 'debug ip packet' with ACL logging (if configured). Remember that NX-OS ACLs are hardware-accelerated; changes may take a moment to take effect. Also, implicit deny at the end of ACLs can cause unexpected drops; always include a permit any any at the end if you want to allow all other traffic.

CCNA Exam Tips

  1. Remember that ACLs are applied per interface, per direction, and only one ACL per direction is allowed.
  2. In NX-OS, ACLs are processed in order; the first match is applied (implicit deny at end).
  3. Be aware that NX-OS uses a single 'ip access-group' command; there is no 'ipv6 access-group' separate command (IPv6 uses 'ipv6 traffic-filter').

Common Mistakes

Forgetting to create the ACL before applying it, resulting in an error.

Applying the ACL in the wrong direction (in vs out), causing unintended filtering.

Not considering the implicit deny at the end of ACLs, which blocks all traffic not explicitly permitted.

Platform Notes

In Cisco NX-OS, the 'ip access-group' command is similar to Cisco IOS but with some differences. NX-OS uses named ACLs only; numbered ACLs are not supported. The command syntax is identical: 'ip access-group <name> in|out'. However, NX-OS does not support the 'ip access-group' command on SVIs (Switch Virtual Interfaces) in some older versions; use 'ip port access-group' for Layer 2 interfaces. For IPv6, use 'ipv6 traffic-filter' instead. On Nexus, ACLs are applied to both routed and switched interfaces, but on Layer 2 interfaces, only inbound ACLs are supported (outbound ACLs on Layer 2 are not allowed). Also, NX-OS supports object-groups and time-based ACLs, which are configured separately. Performance-wise, Nexus switches use TCAM for hardware ACL processing, so large ACLs may consume TCAM resources. Always check TCAM utilization with 'show hardware access-list resource utilization'. In summary, while the command is familiar to IOS engineers, be aware of these platform-specific nuances.
