Cisco ACL Direction Reference
ACL Direction Concepts
The in and out directions are relative to the interface/SVI, not the traffic flow through the network.
VLAN SVIs
int vlan 500
ip access-group restrict-to-equip-3205 out
Outbound Direction (on an SVI): On an SVI, the out direction means traffic leaving the VLAN through the SVI. This means the traffic has already been processed by the switch’s routing engine.
- The access list sees the source IP addresses as those belonging to devices within the VLAN that are trying to communicate with destinations outside of the VLAN.
Physical Interfaces
int gi0/0/0
ip access-group restrict-to-equip-3205 out
On a physical interface, out means traffic leaving the switch through that specific port.
- Direction is Relative to the Switch: The
outdirection is relative to the switch itself, not a VLAN. It’s traffic the switch is sending out of port gi0/0/0. - If the port is an access port, the source will be from the switch, and the destination is the connected device.
Direction Summary
| Interface Type | in | out |
|---|---|---|
| SVI | Traffic entering VLAN from other VLANs/routing | Traffic leaving VLAN to other VLANs/routing |
| Physical (Routed) | Traffic arriving from connected network | Traffic leaving to connected network |
| Physical (L2 Access) | Traffic from connected device into switch | Traffic from switch to connected device |
Verification Commands
Show ACL Applied to Interface
show ip interface gi0/0/0
show ip interface vlan 500
Look for Outgoing access list and Inbound access list lines.
Show ACL Contents
show access-lists restrict-to-equip-3205
show ip access-lists
Show ACL Hit Counts
show access-lists restrict-to-equip-3205
Each line shows match count (resets on reload or clear).
Clear ACL Counters
clear access-list counters restrict-to-equip-3205
IPv6 Considerations
IPv6 ACLs use ipv6 traffic-filter instead of ip access-group:
interface vlan 500
ipv6 traffic-filter IPV6-FILTER out
Show IPv6 ACLs
show ipv6 access-list
show ipv6 interface vlan 500
Best Practices
- Apply ACLs as close to the source as possible for
denyrules (reduces unnecessary traffic) - Apply ACLs close to the destination for
permitrules when using named ACLs with logging - Use
establishedkeyword for return traffic on extended ACLs - Consider implicit deny at end of every ACL
- Document with remarks:
ip access-list extended WEB-ACL remark Allow HTTPS from trusted network permit tcp 10.1.0.0 0.0.255.255 any eq 443