Introduction / Context:
Creating an ACL is only half the job; you must apply it to an interface and direction to enforce policy. In classic IPv4 IOS, the command keyword used under an interface is ip access-group. Choosing the right syntax avoids parser errors and ensures the ACL actually filters packets as intended.
Given Data / Assumptions:
- Standard or extended IPv4 ACL number 101 already exists.
- We want to apply it inbound on some interface (for example, G0/0).
- Configuration is done in interface configuration mode.
Concept / Approach:
The correct interface-level command format is: ip access-group <number|name> <in|out>. For ACL 101 inbound, it is ip access-group 101 in. Named ACLs use the same command but with the name instead of a number. IPv6 uses a different keyword: ipv6 traffic-filter.
Step-by-Step Solution:
- Enter interface configuration mode: interface G0/0.
- Apply the ACL: ip access-group 101 in.
- Verify with: show ip interface G0/0.
- Confirm counters increase with: show access-lists 101 during traffic tests.
Verification / Alternative check:
Use show run interface to confirm the line ip access-group 101 in appears. Packet counters in show access-lists will increment when matches occur.
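The same check can be run offline against a saved configuration. The following Python script is an added example, not part of the original page: it parses a running-config, lists every ip access-group binding, and reports ACLs that are defined but bound to no interface, as well as bindings that reference an ACL name or number that is never defined. The sample configuration, the function name, and the ACL names in it are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from a real device).
# GigabitEthernet0/1 references MGMT_IN, but the ACL is defined as MGMT-IN.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any log
access-list 102 permit ip any any
ip access-list extended MGMT-IN
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group MGMT_IN in
!
"""

INTERFACE = re.compile(r"^interface (\S+)")
DEFINE_NUM = re.compile(r"^access-list (\d+) ")
DEFINE_NAMED = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
APPLY = re.compile(r"^\s+ip access-group (\S+) (in|out)\s*$")

def audit_acl_bindings(config):
    """Compare ACL definitions with interface-level ip access-group lines."""
    defined, bindings, iface = set(), [], None
    for line in config.splitlines():
        if m := INTERFACE.match(line):
            iface = m.group(1)
        elif line and not line[0].isspace():
            iface = None  # any other unindented line leaves interface mode
        if m := DEFINE_NUM.match(line) or DEFINE_NAMED.match(line):
            defined.add(m.group(1))
        elif iface and (m := APPLY.match(line)):
            bindings.append((iface, m.group(1), m.group(2)))
    applied = {acl for _, acl, _ in bindings}
    return {
        "bindings": bindings,
        # Only interface bindings are checked; other uses are out of scope.
        "defined_not_applied": sorted(defined - applied),
        "applied_not_defined": sorted(applied - defined),
    }

if __name__ == "__main__":
    for key, value in audit_acl_bindings(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
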
Why Other Options Are Wrong:
- ip access-list 101 out: this is the submode to define rules, not to apply an ACL to an interface.
- access-list ip 101 in and access-group ip 101 in: invalid keyword order.
- ip access-apply: not an IOS command.
Common Pitfalls:
- Forgetting to specify direction; without in or out the command is incomplete.
- Applying the ACL to the wrong interface; direction is relative to the interface.
Final Answer:
ip access-group 101 in