Applying an ACL to an interface (inbound): On a Cisco router, which exact command and mode are used to apply standard or extended access list 110 inbound on interface Ethernet0 (i.e., filter packets as they enter that interface)?
-
ARouter(config)# ip access-group 110 in
-
BRouter(config)# ip access-list 110 in
-
CRouter(config-if)# ip access-group 110 in
-
DRouter(config-if)# ip access-list 110 in
Answer
Correct Answer: Router(config-if)# ip access-group 110 in
Explanation
Introduction / Context:In Cisco IOS, Access Control Lists (ACLs) are attached to interfaces in a specific direction: inbound (in) or outbound (out). Knowing the correct command syntax and configuration mode prevents misapplication of security policies and ensures that packets are filtered at the right point in the forwarding path.
Given Data / Assumptions:
- ACL number is 110 (an extended ACL by convention).
- The target interface is Ethernet0.
- The desired direction is inbound, meaning packets are filtered as they arrive on the interface.
Concept / Approach:
Binding an ACL to an interface is done under interface configuration mode using the command ip access-group
Step-by-Step Solution:
Enter privileged EXEC: enableEnter global config: configure terminalSelect interface: interface Ethernet0Apply ACL inbound: ip access-group 110 inExit and save: end, copy run startVerification / Alternative check:
Use show ip interface Ethernet0 to confirm lines such as “Inbound access list is 110”. Packet counters on the ACL (via show access-lists 110) help verify hits and effectiveness.
Why Other Options Are Wrong:
Global-mode ip access-group (A) is invalid; binding must occur under the interface.
ip access-list (B/D) is used to define ACL entries (named/numbered), not to apply them to interfaces.
Common Pitfalls:
Applying the ACL in the wrong direction, forgetting to place extended ACLs near the source for efficiency, and assuming global mode suffices. Always verify with show commands.
Final Answer:
Router(config-if)# ip access-group 110 in