Applying an ACL to an interface (inbound): On a Cisco router, which exact command and mode are used to apply standard or extended access list 110 inbound on interface Ethernet0 (i.e., filter packets as they enter that interface)?

Difficulty: Easy

Correct Answer: Router(config-if)# ip access-group 110 in

Explanation:


Introduction / Context:
In Cisco IOS, Access Control Lists (ACLs) are attached to interfaces in a specific direction: inbound (in) or outbound (out). Knowing the correct command syntax and configuration mode prevents misapplication of security policies and ensures that packets are filtered at the right point in the forwarding path.



Given Data / Assumptions:

  • ACL number is 110 (an extended ACL by convention).
  • The target interface is Ethernet0.
  • The desired direction is inbound, meaning packets are filtered as they arrive on the interface.


Concept / Approach:

Binding an ACL to an interface is done under interface configuration mode using the command ip access-group <acl-number> in|out. Global configuration is not sufficient; you must enter the interface submode. The ACL content (the permit/deny lines) is created separately and is not part of the binding command itself.



Step-by-Step Solution:

  • Enter privileged EXEC: enable
  • Enter global config: configure terminal
  • Select interface: interface Ethernet0
  • Apply ACL inbound: ip access-group 110 in
  • Exit and save: end, copy run start


Verification / Alternative check:

Use show ip interface Ethernet0 to confirm lines such as “Inbound access list is 110”. Packet counters on the ACL (via show access-lists 110) help verify hits and effectiveness.



Why Other Options Are Wrong:

Global-mode ip access-group (A) is invalid; binding must occur under the interface.

ip access-list (B/D) is used to define ACL entries (named/numbered), not to apply them to interfaces.



Common Pitfalls:

Applying the ACL in the wrong direction, forgetting to place extended ACLs near the source for efficiency, and assuming global mode suffices. Always verify with show commands.
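A check for the pitfalls above, as an added example that is not part of the original page: it audits a candidate IOS config file for ip access-group lines outside interface mode, bindings in the wrong direction, and bindings to ACLs that are never defined. The sample config, its addresses, ACL 120 and the audit helper are constructed for illustration.

```python
import re

# Constructed candidate config (not from the page) with three mistakes: a binding
# outside interface mode, a wrong direction, and a binding to an undefined ACL.
SAMPLE_CONFIG = """\
ip access-group 110 in
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 110 out
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ip access-group 120 in
!
access-list 110 permit tcp any host 192.0.2.10 eq 443
access-list 110 deny ip any any log
"""

BIND = re.compile(r"^ip access-group (\S+) (in|out)$")
DEFINE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")

def audit(config, expected):
    """expected maps interface -> (acl, direction); returns a list of findings."""
    findings, bindings, defined, current = [], {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        m = DEFINE.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
        if not raw.startswith(" "):
            # An unindented line ends any interface submode.
            current = line.split()[1] if line.startswith("interface ") else None
        m = BIND.match(line)
        if not m:
            continue
        if current is None:
            findings.append(f"global: '{line}' is outside interface mode")
        else:
            bindings.setdefault(current, []).append(m.groups())
    for intf, want in expected.items():
        found = bindings.get(intf, [])
        if want not in found:
            findings.append(f"{intf}: expected ACL {want[0]} {want[1]}, found {found}")
    for intf, pairs in bindings.items():
        findings += [f"{intf}: ACL {acl} is bound but never defined"
                     for acl, _ in pairs if acl not in defined]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, {"Ethernet0": ("110", "in")})))
```
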



Final Answer:

Router(config-if)# ip access-group 110 in
