Access control lists (ACLs) on interfaces In Cisco IOS, which statement best describes how many IP access lists you can apply to a single interface, considering direction and Layer-3 protocol?
-
AYou can place as many access lists as you want on any interface until you run out of memory.
-
BYou can apply only one access list on any interface.
-
COne access list may be configured, per direction, for each Layer 3 protocol configured on an interface.
-
DYou can apply two access lists to any interface.
-
EOnly standard access lists can be applied to physical interfaces.
Answer
Correct Answer: One access list may be configured, per direction, for each Layer 3 protocol configured on an interface.
Explanation
Introduction / Context:Access control lists (ACLs) are used on Cisco routers and multilayer switches to filter traffic. A frequent exam and real-world question is how many ACLs can be applied to a single interface. The answer depends on direction (inbound or outbound) and the Layer-3 protocol family (for example, IP, IPv6). Understanding this rule prevents configuration conflicts and unintended traffic blocking.
Given Data / Assumptions:
- The device is using Cisco IOS classic ACL behavior.
- We are discussing interface-applied ACLs (with ip access-group / ipv6 traffic-filter).
- Directions considered: inbound (in) and outbound (out).
Concept / Approach:
The IOS rule is: one ACL per direction per Layer-3 protocol on an interface. For example, for IPv4 you may apply one ACL inbound and one ACL outbound on a given interface. If IPv6 is also enabled, you may additionally apply a separate IPv6 ACL per direction using the corresponding command. Attempting to apply a second IPv4 ACL in the same direction replaces the previous one rather than adding cumulatively.
Step-by-Step Solution:
Identify the protocol family: IPv4 or IPv6.Choose the direction: inbound or outbound.Apply at most one ACL per protocol per direction using ip access-group or ipv6 traffic-filter.Verify with show ip interface or show ipv6 interface to see which ACLs are active.Verification / Alternative check:
Use show running-config interface
Why Other Options Are Wrong:
- “As many as you want”: IOS does not stack multiple IPv4 ACLs in one direction; a new assignment overwrites the old.
- “Only one ACL on any interface”: ignores direction and multiple protocols.
- “Two ACLs on any interface”: incomplete; direction and protocol matter.
- “Only standard ACLs on physical interfaces”: both standard and extended ACLs can be applied.
Common Pitfalls:
- Assuming multiple ACLs “combine.” They do not; you must merge entries into one list per direction.
- Forgetting that ACL processing stops at the first match; order matters.
Final Answer:
One access list may be configured, per direction, for each Layer 3 protocol configured on an interface.