Access control lists (ACLs) on interfaces

In Cisco IOS, which statement best describes how many IP access lists you can apply to a single interface, considering direction and Layer-3 protocol?

Difficulty: Easy

Correct Answer: One access list may be configured, per direction, for each Layer 3 protocol configured on an interface.

Explanation:


Introduction / Context:
Access control lists (ACLs) are used on Cisco routers and multilayer switches to filter traffic. A frequent exam and real-world question is how many ACLs can be applied to a single interface. The answer depends on two things: the direction (inbound or outbound) and the Layer-3 protocol family (IPv4 or IPv6). Understanding this rule prevents configuration conflicts and, more importantly, prevents a later ACL assignment from silently discarding the filtering that an earlier one provided.


Given Data / Assumptions:

  • The device is using Cisco IOS classic ACL behavior.
  • We are discussing interface-applied ACLs (ip access-group for IPv4, ipv6 traffic-filter for IPv6).
  • Directions considered: inbound (in) and outbound (out).


Concept / Approach:

The IOS rule is: one ACL per direction per Layer-3 protocol on an interface. For IPv4 you may apply one ACL inbound and one ACL outbound on a given interface. If IPv6 is also enabled, you may additionally apply a separate IPv6 ACL in each direction using ipv6 traffic-filter. The slots are independent, so a single dual-stack interface can carry up to four lists (IPv4 in, IPv4 out, IPv6 in, IPv6 out). Applying a second IPv4 ACL in the same direction does not add to the first one; the new assignment replaces the previous one, and no warning is printed.


Step-by-Step Solution:

  1. Identify the protocol family: IPv4 or IPv6.
  2. Choose the direction: inbound or outbound.
  3. Apply at most one ACL per protocol per direction using ip access-group (IPv4) or ipv6 traffic-filter (IPv6).
  4. Verify with show ip interface or show ipv6 interface to see which ACLs are active.


Verification / Alternative check:

Use show running-config interface and show ip interface to confirm that exactly one IPv4 ACL per direction is active; show ip interface reports the inbound and outgoing list names (or "not set") for the interface. Repeat with show ipv6 interface for IPv6 ACLs.


Why Other Options Are Wrong:

  • “As many as you want”: IOS does not stack multiple IPv4 ACLs in one direction; a new assignment overwrites the old.
  • “Only one ACL on any interface”: ignores direction and multiple protocols.
  • “Two ACLs on any interface”: incomplete; direction and protocol matter.
  • “Only standard ACLs on physical interfaces”: both standard and extended ACLs can be applied.


Common Pitfalls:

  • Assuming multiple ACLs “combine.” They do not; a second assignment in the same direction replaces the first, so you must merge the entries into one list per protocol per direction.
  • Forgetting that ACL processing stops at the first match and that every list ends with an implicit deny; order of entries matters.
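The procedure in the Step-by-Step section and the “ACLs do not combine” pitfall above, shown as an IOS configuration. This is an added example, not part of the original question: the interface, addresses and ACL names (WEB-IN, WEB-OUT, V6-IN, SSH-IN) are assumed for illustration. It applies one IPv4 list per direction plus one IPv6 list on the same interface, shows the assignment that would silently replace the inbound IPv4 list, and merges the extra entry into the single inbound list instead.

```cisco
! Added example; not from the original page. Interface, addresses and
! ACL names (WEB-IN, WEB-OUT, V6-IN, SSH-IN) are assumed for illustration.

! --- Steps 1-2: one IPv4 list for inbound, one for outbound ---
ip access-list extended WEB-IN
 remark IPv4 inbound: only HTTPS to the web server
 10 permit tcp any host 192.0.2.10 eq 443
 20 deny   ip any any log
!
ip access-list extended WEB-OUT
 remark IPv4 outbound: only established return traffic from the web server
 10 permit tcp host 192.0.2.10 any established
 20 deny   ip any any log
!
! --- The IPv6 family has its own inbound slot on the same interface ---
ipv6 access-list V6-IN
 remark IPv6 inbound: only HTTPS to the web server
 permit tcp any host 2001:db8::10 eq 443
 deny ipv6 any any log
!
! --- Step 3: at most one list per protocol per direction ---
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8::1/64
 ip access-group WEB-IN in
 ip access-group WEB-OUT out
 ipv6 traffic-filter V6-IN in
!
! Pitfall: the commented-out lines below would NOT add a second IPv4
! inbound list. They silently replace WEB-IN with SSH-IN, so the HTTPS
! permit in WEB-IN would no longer be evaluated at all.
!   interface GigabitEthernet0/0
!    ip access-group SSH-IN in
!
! Fix: merge the SSH entry into the single inbound list that is already
! applied. Sequence numbers control ordering; the first match wins and
! the implicit deny closes the list, so the new entry goes before 20.
ip access-list extended WEB-IN
 5 permit tcp host 198.51.100.5 host 192.0.2.10 eq 22
!
! --- Step 4: verify exactly one list per protocol per direction ---
! show ip interface GigabitEthernet0/0 | include access list
!   Outgoing access list is WEB-OUT
!   Inbound  access list is WEB-IN
! show ipv6 interface GigabitEthernet0/0
! show ip access-lists WEB-IN
! show running-config interface GigabitEthernet0/0
```

The two show ip interface lines quoted in the comments are the fields to check: each direction names exactly one IPv4 list (or reads “not set”). Because the named list is edited in place, the interface binding never changes during the merge, so there is no window in which the interface is unfiltered or filtered by the wrong list.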


Final Answer:

One access list may be configured, per direction, for each Layer 3 protocol configured on an interface.
