Cisco ACL Direction Reference

cisco acl command


ACL Direction Concepts

The in and out directions are relative to the interface/SVI, not the traffic flow through the network.

VLAN SVIs

int vlan 500
ip access-group restrict-to-equip-3205 out

Outbound Direction (on an SVI): On an SVI, the out direction means traffic leaving the VLAN through the SVI. This means the traffic has already been processed by the switch’s routing engine.

  • The access list sees the source IP addresses as those belonging to devices within the VLAN that are trying to communicate with destinations outside of the VLAN.

Physical Interfaces

int gi0/0/0
ip access-group restrict-to-equip-3205 out

On a physical interface, out means traffic leaving the switch through that specific port.

  • Direction is Relative to the Switch: The out direction is relative to the switch itself, not a VLAN. It’s traffic the switch is sending out of port gi0/0/0.
  • If the port is an access port, the source will be from the switch, and the destination is the connected device.

Direction Summary

Interface Typeinout
SVITraffic entering VLAN from other VLANs/routingTraffic leaving VLAN to other VLANs/routing
Physical (Routed)Traffic arriving from connected networkTraffic leaving to connected network
Physical (L2 Access)Traffic from connected device into switchTraffic from switch to connected device

Verification Commands

Show ACL Applied to Interface

show ip interface gi0/0/0
show ip interface vlan 500

Look for Outgoing access list and Inbound access list lines.

Show ACL Contents

show access-lists restrict-to-equip-3205
show ip access-lists

Show ACL Hit Counts

show access-lists restrict-to-equip-3205

Each line shows match count (resets on reload or clear).

Clear ACL Counters

clear access-list counters restrict-to-equip-3205

IPv6 Considerations

IPv6 ACLs use ipv6 traffic-filter instead of ip access-group:

interface vlan 500
ipv6 traffic-filter IPV6-FILTER out

Show IPv6 ACLs

show ipv6 access-list
show ipv6 interface vlan 500

Best Practices

  • Apply ACLs as close to the source as possible for deny rules (reduces unnecessary traffic)
  • Apply ACLs close to the destination for permit rules when using named ACLs with logging
  • Use established keyword for return traffic on extended ACLs
  • Consider implicit deny at end of every ACL
  • Document with remarks:
    ip access-list extended WEB-ACL
     remark Allow HTTPS from trusted network
     permit tcp 10.1.0.0 0.0.255.255 any eq 443