10.1 Access Lists
10.1.5 Syntax for applying access lists
Access lists are applied to one or more interfaces, and can filter inbound or outbound traffic. A good rule to remember is that you can apply one access list per protocol, per interface, per direction (in or out). Outbound access lists require fewer CPU cycles than inbound lists and therefore are preferred. A router with an outbound access list must switch every packet to an outbound interface before checking against the list. This results in a waste of processing resources if the packet ends up being denied.

To apply an access list to an interface, use the command syntax shown in the figure:

Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
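
The following configuration is an added example, not part of the original page, showing the syntax above with one numbered and one named list on the same interface, one per direction. The interface name, list numbers, list name and addresses (documentation ranges) are constructed assumptions.

```cisco
! Constructed example: GigabitEthernet0/0 faces a LAN using 192.0.2.0/24.

! Numbered standard list: only accept packets sourced from the LAN subnet.
access-list 10 permit 192.0.2.0 0.0.0.255

! Narrower numbered list, used below to show replacement.
access-list 20 permit 192.0.2.0 0.0.0.127

! Named extended list: only return TCP traffic may be sent toward the LAN.
ip access-list extended TO-LAN
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny ip any any log

interface GigabitEthernet0/0
 ! One IP list inbound (by number) and one outbound (by name).
 ip access-group 10 in
 ip access-group TO-LAN out

! One list per protocol, per interface, per direction:
! a second inbound IP list does not stack, it replaces list 10.
interface GigabitEthernet0/0
 ip access-group 20 in

! Removing a binding uses the "no" form of the same command.
interface GigabitEthernet0/0
 no ip access-group TO-LAN out
```

After each change, `show ip interface GigabitEthernet0/0` reports which list is bound in each direction, which confirms that the intended list is the one filtering traffic.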

Applying access lists to an interface is just one part of IP traffic management. The following section looks at other ways of applying access lists to implement security.