Home
Support
Product Support
Optical Networking
Cisco Network Convergence System 1000 Series
Configuration Guides

System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases

How do ACL entries decide whether to permit or deny traffic?
What changes when ACLs are applied inbound instead of outbound?
How should IPv4 and IPv6 ACL behavior be verified after applying them?

View all Saved Content

PDF

Is this content helpful?

Helpful Unhelpful

Suggestions for Improvement

Thank you for your feedback. Your response has been recorded.

Ask about this content

System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases

How do ACL entries decide whether to permit or deny traffic?
What changes when ACLs are applied inbound instead of outbound?
How should IPv4 and IPv6 ACL behavior be verified after applying them?

Expand all sections

About this content

Cisco NCS 1010 optical line system

Cisco NCS 1010 chassis and line cards
Cisco NCS 1000 passive modules

Software setup fundamentals

Types of software releases for Cisco NCS 1010
Downloadable software files for Cisco NCS 1010
Command modes for Cisco NCS 1010

Setup procedures

Pre-setup requirements for Cisco NCS 1010
Cisco NCS 1010 setup workflow
Cisco NCS 1010 software and hardware verification
Cisco NCS 1010 post-setup tasks

TACACS+ and RADIUS configuration

TACACS+ and RADIUS configuration details
Deprecation of type 7 password and type 5 secret
TACACS+ protocol
Configure TACACS+ server
Configure and verify TACACS+ server groups
RADIUS protocol
Configure and verify RADIUS server groups

Setup and upgrade workflow

NCS 1010 upgrade
Software and firmware compatibility matrix
Software upgrade plan
Back up the current configuration
Field programmable devices
System stability checks
Install file sources
Download install files from Cisco Software Center
Software upgrade methods
Data model software upgrade method
Software upgrade verification

Classic ZTP deployment

DHCP configuration
Provision Cisco NCS 1010 using DHCP-based ZTP fresh boot

Software maintenance

Install additional RPMs and bug fixes
Downgrade software version
Telemetry sensor paths for install operations

Setup and upgrade troubleshooting

NCS 1010 boot failure recovery
Recover password
Resolve insufficient disk space during software installation
Recover frozen console prompt

Disaster recovery

Disaster recovery partitions
CPU replacement considerations
Backup ISO image health check
Automated file management behavior

BGP configuration

BGP routing

CDP configurations

CDP support on Cisco NCS 1010

Daisy chain topology

Daisy chain topology
Configure daisy chain on management ports
Verify daisy chain
Enable storm control on TOR switch
Disable DAD on the management port

Access control lists

Access control lists
How access control lists work
Apply ACLs
ACL configuration procedures

Remote node management

Remote node management details for NCS 1010
Remote node management with OSC
Remote node management prerequisites
DHCP relay configuration for OLT node
Loopback IP address for OSC interface
OSPF neighbor discovery
ILA node configuration
OLT node configuration

Remote console connection workflow

Remote console connection details
Remote console connection support for Cisco NCS 1010
Find the MAC address of all the nodes
Connect to a remote node

Automated file management

Automated file management behavior

Audit log storage and monitoring

Audit logging and monitoring details
Audit logs
How audit logging works
Guideline: Use audit logging
Note: Review audit log storage behavior
Configure audit logging

Process memory management

Process memory management details
Core dump folders

How access control lists work

Updated: June 17, 2026

Want to summarize with AI?

This section describes how access control lists evaluate packet fields and apply matching permit or deny statements to control network traffic.

An ACL is a sequential list consisting of permit and deny statements that apply to IP addresses and upper-layer IP protocols. The ACL has a name by which it is referenced. Many software commands accept an ACL as part of their syntax.

An ACL can be configured and named; however, it does not take effect until the ACL is referenced by a command that accepts an ACL. Multiple commands can reference the same ACL. An ACL can control traffic arriving at the router or leaving the router, but not traffic originating at the router.

Source address and destination address are two of the most typical fields in an IP packet on which to base an ACL. Specify source addresses to control packets from certain networking devices or hosts. Specify destination addresses to control packets that are sent to certain networking devices or hosts.

You can also filter packets on the basis of transport layer information, such as whether the packet is a TCP, UDP, Internet Control Message Protocol (ICMP), or Internet Group Management Protocol (IGMP) packet.

ACL Workflow

The following image illustrates the workflow of an ACL.

Workflow of Access Control List — Figure 1. ACL Workflow

Helpful Hints for Creating ACLs

Consider the following when creating ACLs:

Guidelines and Restrictions for Configuring ACLs

You must be aware of the following restrictions for configuring ACLs.

Summary

The key components involved in how access control lists work are:

ACL entries: Define permit and deny statements for network traffic.
Interfaces: Apply access lists to inbound or outbound traffic.
Traffic flows: Match configured rules before the device permits or denies packets.

Workflow

The how access control lists work process involves the following stages:

An ACL is a sequential list consisting of permit and deny statements that apply to IP addresses and upper-layer IP protocols. The ACL has a name by which it is referenced. Many software commands accept an ACL as part of their syntax.
An ACL can be configured and named; however, it does not take effect until the ACL is referenced by a command that accepts an ACL. Multiple commands can reference the same ACL. An ACL can control traffic arriving at the router or leaving the router, but not traffic originating at the router.
Source address and destination address are two of the most typical fields in an IP packet on which to base an ACL. Specify source addresses to control packets from certain networking devices or hosts. Specify destination addresses to control packets that are sent to certain networking devices or hosts.
You can also filter packets on the basis of transport layer information, such as whether the packet is a TCP, UDP, Internet Control Message Protocol (ICMP), or Internet Group Management Protocol (IGMP) packet.
ACL Workflow
The following image illustrates the workflow of an ACL.
ACL Workflow
Helpful Hints for Creating ACLs

Result

The process determines how matching traffic is permitted, denied, or forwarded.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.