Implementing an ACL and a Service-Policy on same interface

Answered Question
Sep 9th, 2009

Looking for a sanity check. I was going to lab it up but decided to check here first.

On an inbound interface, I want to apply a "go-nogo" ACL filter, and then use a service-policy to modify the traffic that made it through the initial ACL.

For example: I want the inbound ACL to only permit traffic from 1.1.1.0/24 and deny all else. Then, I want the service-policy (using class maps and policy maps) to manipulate/modify the traffic before it hits the routing process. So, in this example, the only traffic that would hit the class map ACLs would be sourced from 1.1.1.0/24 - as all other traffic would have been denied by the inbound ACL.

Is this correct?

Jeff

Correct Answer by Nicholas Matthews, Wed, 09/09/2009 - 20:31

Hi Jeff,

This link I think points you to your answer:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Specifically, the first check in each of these operations is the input ACL, and the last is 'Queueing'. The outbound ACL is before Queueing in this as well.

The document was created for NAT, but I believe that by taking the NAT steps out you will see what the order of operation is here.

In short - you should be fine, and will queue only allowed traffic.

Hope this clarifies.

-nick
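The setup discussed in this thread, written out as an IOS configuration. This is an added example, not configuration posted by either participant. The interface name, the ACL, class-map and policy-map names, and the choice of marking HTTP traffic are all assumptions made for illustration.

```cisco
! Constructed example: all names and the interface are hypothetical.
!
! 1) "Go/no-go" filter: only 1.1.1.0/24 may enter, everything else is dropped.
ip access-list extended INBOUND-GO-NOGO
 permit ip 1.1.1.0 0.0.0.255 any
 deny   ip any any log
!
! 2) Classification ACL for the service-policy. It matches on "any" source
!    on purpose, so its counters show whether denied traffic ever reaches it.
ip access-list extended MARK-WEB
 permit tcp any any eq 80
!
class-map match-all CM-WEB
 match access-group name MARK-WEB
!
policy-map PM-INBOUND-MARK
 class CM-WEB
  set dscp af21
 class class-default
  set dscp default
!
! 3) Both features applied inbound on the same interface.
interface GigabitEthernet0/1
 ip access-group INBOUND-GO-NOGO in
 service-policy input PM-INBOUND-MARK
!
! Verification from exec mode:
!   show ip access-lists INBOUND-GO-NOGO
!   show policy-map interface GigabitEthernet0/1 input
```

To confirm the ordering in a lab, send traffic from a source outside 1.1.1.0/24: with the order of operations described in the answer, the deny entry's hit count should rise while the packet counters under the policy-map stay unchanged.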
