Looking for a sanity check. I was going to lab it up but decided to check here first.
On an inbound interface, I want to apply a "go-nogo" ACL filter, and then use a service-policy to modify the traffic that made it through the initial ACL.
For example: I want the inbound ACL to only permit traffic from 18.104.22.168/24 and deny all else. Then, I want the service-policy (using class maps and policy maps) to manipulate/modify the traffic before it hits the routing process. So, in this example, the only traffic that would hit the class map ACLs would be sourced from 22.214.171.124/24 - as all other traffic would have been denied by the inbound ACL.
Is this correct?
This link I think points you to your answer:
Specifically, the first check in each of these operations is the input ACL, and the last is 'Queueing'. The outbound ACL is before Queueing in this as well.
The document was created for NAT, but I believe that by taking the NAT steps out you will see what the order of operation is here.
In short - you should be fine, and will queue only allowed traffic.
Hope this clarifies.
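The setup described in the question, written out as a Cisco IOS configuration. This is an added example, not part of the original posts. The ACL, class-map and policy-map names, the interface, the TCP/443 match and the DSCP values are assumptions chosen for illustration. The /24 is taken from the first address in the question.

```cisco
! Added example: names, interface, port and DSCP values are assumptions.
!
! 1. "Go-nogo" filter: permit the one source /24, deny and log all else.
ip access-list standard GO-NOGO
 permit 18.104.22.0 0.0.0.255
 deny   any log
!
! 2. Classification ACL used by the class map (not a filter by itself).
ip access-list extended MARK-WEB
 permit tcp 18.104.22.0 0.0.0.255 any eq 443
!
class-map match-all CM-WEB
 match access-group name MARK-WEB
!
! 3. Policy that modifies the traffic (here: DSCP re-marking).
policy-map PM-INBOUND
 class CM-WEB
  set dscp af21
 class class-default
  set dscp default
!
! 4. Both features applied inbound on the same interface.
interface GigabitEthernet0/0
 ip access-group GO-NOGO in
 service-policy input PM-INBOUND
!
! Verification from exec mode:
!  show ip access-lists GO-NOGO
!  show policy-map interface GigabitEthernet0/0 input
```

To lab it, send traffic from a source outside the permitted /24 and compare the `deny` hit count on `GO-NOGO` with the packet counters under each class of `PM-INBOUND`.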