NME-IPS and 3825 access list to bypass inspection

Unanswered Question
May 4th, 2010

We have just installed an NME-IPS into our 3825 head-end router which connects all of our remote sites.  We have an access list applied on the serial interface to block certain traffic coming from the remote sites.  With the installation of the NME-IPS, we now also want to exclude any voice traffic from being inspected.  I know this can be accomplished by adding an ACL to the ids-service-module monitoring command.  My question is: can both access lists be applied at the same time on the same interface?  And if both can be applied, in what order do they process traffic - interface ACL then IPS ACL, or vice versa?  An example of what we would like to do is shown here:

interface Serial 1/0
 description Interface connecting remote sites
 ip access-group 102 in
 ids-service-module monitoring promiscuous access-list 103



Jennifer Halim Wed, 05/05/2010 - 23:16

Yes, you are absolutely right. Interface ACL will be processed first, and it will either allow or drop the traffic. If traffic is being dropped by interface ACL, it will not even be passed through to the NME-IPS module, so ACL 103 becomes redundant if traffic is being dropped by interface ACL 102.

Hope that answers your question.

