Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

NME-IPS and 3825 access list to bypass inspection

We have just installed an NME-IPS into our 3825 head-end router which connects all of our remote sites.  We have an access list applied on the serial interface to block certain traffic coming from the remote sites.  With the installation of the NME-IPS, we now also want to exclude any voice traffic from being inspected.  I know this can be accomplished by adding an ACL to the ids-service-module monitoring command.  My question is can both access lists be applied at the same time on the same interface.  And if both can be applied, in what order to they process traffic - interface ACL then IPS ACL or vice-versa.  An example of what we would like to do is shown here:

interface Serial 1/0

description Interface connecting remote sites

ip access-group 102 in

ids-service-module monitoring promiscuous access-list 103

Thanks.

Chris

Everyone's tags (2)
1 REPLY
Cisco Employee

Re: NME-IPS and 3825 access list to bypass inspection

Yes, you are absolutely right. Interface ACL will be processed first, and it will either allow or drop the traffic. If traffic is being dropped by interface ACL, it will not even be passed through to the NME-IPS module, so ACL 103 becomes redundant if traffic is being dropped by interface ACL 102.

Hope that answers your question.

419
Views
0
Helpful
1
Replies
CreatePlease to create content