
Implementing an ACL and a Service-Policy on same interface

Looking for a sanity check. I was going to lab it up but decided to check here first.

On an inbound interface, I want to apply a "go-nogo" ACL filter, and then use a service-policy to modify the traffic that made it through the initial ACL.

For example: I want the inbound ACL to only permit traffic from 1.1.1.0/24 and deny all else. Then, I want the service-policy (using class maps and policy maps) to manipulate/modify the traffic before it hits the routing process. So, in this example, the only traffic that would hit the class map ACLs would be sourced from 1.1.1.0/24 - as all other traffic would have been denied by the inbound ACL.

Is this correct?

Jeff

1 ACCEPTED SOLUTION


Re: Implementing an ACL and a Service-Policy on same interface

Hi Jeff,

This link I think points you to your answer:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Specifically, the first check in each of these operations is the input ACL, and the last is 'Queueing'. The outbound ACL is before Queueing in this as well.

The document was created for NAT, but I believe that by taking the NAT steps out you will see what the order of operation is here.

In short - you should be fine, and will queue only allowed traffic.

Hope this clarifies.

-nick
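
As an added example (not part of the original posts or of the linked Cisco document): an IOS configuration sketch of the setup Jeff describes, with an inbound ACL and an input service-policy on the same interface, plus the show commands that let a lab confirm the order discussed above. The ACL, class-map and policy-map names, the interface, the TCP/443 match and the DSCP values are assumptions chosen for illustration.

```cisco
! Constructed example: all names, the interface and the DSCP values are hypothetical.
!
! 1. "Go/no-go" filter: only 1.1.1.0/24 may enter.
ip access-list standard INBOUND-FILTER
 permit 1.1.1.0 0.0.0.255
 ! Explicit deny in place of the implicit one so drops get a visible
 ! hit counter; "log" is a lab aid and adds CPU load under heavy drops.
 deny any log
!
! 2. Classification ACL used only by the class-map (not applied to the interface).
ip access-list extended CLASSIFY-WEB
 permit tcp 1.1.1.0 0.0.0.255 any eq 443
!
class-map match-all CM-WEB
 match access-group name CLASSIFY-WEB
!
! 3. Policy that modifies (re-marks) whatever reaches it.
policy-map PM-INBOUND-MARK
 class CM-WEB
  set dscp af21
 class class-default
  set dscp default
!
! 4. Both features on the same interface, same direction.
interface GigabitEthernet0/1
 ip access-group INBOUND-FILTER in
 service-policy input PM-INBOUND-MARK
!
! Lab check: send traffic from inside and outside 1.1.1.0/24, then compare
!   show ip access-lists INBOUND-FILTER
!   show policy-map interface GigabitEthernet0/1 input
! If the input ACL is evaluated first, the "deny any" counter rises for the
! outside source while the CM-WEB and class-default packet counters rise
! only for the 1.1.1.0/24 source.
```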

2 REPLIES

Re: Implementing an ACL and a Service-Policy on same interface

Nick -

Thanks for the sanity check. Will lab it up now.

Jeff
