Inbound and Outbound ACL Logic
Inbound ACL Logic
When a router receives a packet, it compares the information in the packet header with the ACL, one access control entry (ACE) at a time. If the packet header matches an ACE, the remaining entries in the ACL are skipped, and the packet is permitted or denied as configured by the matching entry. If the packet header does not match an ACE, the packet is tested against the next ACE in the list. The matching process continues until a match is found or the end of the list is reached.
When the matching process reaches the end of the list without finding a match, an implied final statement is applied to the packet. This statement is not shown in the ACL output. This implicit deny matches every packet for which no match was found and results in a "deny" action, so instead of proceeding in or out of an interface, all of these remaining packets are discarded by the router. This statement is referred to as the "implicit deny any" statement. Because of it, an ACL must contain at least one permit statement; otherwise, the ACL blocks all traffic. The figure below illustrates the inbound ACL logic process.
Outbound ACL Logic
The outbound ACL logic is a little different from the inbound ACL logic. The figure below illustrates the outbound ACL logic. The router receives the traffic and looks the destination up in the routing table. If the packet is not routable, the router drops it; if the packet is routable, the router passes it on for ACL matching. Next, the router checks whether the outbound interface has an ACL applied. If the outbound interface has no ACL applied, the packet is sent directly to the outbound interface.
If the outbound interface has an outbound ACL applied, the packet is not sent to the outbound interface until it has been matched against the ACEs in the ACL linked to that interface. Based on the result of the ACL matching process, the packet is permitted or denied.
ACL Logic Operations
When a router receives a frame at the router interface, it checks the destination Layer 2 address to see if it matches its interface Layer 2 address or whether the frame is a broadcast frame. If the frame address is accepted, the frame information is stripped off, and the router checks for an ACL on the inbound interface. If an ACL exists on the inbound interface, the packet is tested against the entries in the list.
If the packet matches an entry, it is either permitted or denied. If the packet is permitted by an ACE, it is then checked against the routing table entries to determine the destination interface. If a routing table entry exists for the destination address, the packet is switched to the outgoing interface; otherwise, it is dropped.
When the routing table forwards a packet to the outgoing interface, the router checks whether the outgoing interface has an ACL applied. If an ACL exists, the packet is tested against the entries in the list. If the packet matches an entry in the list, it is either permitted or denied. If there is no ACL on the outbound interface, or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
Standard ACL Decision Process
Standard ACLs examine only the packet's source IP address; they do not check the packet's destination or consider the ports involved. Cisco IOS tests the address against the conditions in the ACL one by one. The first match decides whether the packet is accepted or rejected. Because Cisco IOS stops testing conditions after the first match is found, the order of the conditions is critical. If no condition matches, the address is rejected by the implicit deny.
Extended ACL Decision Process
The extended ACL decides using the source and destination addresses, protocol, and port numbers. The ACL first filters traffic on the source address, then on the source protocol and port. It then filters traffic on the destination address, then on the destination protocol and port, and finally makes a permit or deny decision. The ACEs are processed one after the other, so no-decision
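The first-match logic, the implicit "deny any", and the difference between standard (source-only) and extended (source, destination, protocol, port) matching described in the sections above can be exercised with a small simulator. This is an added example, not code from the original page or from Cisco IOS; it writes prefixes in CIDR notation rather than IOS wildcard masks, and the ACLs and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    """One access control entry. Prefixes are CIDR here instead of Cisco
    wildcard masks (a simplification for the simulator, not IOS syntax)."""
    action: str                   # "permit" or "deny"
    src: str                      # source prefix, e.g. "10.1.1.0/24"
    dst: str = "0.0.0.0/0"        # standard ACLs never look at the destination
    proto: str = "ip"             # "ip" matches any protocol
    dport: Optional[int] = None   # None matches any destination port

def evaluate(acl, pkt):
    """Test pkt against the ACEs top to bottom and return (action, index).
    The first matching ACE wins and the rest are skipped; index -1 means no
    ACE matched and the implicit 'deny any' at the end of the list applied."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for i, ace in enumerate(acl):
        if src not in ipaddress.ip_network(ace.src):
            continue
        if dst not in ipaddress.ip_network(ace.dst):
            continue
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action, i
    return "deny", -1

# Constructed standard ACL: source addresses only. The host deny must precede
# the subnet permit; in REVERSED_ACL the permit matches first and wins.
STANDARD_ACL = [ACE("deny", "10.1.1.50/32"), ACE("permit", "10.1.1.0/24")]
REVERSED_ACL = list(reversed(STANDARD_ACL))

# Constructed extended ACL: source, destination, protocol and port all matter.
EXTENDED_ACL = [
    ACE("permit", "10.1.1.0/24", "192.168.5.10/32", "tcp", 443),
    ACE("deny",   "10.1.1.0/24", "192.168.5.0/24",  "tcp", 23),
    ACE("permit", "10.1.1.0/24", "192.168.5.0/24",  "ip"),
]

def packet(src, dst, proto="ip", dport=None):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, packet("10.1.1.50", "192.168.5.10")))  # ('deny', 0)
    print(evaluate(REVERSED_ACL, packet("10.1.1.50", "192.168.5.10")))  # ('permit', 0)
```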