Inbound ACL Logic
When a router receives a packet, it starts comparing the information in the packet header with the entries in the ACL. If the packet header information matches an ACL entry (ACE), the rest of the entries in the ACL are skipped, and the packet is permitted or denied as configured in the matching entry. If the information in the packet header does not match an ACE, the packet is tested against the next ACE in the list. The matching process continues until the end of the list is reached.
When the matching process reaches the end of the list and no match has been found, an implied statement is applied to the packet. This statement is not shown in the output. This implicit deny matches every packet for which no match was found and results in a “deny” action, so instead of proceeding in or out of an interface, these remaining packets are discarded by the router. This statement is referred to as the “implicit deny any” statement. Because of this statement, an ACL should have at least one permit statement; otherwise, the ACL blocks all traffic. The figure below illustrates the inbound ACL logic process.
Outbound ACL Logic
The outbound ACL logic is a little different from the inbound ACL logic. The figure below illustrates the outbound ACL logic. The router receives the traffic and sends it to the routing table. The routing table processes the packet: if the packet is not routable, the router drops the packet; if the packet is routable, the router sends the packet for ACL matching. Next, the router checks whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet is sent directly to the outbound interface.
If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it has been matched against the ACEs in the ACL linked with that interface. Based on the ACL matching process, the packet is permitted or denied.
ACL Logic Operations
When a router receives a frame at one of its interfaces, the router checks whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists on the inbound interface, the packet is tested against the entries in the list.
If the packet matches an entry, the packet is either permitted or denied. If the packet is permitted by the ACEs, it is then checked against the routing table entries to decide the destination interface. If a routing table entry exists for the destination address, the packet is switched to the outgoing interface; otherwise, the packet is dropped.
When the routing table forwards a packet to the outgoing interface, the router checks whether the outgoing interface has an ACL linked to it. If an ACL exists, the packet is tested against the entries in the list. If the packet matches an entry in the list, it is either permitted or denied. If there is no ACL on the outbound interface or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
Standard ACL Decision Process
Standard ACLs examine only the source IP address of the packet; they do not check the destination of the packet, and the ports involved are not considered. Cisco IOS tests the address against the conditions in the ACL one by one. The first match decides whether the packet is accepted or rejected. Because Cisco IOS stops testing conditions after the first match is found, the order of the conditions is critical. If no conditions match, the address is rejected.
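The first-match rule and the implicit deny described above can be modelled in a few lines. The following Python sketch is an added example, not Cisco code: the sample ACLs, addresses and function names are constructed for illustration. It evaluates a source address against a standard ACL using wildcard masks and also reports ACEs that can never match because an earlier, broader ACE covers them.

```python
import ipaddress

# Constructed sample ACLs: (action, source address, wildcard mask).
# A wildcard bit of 1 means "ignore this bit", as in Cisco IOS standard ACLs.
SPECIFIC_FIRST = [
    ("deny", "192.168.10.10", "0.0.0.0"),
    ("permit", "192.168.10.0", "0.0.0.255"),
]
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))  # same ACEs, opposite order

MASK32 = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def ace_matches(source, addr, wildcard):
    care = ~to_int(wildcard) & MASK32  # bits that must be equal
    return (to_int(source) & care) == (to_int(addr) & care)

def evaluate(acl, source):
    """Return (action, index of the matching ACE); index None = implicit deny."""
    for index, (action, addr, wildcard) in enumerate(acl):
        if ace_matches(source, addr, wildcard):
            return action, index  # first match wins, later ACEs are skipped
    return "deny", None  # implicit "deny any" at the end of every ACL

def shadowed_aces(acl):
    """Indexes of ACEs that can never match because an earlier ACE covers them."""
    hidden = []
    for i, (_, addr, wildcard) in enumerate(acl):
        for _, prev_addr, prev_wild in acl[:i]:
            care = ~to_int(prev_wild) & MASK32
            same_net = ((to_int(addr) ^ to_int(prev_addr)) & care) == 0
            if (to_int(wildcard) & care) == 0 and same_net:
                hidden.append(i)
                break
    return hidden

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        for src in ("192.168.10.10", "192.168.10.20", "10.1.1.1"):
            print(name, src, evaluate(acl, src))
        print(name, "shadowed ACEs:", shadowed_aces(acl))
```

With the broad permit placed first, the host deny is never reached, which is the ordering mistake the shadow check is meant to surface before an ACL is applied to an interface.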
Extended ACL Decision Process
The extended ACL makes a decision using the source and destination addresses, protocol and port numbers. The ACL first filters traffic on the source address, then on the port and protocol of the source. It then filters traffic on the destination address, then on the port and protocol of the destination, and finally makes a permit or deny decision. The ACEs are processed one after the other, So no-decision