System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases

PDF

System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases

Access control list application behavior

Want to summarize with AI?

Log in

This section provides details about access control list application behavior, including ACL references, inbound and outbound packet checks, and undefined ACL handling on terminal lines and network interfaces.


Review how Cisco IOS XR software applies access control lists to terminal lines and network interfaces after you create an ACL.

Access control list application behavior depends on these conditions.

  • ACL creation and reference requirements.

  • Inbound and outbound packet processing.

  • Undefined ACL handling.

Table 1. ACL application behavior

If

Then

You create an ACL.

You must reference the ACL to make it work. You can apply an ACL to outbound or inbound interfaces. This behavior applies to terminal lines and network interfaces.

An inbound ACL receives a packet.

Cisco IOS XR software checks the source address of the packet against the ACL. If the ACL permits the address, the software continues to process the packet. If the ACL rejects the address, the software discards the packet and returns an ICMP host unreachable message. The ICMP message is configurable.

An outbound ACL receives a packet that is routed to a controlled interface.

Cisco IOS XR software checks the source address of the packet against the ACL. If the ACL permits the address, the software sends the packet. If the ACL rejects the address, the software discards the packet and returns an ICMP host unreachable message.

You apply an ACL that has not yet been defined to an interface.

Cisco IOS XR software acts as if the ACL has not been applied to the interface and accepts all packets. Note this behavior if you use undefined ACLs as a means of security in your network.