This section provides details about access control list application behavior, including ACL references, inbound and outbound packet checks, and undefined ACL handling on terminal lines and network interfaces.
Review how Cisco IOS XR software applies access control lists to terminal lines and network interfaces after you create an ACL.
Access control list application behavior depends on these conditions.
-
ACL creation and reference requirements.
-
Inbound and outbound packet processing.
-
Undefined ACL handling.
| If |
Then |
|---|---|
| You create an ACL. |
You must reference the ACL to make it work. You can apply an ACL to outbound or inbound interfaces. This behavior applies to terminal lines and network interfaces. |
| An inbound ACL receives a packet. |
Cisco IOS XR software checks the source address of the packet against the ACL. If the ACL permits the address, the software continues to process the packet. If the ACL rejects the address, the software discards the packet and returns an ICMP host unreachable message. The ICMP message is configurable. |
| An outbound ACL receives a packet that is routed to a controlled interface. |
Cisco IOS XR software checks the source address of the packet against the ACL. If the ACL permits the address, the software sends the packet. If the ACL rejects the address, the software discards the packet and returns an ICMP host unreachable message. |
| You apply an ACL that has not yet been defined to an interface. |
Cisco IOS XR software acts as if the ACL has not been applied to the interface and accepts all packets. Note this behavior if you use undefined ACLs as a means of security in your network. |