Understanding ACL Processing
This section helps you to understand ACL processing by explaining inbound and outbound ACLs, packet flow
rules, and guidelines for implementing ACLs.
Inbound ACL
Examine the pseudocode that follows to understand packet processing. When an inbound ACL is applied on an
interface, the router checks the received packet against the ACL's statements for a match.
if {a match is found} then
    if {the action is to permit} then
        {router continues to process the packet}
    else {the action is to deny} then
        {router discards the packet, sending an ICMP Unreachable message to the
        source address in the packet - assuming this is not disabled}
    endif
else {a match is not found} then
    {with the default 'implicit deny' statement—the router discards the packet,
    sending an ICMP Unreachable message}
endif
Outbound ACL
Examine the pseudocode that follows to understand packet processing. When an outbound ACL is applied on an
interface, the router first performs a route lookup for the destination address in the routing table to determine
the exit (egress) interface.
if {valid path found in routing table} then
    if {a match is found} then
        if {the action is to permit} then
            {router continues to process the packet}
        else {the action is to deny} then
            {router discards the packet, sending an ICMP Unreachable message to the
            source address in the packet - assuming this is not disabled}
        endif
    else {a match is not found} then
        {with the default 'implicit deny' statement—the router discards the packet,
        sending an ICMP Unreachable message}
    endif
else {valid path not found in routing table, the router drops the packet}
endif
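
The two flows above can be checked against sample packets with a small model. This is an added example, not code from the original text or from any router implementation. Assumptions: statements match on source address only and use CIDR prefixes, and the ACL entries, routes, interface names and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the original text). Each statement is
# (action, source prefix); matching on source only is a simplification.
ACL = [("deny", "10.1.1.0/24"), ("permit", "10.1.0.0/16")]
ROUTES = {"192.168.50.0/24": "Gi0/1", "192.168.0.0/16": "Gi0/2"}

def evaluate_acl(acl, src):
    """Top-down, first match wins; no match hits the implicit deny."""
    addr = ipaddress.ip_address(src)
    for number, (action, prefix) in enumerate(acl, start=1):
        if addr in ipaddress.ip_network(prefix):
            return action, f"statement {number}"
    return "deny", "implicit deny"

def route_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return routes[str(max(matches, key=lambda n: n.prefixlen))]

def _verdict(acl, src, icmp_unreachables):
    action, reason = evaluate_acl(acl, src)
    if action == "permit":
        return ("forward", reason, False)
    # Denied (explicitly or implicitly): discard, and notify the source
    # unless ICMP unreachables are disabled.
    return ("discard", reason, icmp_unreachables)

def inbound(acl, src, icmp_unreachables=True):
    """Inbound: the ACL is checked as soon as the packet is received."""
    return _verdict(acl, src, icmp_unreachables)

def outbound(acl_by_iface, routes, src, dst, icmp_unreachables=True):
    """Outbound: route lookup first, then the egress interface's ACL."""
    egress = route_lookup(routes, dst)
    if egress is None:
        # ICMP behaviour for this case is not described in the text,
        # so it is reported as None (not modelled).
        return ("drop", "no route", None)
    if egress not in acl_by_iface:
        return ("forward", f"no ACL on {egress}", False)
    return _verdict(acl_by_iface[egress], src, icmp_unreachables)
```

Each function returns (verdict, reason, ICMP Unreachable sent). Note that 10.1.1.5 is discarded by statement 1 even though statement 2 would permit it, which is why statement order matters when writing an ACL.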