Asr 5500 System Administration Guide, Staros Release 21.5 - Cisco ASR 5500 System Administration Manual

Access Control Lists
If ACLs are applied at multiple levels within a single context (such as an ACL is applied to an interface within
the context and another ACL is applied to the entire context), they will be processed as shown in the following
figure and table.
Figure 2: ACL Processing Order
Table 12: ACL Processing Order Descriptions
Packet coming from the mobile node to the packet data network (left to right)
Order
1
2
3
4
Packet coming from the packet data network to the mobile node (right to left)
Order
1
2
3
4
Description
An inbound ACL configured for the receiving interface in the Source Context is applied to
the tunneled data (such as the outer IP header). The packet is then forwarded to the Destination
Context.
An inbound ACL configured for the subscriber (either the specific subscriber or for any
subscriber facilitated by the context) is applied.
A context ACL (policy ACL) configured in the Destination Context is applied prior to
forwarding.
An outbound ACL configured on the interface in the Destination Context through which the
packet is being forwarded, is applied.
Description
An inbound ACL configured for the receiving interface configured in the Destination Context
is applied.
An outbound ACL configured for the subscriber (either the specific subscriber or for any
subscriber facilitated by the context) is applied. The packet is then forwarded to the Source
Context.
A context ACL (policy ACL) configured in the Source Context is applied prior to forwarding.
An outbound ACL configured on the interface in the Source Context through which the
packet is being forwarded, is applied to the tunneled data (such as the outer IP header).

ASR 5500 System Administration Guide, StarOS Release 21.5

Applying IP ACLs
189