How does this ACL work ?

jibbajabba Member Posts: 4,317
Would anyone be so kind as to explain how this ACL works? For example, in what order the ACLs are processed?
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101

The router is 192.168.20.1 (single VLAN on all Ethernet ports), it has a VPN to 192.168.10.0/24 and 192.168.30.0/24.

My understanding...

Rule 100 allows traffic to 192.168.10.0/24 (VPN), rule 101 allows traffic to the Internet (but denies traffic which is intended for the two remote VPN networks), then rule 102 allows traffic to 192.168.30.0/24.

What do the "route-map permit 1" and "match ip address 101" lines mean? Is ACL 1 not redundant given ACL 101?

Everything works, I'm just trying to understand what order things happen in.
My own knowledge base made public: http://open902.com :p

Comments

    EdTheLad Member Posts: 2,111
    Use the Cisco forums for Cisco questions!

    Route-map SDM_RMAP_1 permit 1:
    SDM_RMAP_1 is the name of the route-map
    permit 1 means this is the first line of the route-map; the 1 is a sequence number which allows you to modify the command position after the route-map is created.
    match ip address 101, means match access-list 101.

    I'm sure if you went to google "cisco route-map" you would have found this explanation.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
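The first-match order the question asks about, as an added example that is not from the thread: a small Python evaluator fed the ACL 1 and ACL 101 lines from the post. Names such as parse_acls and evaluate are this example's own; it assumes only the classic numbered ranges (1-99 standard, 100-199 extended) and the any, host and wildcard-mask address forms.

```python
import ipaddress

# Constructed input: the ACL lines copied from the question, remarks included
# to show that remarks never take part in matching.
ACL_CONFIG = """
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD' -> (network, wildcard)."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0xFFFFFFFF)
    if tokens[0] == "host":
        return tokens[2:], (int(ipaddress.IPv4Address(tokens[1])), 0)
    net, wc = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return tokens[2:], (net, wc)

def parse_acls(text):
    """Return {acl_number: [(action, src, dst), ...]} in configured order; remarks dropped."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] == "remark":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if number <= 99:                       # standard ACL: source only (assumed classic range)
            rest, src = _parse_addr(rest)
            dst = (0, 0xFFFFFFFF)
        else:                                  # extended ACL: protocol, source, destination
            rest, src = _parse_addr(rest[1:])  # rest[0] is the protocol keyword ("ip")
            rest, dst = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def _wc_match(addr, spec):
    net, wc = spec
    # A wildcard bit of 1 means "don't care"; only the remaining bits must agree.
    return (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)

def evaluate(entries, src_ip, dst_ip):
    """Top-down, first matching entry wins; no match means the implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for index, (action, src, dst) in enumerate(entries, start=1):
        if _wc_match(s, src) and _wc_match(d, dst):
            return action, index
    return "deny", None  # implicit deny: no line matched

ACLS = parse_acls(ACL_CONFIG)
```

Traffic from 192.168.20.0/24 to either VPN subnet stops at one of the two deny lines of ACL 101 before the permit ... any line is reached, so the route-map's match ip address 101 never selects it; a source outside 192.168.20.0/24 matches nothing and falls to the implicit deny.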