Guidelines For Using Router Acls And Vlan Maps; Examples Of Router Acls And Vlan Maps Applied To Vlans - Cisco 4500M Software Manual

Using VLAN Maps with Router ACLs

Guidelines for Using Router ACLs and VLAN Maps

Use these guidelines when you need to use a router ACL and a VLAN map on the same VLAN.

Because the switch hardware performs one lookup for each direction (input and output), you must merge a router ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL with the VLAN map can significantly increase the number of ACEs.

When possible, try to write the ACL so that all entries have a single action except for the final, default action. You should write the ACL using one of these two forms:

    permit...
    permit...
    permit...
    deny ip any any

or

    deny...
    deny...
    deny...
    permit ip any any

To define multiple permit or deny actions in an ACL, group each action type together to reduce the number of entries.

If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. Doing this gives priority to the filtering of traffic based on IP addresses.

Examples of Router ACLs and VLAN Maps Applied to VLANs

These examples show how router ACLs and VLAN maps are applied on a VLAN to control the access of switched, bridged, routed, and multicast packets. Although the following illustrations show packets being forwarded to their destination, each time a packet crosses a line indicating a VLAN map or an ACL, the packet could be dropped rather than forwarded.

ACLs and Switched Packets

Figure 35-5 shows how an ACL processes packets that are switched within a VLAN. Packets switched within the VLAN are not processed by router ACLs.

Chapter 35 Configuring Network Security with ACLs
Software Configuration Guide—Release 12.2(25)EW, OL-6696-01, page 35-20
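The guidelines above (single action except the final default, permit and deny entries grouped, Layer 4 ACEs after the plain IP ACEs) are easy to state and easy to lose track of once an ACL grows. As an added example that is not part of the Cisco guide, the following Python linter (constructed here, not a Cisco tool) parses IOS-style extended ACEs and reports whether an ACL is in one of the two recommended forms, how many permit/deny groups it contains, and whether every plain IP ACE sits ahead of the Layer 4 ACEs. The ACL names and addresses in GOOD_ACL and BAD_ACL are constructed sample input.

```python
"""Lint an IOS-style extended ACL against the router-ACL/VLAN-map merge
guidelines: single action except the final default, permit/deny grouped,
Layer 4 ACEs after the plain IP ACEs.  Constructed example, not Cisco code."""
from dataclasses import dataclass

PORT_OPS = {"eq", "gt", "lt", "neq"}  # one operand; "range" takes two


@dataclass
class Ace:
    action: str
    protocol: str
    src: str
    dst: str
    l4: tuple  # port/flag/ICMP-type tokens; empty for a plain IP ACE


def _take_addr(tokens, i):
    """Consume one address spec (any | host A | A wildcard); return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port_op(tokens, i):
    """Consume an optional source-port operator that precedes the destination."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return tuple(tokens[i:i + 2]), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return tuple(tokens[i:i + 3]), i + 3
    return (), i


def parse_ace(line):
    """Parse '[seq] permit|deny proto src [op port] dst [layer-4 tokens]'."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():  # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tokens[0], tokens[1]
    src, i = _take_addr(tokens, 2)
    src_ports, i = _take_port_op(tokens, i)
    dst, i = _take_addr(tokens, i)
    return Ace(action, proto, src, dst, src_ports + tuple(tokens[i:]))


def parse_acl(text):
    """Parse the ACE lines of a named ACL; skip the header, remarks and comments."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip", "remark"):
            continue
        if tokens[0].isdigit() and tokens[1:2] == ["remark"]:
            continue
        aces.append(parse_ace(raw))
    return aces


def is_catch_all(ace):
    """The default entry of either recommended form: 'ip any any', no Layer 4 match."""
    return ace.protocol == "ip" and ace.src == "any" and ace.dst == "any" and not ace.l4


def is_single_action_form(aces):
    """All ACEs but the last share one action and the last is the opposite
    action on 'ip any any': the two forms the guide recommends."""
    if len(aces) < 2:
        return False
    body, last = aces[:-1], aces[-1]
    action = body[0].action
    return all(a.action == action for a in body) and last.action != action and is_catch_all(last)


def count_action_groups(aces):
    """Runs of consecutive same-action ACEs; 2 is the ideal (one action plus the default)."""
    groups, prev = 0, None
    for a in aces:
        if a.action != prev:
            groups, prev = groups + 1, a.action
    return groups


def l4_aces_at_end(aces):
    """True when no plain IP ACE follows a Layer 4 ACE (the final catch-all is exempt)."""
    body = aces[:-1] if aces and is_catch_all(aces[-1]) else aces
    seen_l4 = False
    for a in body:
        if a.l4:
            seen_l4 = True
        elif seen_l4:
            return False
    return True


def lint(text):
    """Run the three guideline checks over one ACL."""
    aces = parse_acl(text)
    return {"single_action_form": is_single_action_form(aces),
            "action_groups": count_action_groups(aces),
            "l4_at_end": l4_aces_at_end(aces)}


# Constructed sample ACLs (not from the guide): one follows the guidelines,
# the other interleaves actions and puts a plain IP ACE after Layer 4 ACEs.
GOOD_ACL = """\
ip access-list extended VLAN10-IN
 remark constructed sample
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip host 10.10.1.5 any
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 permit udp any host 10.10.1.53 eq 53
 deny ip any any
"""
BAD_ACL = """\
ip access-list extended VLAN10-IN-BAD
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 deny udp any any eq 69
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 deny tcp any any eq 23
 permit ip host 10.10.1.5 any
 deny ip any any
"""

if __name__ == "__main__":
    for name, acl in (("GOOD", GOOD_ACL), ("BAD", BAD_ACL)):
        print(name, lint(acl))
```

The linter only reports; it deliberately does not reorder entries, because moving an ACE past another one whose match overlaps it changes which packets are permitted or denied, so regrouping is a change the operator should make and review by hand. Run it over the output of `show running-config | section ip access-list` before binding an ACL to a VLAN that already carries a VLAN map, since that is the point at which the hardware merge described above multiplies the entry count.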
