Using VACLs with Cisco IOS ACLs; Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Chapter 15
Configuring Access Control
Caution: With ACL-based unicast RPF, the packets that are denied by the ACL are sent to the CPU for RPF validation. In the event of DoS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this process could cause high CPU utilization.

Note: The drop-suppress statistics for the ACL-based RPF check are not supported.

Bridge-Groups

Cisco IOS bridge-group ACLs are handled in the software.

Using VACLs with Cisco IOS ACLs

To access control both the bridged and routed traffic, you can use VACLs only or a combination of Cisco IOS ACLs and VACLs. You can define Cisco IOS ACLs on both the input and output routed-VLAN interfaces, and you can define a VACL to access control the bridged traffic.

If a flow matches a VACL deny or redirect clause, the flow is denied or redirected irrespective of the Cisco IOS ACL configuration. The following caveats apply to Cisco IOS ACLs when they are used with VACLs:

- Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.
- NAT—VACLs are applied to packets before NAT translation. If the translated flow should not be access controlled, the flow might still be access controlled after the translation because of the VACL configuration.

Note: VACLs have an implicit deny at the end of the list; a packet is denied if it does not match any VACL ACE.

These sections describe the Cisco IOS ACL and VACL configuration guidelines and the guidelines for Layer 4 operations:

- Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines, page 15-17
- Layer 4 Operations Configuration Guidelines, page 15-23

Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines

This section describes the guidelines for configuring a Cisco IOS ACL and a VACL on the same VLAN. These guidelines do not apply to configurations where you map Cisco IOS ACLs and VACLs on different VLANs.

The Catalyst 6500 series switch hardware provides one lookup for the security ACLs in each direction (input and output), so a Cisco IOS ACL and a VACL that are configured on the same VLAN must be merged. Merging the Cisco IOS ACL with the VACL might significantly increase the number of ACEs. If you must configure a Cisco IOS ACL and a VACL on the same VLAN, use the following guidelines for both the Cisco IOS ACL and the VACL configurations.
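The following is an added illustration, not text or code from the Cisco manual: a small Python model of how a VACL and a Cisco IOS ACL on the same VLAN interact, written to make the caveats above concrete. The evaluation order (VACL first, then the IOS input ACL, then NAT, then the IOS output ACL), the ACE representation and the sample addresses are constructed for this example and simplify the switch's single merged hardware lookup; they are not the actual forwarding pipeline.

```python
# Added example (not from the Cisco manual): a simplified model of VACL and
# Cisco IOS ACL interaction on one VLAN. Order of operations, ACE fields and
# all addresses below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Ace:
    action: str                  # "permit", "deny" or (VACL only) "redirect"
    src: str = "0.0.0.0/0"       # source prefix
    dst: str = "0.0.0.0/0"       # destination prefix
    log: bool = False            # "log" keyword; only meaningful on IOS ACEs

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def first_match(aces, src_ip, dst_ip):
    """Return the first ACE that matches, or None (the implicit deny)."""
    for ace in aces:
        if ace.matches(src_ip, dst_ip):
            return ace
    return None


@dataclass
class Result:
    verdict: str                 # "permit", "deny" or "redirect"
    logged: bool = False         # did an IOS "log" ACE actually fire?
    trace: list = field(default_factory=list)


def forward(packet, vacl, ios_in, ios_out, nat=None):
    """packet: (src, dst) strings. vacl/ios_in/ios_out: lists of Ace.
    nat: optional {pre_nat_src: post_nat_src}, applied after the VACL and
    the IOS input ACL and before the IOS output ACL (a modelling assumption)."""
    src, dst = packet
    r = Result("permit")
    # 1. VACL on the VLAN: implicit deny at the end of the list, and a deny or
    #    redirect clause wins irrespective of the IOS ACL configuration.
    hit = first_match(vacl, src, dst)
    if hit is None or hit.action in ("deny", "redirect"):
        r.verdict = "deny" if hit is None else hit.action
        r.trace.append("vacl:" + ("implicit-deny" if hit is None else hit.action))
        return r                 # outbound ACL logging never runs for this packet
    r.trace.append("vacl:permit")
    # 2. IOS input ACL on the routed VLAN interface (also ends in implicit deny).
    hit = first_match(ios_in, src, dst)
    if hit is None or hit.action == "deny":
        r.verdict, r.logged = "deny", bool(hit and hit.log)
        r.trace.append("ios-in:deny")
        return r
    r.trace.append("ios-in:permit")
    # 3. NAT: the VACL already evaluated the pre-NAT source address.
    if nat and src in nat:
        src = nat[src]
        r.trace.append("nat:" + src)
    # 4. IOS output ACL; a "log" ACE is counted as logged only if it is reached.
    hit = first_match(ios_out, src, dst)
    if hit is None or hit.action == "deny":
        r.verdict = "deny"
    r.logged = bool(hit and hit.log)
    r.trace.append("ios-out:" + r.verdict)
    return r


# Constructed sample policy (not from the manual).
VACL = [Ace("deny", src="10.1.1.0/24"), Ace("permit", src="10.0.0.0/8")]
IOS_IN = [Ace("permit")]
IOS_OUT = [Ace("deny", src="10.1.1.0/24", log=True), Ace("permit")]
NAT = {"10.1.1.7": "203.0.113.7"}       # constructed static translation


def demo():
    """Return the results for a few constructed packets."""
    return {
        "vacl_deny_suppresses_log": forward(("10.1.1.5", "192.0.2.1"), VACL, IOS_IN, IOS_OUT),
        "same_packet_no_vacl_deny": forward(("10.1.1.5", "192.0.2.1"), [Ace("permit")], IOS_IN, IOS_OUT),
        "permitted_end_to_end": forward(("10.2.2.5", "192.0.2.1"), VACL, IOS_IN, IOS_OUT),
        "vacl_implicit_deny": forward(("172.16.0.5", "192.0.2.1"), VACL, IOS_IN, IOS_OUT),
        "nat_seen_after_vacl": forward(("10.1.1.7", "192.0.2.1"), VACL, IOS_IN, IOS_OUT, nat=NAT),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:28} {res.verdict:8} logged={res.logged} {' > '.join(res.trace)}")
```

Two of the constructed cases map directly onto the caveats: the packet from 10.1.1.5 hits a logging deny on the output ACL only when the VACL lets it through, so with the VACL deny in place nothing is logged; and the host translated to 203.0.113.7 is still dropped because the VACL matched its pre-NAT address 10.1.1.7 before translation took place.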
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), page 15-17
