Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 313
Catalyst 6000 series software configuration guide

Chapter 16
Configuring Access Control
To specify a redirect and deny ACL, do not use any permit ACEs. To specify a redirect and permit ACL,
use permit ACEs, redirect ACEs, and for the last ACE, specify permit ip any any. If you specify permit
ip any any, you override the implicit deny ip any any at the end of the list (see the "Using the Implicit
Deny Action" section on page 16-16, and Example 4, page 16-18).
Avoiding Layer 4 Port Information
Avoid including Layer 4 information in an ACL; adding this information will complicate the merging
process. You will obtain the best merge results if the ACLs are filtered based on IP addresses (source
and destination) and not on the full flow (source IP address, destination IP address, protocol, and
protocol ports).
If you need to specify the full flow, see the recommendations in the "Grouping Actions Together"
section on page 16-16, and Example 6, page 16-19.
If you cannot follow the recommendations because the ACL has both IP and TCP/UDP/ICMP ACEs with
Layer 4 information, put the Layer 4 ACEs at the end of the list to prioritize the traffic filtering based on
IP addresses.
Estimating Merge Results
If you follow the ACL guidelines when configuring ACLs, you can get a rough estimate of the merge
results for ACLs.
The following example uses ACL A, ACL B, and ACL C. If ACL C is the result of merging ACL A and
ACL B, and you know the size of ACL A and ACL B, you can estimate the upper limit of the size of
ACL C when no Layer 4 port information has been specified on ACL A and ACL B, as follows:
size of ACL C = (size of ACL A) x (size of ACL B) x (2)
If Layer 4 port information was specified, the upper limit could be higher.
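The bound above and the Layer 4 caveat in the "Avoiding Layer 4 Port Information" section can be seen in a simplified model of the merge. The following Python is an added illustration, not Cisco code and not the algorithm the Catalyst hardware runs: it intersects every ACE of ACL A with every ACE of ACL B in (A, B) order, which preserves first-match semantics and yields at most (size of ACL A) x (size of ACL B) ACEs (the model does not reproduce the page's extra factor of 2), and then expands each resulting destination port range into the value/mask pairs a TCAM can store, which is where ACEs such as gt 1023 multiply. The sample ACLs, the deny-wins rule for combining actions, the destination-port-only parser and the port name table are all assumptions made for this example.

```python
"""Simplified model of merging a VACL and a Cisco IOS ACL applied to the same VLAN.
Added illustration; not Cisco code and not the hardware merge algorithm."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL = 0xFFFFFFFF
# Port names used in the page's example ACL (assumed standard values).
PORTS = {"bootps": 67, "syslog": 514, "tacacs": 49, "tftp": 69,
         "domain": 53, "ftp": 21, "ftp-data": 20}


def ip2int(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class Net:
    addr: int
    wild: int  # Cisco wildcard: bit set = don't care (non-contiguous masks allowed)

    def intersect(self, other: "Net") -> Optional["Net"]:
        fixed = ~(self.wild | other.wild) & FULL  # bits both ACEs care about
        if (self.addr & fixed) != (other.addr & fixed):
            return None  # disagreement on a fixed bit: no address matches both
        addr = (self.addr & ~self.wild) | (other.addr & ~other.wild)
        return Net(addr & FULL, self.wild & other.wild)


@dataclass(frozen=True)
class Ace:
    action: str             # permit / deny / redirect
    proto: str              # ip / tcp / udp
    src: Net
    dst: Net
    dport: Tuple[int, int]  # inclusive destination port range; (0, 65535) = any


def _net(tok: List[str], i: int) -> Tuple[Net, int]:
    if tok[i] == "any":
        return Net(0, FULL), i + 1
    if tok[i] == "host":
        return Net(ip2int(tok[i + 1]), 0), i + 2
    return Net(ip2int(tok[i]), ip2int(tok[i + 1])), i + 2


def _port(tok: List[str], i: int) -> Tuple[int, int]:
    if i >= len(tok):
        return (0, 65535)
    op, val = tok[i], tok[i + 1]
    n = PORTS[val] if val in PORTS else int(val)
    return {"eq": (n, n), "gt": (n + 1, 65535), "lt": (0, n - 1)}[op]


def parse_ace(line: str) -> Ace:
    """Parse 'permit udp host A B wildcard eq tftp' style ACEs (destination port operators only)."""
    tok = line.split()
    src, i = _net(tok, 2)
    dst, i = _net(tok, i)
    return Ace(tok[0], tok[1], src, dst, _port(tok, i))


def merge_aces(a: Ace, b: Ace) -> Optional[Ace]:
    """Intersection of two ACEs, or None when no packet can match both."""
    if "ip" not in (a.proto, b.proto) and a.proto != b.proto:
        return None
    proto = b.proto if a.proto == "ip" else a.proto
    src, dst = a.src.intersect(b.src), a.dst.intersect(b.dst)
    lo, hi = max(a.dport[0], b.dport[0]), min(a.dport[1], b.dport[1])
    if src is None or dst is None or lo > hi:
        return None
    # Assumed combination rule: a deny on either list wins, then redirect, then permit.
    if "deny" in (a.action, b.action):
        action = "deny"
    elif "redirect" in (a.action, b.action):
        action = "redirect"
    else:
        action = "permit"
    return Ace(action, proto, src, dst, (lo, hi))


def merge(acl_a: List[Ace], acl_b: List[Ace]) -> List[Ace]:
    """Cross-product merge in (A, B) order; at most len(acl_a) * len(acl_b) ACEs result."""
    out = []
    for a in acl_a:
        for b in acl_b:
            m = merge_aces(a, b)
            if m is not None:
                out.append(m)
    return out


def range_to_masks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Expand an inclusive port range into (value, mask) pairs a TCAM can hold."""
    out = []
    while lo <= hi:
        size = 1  # largest power-of-two block aligned at lo that stays within hi
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out


def tcam_entries(acl: List[Ace]) -> int:
    """Hardware entries needed: one entry per mask that each ACE's port range expands to."""
    return sum(len(range_to_masks(*ace.dport)) for ace in acl)


# Constructed sample ACLs (not the page's example). ACL B's final deny ip any any
# stands in for the implicit deny at the end of every list.
VACL = [parse_ace(l) for l in (
    "permit udp host 194.72.72.33 194.72.6.160 0.0.0.15",
    "permit tcp any host 194.72.6.51 gt 1023",
    "permit ip any host 194.72.6.52",
)]
IOS_ACL = [parse_ace(l) for l in (
    "permit ip 194.72.0.0 0.0.255.255 194.72.6.0 0.0.0.255",
    "permit tcp any host 194.72.6.51 lt 2048",
    "deny ip any any",
)]

if __name__ == "__main__":
    merged = merge(VACL, IOS_ACL)
    print(len(merged), "merged ACEs, page bound", 2 * len(VACL) * len(IOS_ACL))
    print(tcam_entries(merged), "hardware entries after port-range expansion")
```

Run stand-alone it reports 7 merged ACEs against a bound of 18, but 17 hardware entries once the gt 1023 ranges are expanded; with plain IP ACEs every merged ACE costs exactly one entry, which is the reason the guidelines keep Layer 4 information out of the lists or push it to the end.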
Examples
These examples show the merge results for various Cisco IOS ACL and VACL configurations. Note that
in these examples, one VACL and one Cisco IOS ACL are configured on the same VLAN.
Example 1
This example shows that the VACL does not follow the recommended guidelines (see line 9) and the
resultant merge increases the number of ACEs:
******** VACL ***********
1  permit udp host 194.72.72.33 194.72.6.160 0.0.0.15
2  permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps
3  permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog
4  permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs
5  permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp
6  permit udp host 193.6.65.17 host 194.72.6.205 gt 1023
7  permit tcp any host 194.72.6.52
8  permit tcp any host 194.72.6.52 eq 113
9  deny tcp any host 194.72.6.51 eq ftp
10 permit tcp any host 194.72.6.51 eq ftp-data
11 permit tcp any host 194.72.6.51
12 permit tcp any eq domain host 194.72.6.51
13 permit tcp any host 194.72.6.51 gt 1023
14 permit ip any host 1.1.1.1

Using VACLs with Cisco IOS ACLs
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
16-17