Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 315

Catalyst 6000 series software configuration guide

Chapter 16
Configuring Access Control
******** IOS ACL ***********
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE **********
has 142 entries
Example 5
This example shows that when the VACL has two different actions specified, the merge results are
significantly improved:
******** VACL ***********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 permit ip any any
******** IOS ACL ***********
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE **********
has 4 entries
Example 6
This example shows that applying the merging guidelines to a large Cisco IOS ACL (no Layer 4 port
information is specified on the Cisco IOS ACL) produces a merge result of 801 entries:
******** VACL **********
1 redirect 4/25 tcp host 192.168.1.67 255.255.255.255 0.0.0.0
2 redirect 4/25 udp host 192.168.1.67 255.255.255.255 0.0.0.0
3 redirect 4/25 icmp host 192.168.1.67 host 255.255.255.255
4 redirect 4/25 ip host 192.168.1.67 host 255.255.255.255
5 deny tcp any any lt 30
6 deny udp any any lt 30
7 permit ip any any
******** IOS ACL ***********
1 permit ip 147.150.213.64 0.0.0.31 194.72.6.64 0.0.0.15
2 permit ip 147.150.213.64 0.0.0.31 194.72.6.160 0.0.0.15
3 permit ip 147.150.213.64 0.0.0.31 host 194.72.6.205
4 permit ip 147.151.77.0 0.0.0.255 194.72.6.64 0.0.0.15
5 permit ip 147.151.77.0 0.0.0.255 194.72.6.160 0.0.0.15
6 permit ip 147.151.77.0 0.0.0.255 194.72.6.208 0.0.0.15
7 permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205
8 permit ip host 193.37.169.121 194.72.6.64 0.0.0.15
[...] total 62 entries without L4 information
******** MERGE **********
has 801 ACEs
Example 7
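This example shows that the same Cisco IOS ACL that was used in Example 6 is merged with a VACL
with Layer 4 port information. Following the guidelines in the "Using the Implicit Deny Action" section
on page 16-16, the merge results are good.
******** VACL *********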
1 permit tcp host 193.131.248.24 194.73.73.0 0.0.0.15 gt 1023
2 permit tcp host 158.43.128.8 194.72.6.224 0.0.0.7 gt 1023
3 permit udp any 194.72.6.224 0.0.0.7 eq time
4 permit udp any 194.73.73.0 0.0.0.15 eq time
5 permit udp 194.72.7.128 0.0.0.7 194.72.6.224 0.0.0.7 eq 1645
6 permit udp 194.72.7.128 0.0.0.7 194.73.73.0 0.0.0.15 eq 1645
7 permit udp host 158.152.1.65 194.72.6.224 0.0.0.7 gt 1023
8 permit udp host 158.152.1.65 194.73.73.0 0.0.0.15 gt 1023
[...] total 168 entries
78-13315-02
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
Using VACLs with Cisco IOS ACLs
