Configuring VACLs; VACL Configuration Guidelines - Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual

Catalyst 6000 series software configuration guide

Chapter 16: Configuring Access Control
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 (78-13315-02), page 16-28

Configuring VACLs

This section describes how to configure VACLs. Prior to performing any configuration tasks, see the "VACL Configuration Guidelines" section on page 16-28.

These sections provide guidelines and a summary for configuring VACLs:
- VACL Configuration Guidelines, page 16-28
- VACL Configuration Summary, page 16-29

VACL Configuration Guidelines

Follow these guidelines when configuring VACLs:

Caution: All changes to ACLs are stored temporarily in an edit buffer. You must enter the commit command to commit all ACEs to NVRAM. Committed ACLs with no ACEs are deleted. We recommend that you enter ACEs in batches and enter the commit command to save all of them to NVRAM.

Note: You can configure Cisco IOS ACLs and VACLs from Flash memory instead of NVRAM. See the "Configuring and Storing VACLs and QoS ACLs in Flash Memory" section on page 16-42 for detailed information.

- See the "Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface" section on page 16-16.
- See the "Using VACLs in your Network" section on page 16-22 for configuration examples.
- See the "Unsupported Features" section on page 16-27.
- Note that a VACL has to be committed before you can map it to a VLAN. There are no default VACLs and no default VACL-to-VLAN mappings.
- Note that if there is no Cisco IOS ACL configured to deny traffic on a routed VLAN interface (input or output), and no VACL configured, all traffic is permitted.
- Note that the order of ACEs in an ACL is important. A packet that comes into the switch is applied against the first ACE in the ACL. If there is no match, the packet is applied against the next ACE in the list. If no ACEs match, the packet is denied (dropped).
- Always enter the show security acl info acl_name editbuffer command to see the current list of ACEs before making any changes to the edit buffer.
- Note that in systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.
- Note that the system might incorrectly calculate the maximum number of ACLs in the system if an ACL is deleted but not committed.
- Note that the show security acl resource-usage and show qos acl resource-usage commands might not show 100 percent usage even if there is no space in the hardware to store more ACLs. This situation occurs because some ACL space is reserved in hardware for the ACL manager to perform cleanup and mapping if necessary.
- Note that the system might take longer to boot if you configure a very large number of ACLs.
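
The ACE-ordering guideline above (first match wins, and a packet that matches no ACE is dropped), as an added Python example that is not part of the Cisco guide. It models an ACE in simplified form as an action plus source and destination IPv4 networks and flags entries that an earlier ACE fully covers; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

IMPLICIT_DENY = "deny"  # per the guideline: a packet matching no ACE is dropped


def ace(action, src, dst):
    """Simplified ACE (an assumption): action plus source/destination networks."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def evaluate(aces, src_ip, dst_ip):
    """Return (action, index) of the first matching ACE, else the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, (action, src_net, dst_net) in enumerate(aces):
        if src in src_net and dst in dst_net:
            return action, index
    return IMPLICIT_DENY, None


def shadowed(aces):
    """Return (later, earlier) index pairs where the earlier ACE fully covers
    the later one, so the later ACE can never be the first match."""
    pairs = []
    for later, (_, src_l, dst_l) in enumerate(aces):
        for earlier in range(later):
            _, src_e, dst_e = aces[earlier]
            if src_l.subnet_of(src_e) and dst_l.subnet_of(dst_e):
                pairs.append((later, earlier))
                break
    return pairs


# Constructed sample ACL: the broad deny is entered before the specific permit.
BAD_ORDER = [
    ace("deny", "10.1.0.0/16", "0.0.0.0/0"),
    ace("permit", "10.1.5.0/24", "192.0.2.10/32"),
    ace("permit", "0.0.0.0/0", "0.0.0.0/0"),
]
# Same ACEs with the specific permit moved ahead of the broad deny.
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0], BAD_ORDER[2]]

if __name__ == "__main__":
    for name, acl in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(name, evaluate(acl, "10.1.5.7", "192.0.2.10"), shadowed(acl))
    # Without a trailing permit, unmatched traffic hits the implicit deny.
    print(evaluate(GOOD_ORDER[:2], "172.16.0.1", "192.0.2.10"))
```

Running a check like this against the ACE list shown in the edit buffer, before committing, catches a permit that a broader earlier deny has made unreachable.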
