Cisco WS-C6506 Software Manual page 414

Catalyst 6500 series switch
Chapter 15 Configuring Access Control
Using VACLs with Cisco IOS ACLs

Note: To display the percentage of ACL storage that is being used, enter the show security acl resource-usage command.

These sections provide the Cisco IOS ACL and VACL configuration guidelines and examples:
Using the Implicit Deny Action, page 15-18
Grouping Actions Together, page 15-18
Limiting the Number of Actions, page 15-18
Avoiding Layer 4 Port Information, page 15-19
Estimating Merge Results with Supervisor Engine Software Releases Prior to Release 7.1(1), page 15-19
Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases, page 15-21

Using the Implicit Deny Action

If possible, use the implicit deny action at the end of an ACL (deny any any) and define the ACEs to permit only allowed traffic. You can achieve this same effect by defining all the deny entries and specifying permit ip any any at the end of the list (see Example 1, page 15-20).

Grouping Actions Together

To define multiple actions in an ACL (permit, deny, redirect), group each action type. Example 3, page 15-20 shows what can happen when you do not group each type. In the example, the deny action in line 6 was grouped with the permit actions. If this deny action is removed, the result of merging would be 53 entries, instead of 329 entries.

Limiting the Number of Actions

An ACL with only permit ACEs has two actions: permit and deny (because of the implicit deny at the end of the list). An ACL with permit and redirect has three actions: permit, redirect, and deny (because of the implicit deny at the end of the list).

When configuring an ACL, the best merge results are obtained when you specify only two different actions: permit and deny, redirect and permit, or redirect and deny.

Note: With supervisor engine software release 7.1(1) or later releases, due to an improved algorithm for merging ACLs, you do not need to limit the number of actions when configuring an ACL.

To specify a redirect and deny ACL, do not use any permit ACEs. To specify a redirect and permit ACL, use permit ACEs, redirect ACEs, and for the last ACE, specify permit ip any any. If you specify permit ip any any, you will override the implicit deny ip any at the end of the list (see Example 4, page 15-21).

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
15-18
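The three guidelines on this page (rely on the implicit deny, group each action type, keep the ACL to two effective actions) can be checked mechanically before an ACL is committed. The linter below is an added example, not Cisco code and not part of this guide: it assumes a simplified form of the CatOS set security acl ip ACE syntax (action, optional redirect mod/port, protocol keyword, then source/destination), uses constructed sample ACLs, and reports the effective action set including the implicit deny, whether each action type is grouped, and whether a final permit ip any any overrides the implicit deny.

```python
import re
from dataclasses import dataclass

# Simplified CatOS ACE form assumed for this example (not the full grammar):
#   set security acl ip <name> <action> [<mod/port>] <protocol> <src> <dst> [...]
# where <action> is permit | deny | redirect (redirect carries a mod/port target).
ACE_RE = re.compile(
    r"^set security acl ip (?P<name>\S+) (?P<action>permit|deny|redirect)"
    r"(?: (?P<target>\d+/\d+))? (?P<proto>\S+) (?P<rest>.*)$"
)


@dataclass
class Ace:
    line: int     # 1-based position of the ACE within the ACL
    action: str   # permit | deny | redirect
    proto: str    # protocol keyword, e.g. ip, tcp, udp
    rest: str     # remainder of the ACE: source, destination, ports


def parse_acl(text):
    """Parse ACE lines; blank lines and '!' comment lines are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("!"):
            continue
        m = ACE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised ACE: {raw}")
        aces.append(Ace(len(aces) + 1, m["action"], m["proto"], m["rest"].strip()))
    return aces


def is_permit_ip_any_any(ace):
    return ace.action == "permit" and ace.proto == "ip" and ace.rest == "any any"


def action_runs(aces):
    """Map each action to the ACE numbers at which a run of that action starts."""
    runs, prev = {}, None
    for ace in aces:
        if ace.action != prev:
            runs.setdefault(ace.action, []).append(ace.line)
        prev = ace.action
    return runs


def lint_acl(text):
    aces = parse_acl(text)
    explicit = {a.action for a in aces}
    overrides_implicit_deny = bool(aces) and is_permit_ip_any_any(aces[-1])
    # Every ACL ends with an implicit deny ip any any unless the last ACE is
    # an explicit permit ip any any, so deny counts as an action either way
    # except in that one case.
    effective = set(explicit) | (set() if overrides_implicit_deny else {"deny"})
    split = {act: starts for act, starts in action_runs(aces).items() if len(starts) > 1}
    findings = []
    for act, starts in sorted(split.items()):
        findings.append(f"{act} ACEs are not grouped: runs start at ACEs {starts}; "
                        "group each action type together")
    if len(effective) > 2:
        # Matters for supervisor engine software before 7.1(1); later releases
        # merge three-action ACLs without this restriction.
        findings.append(f"{len(effective)} actions in effect ({', '.join(sorted(effective))}); "
                        "best merge results come from two: permit+deny, redirect+permit or redirect+deny")
    if "redirect" in explicit and "permit" in explicit and not overrides_implicit_deny:
        findings.append("redirect-and-permit ACL should end with 'permit ip any any' "
                        "to override the implicit deny")
    return {
        "ace_count": len(aces),
        "actions": sorted(effective),
        "grouped": not split,
        "split_actions": split,
        "overrides_implicit_deny": overrides_implicit_deny,
        "findings": findings,
    }


# Constructed sample: a deny ACE splits the permit ACEs, and the ACL mixes
# redirect with permit without a final permit ip any any (three actions).
UNGROUPED_ACL = """
set security acl ip VACL_A permit tcp any host 10.1.1.10 eq 80
set security acl ip VACL_A permit tcp any host 10.1.1.10 eq 443
set security acl ip VACL_A deny ip host 10.1.1.99 any
set security acl ip VACL_A permit udp any host 10.1.1.20 eq 53
set security acl ip VACL_A redirect 3/1 tcp any host 10.1.1.30 eq 25
"""

# Constructed sample of a redirect-and-permit ACL written per the guidelines:
# each action type grouped, permit ip any any last so only two actions remain.
GROUPED_ACL = """
set security acl ip VACL_B redirect 3/1 tcp any host 10.1.1.30 eq 25
set security acl ip VACL_B permit tcp any host 10.1.1.10 eq 80
set security acl ip VACL_B permit tcp any host 10.1.1.10 eq 443
set security acl ip VACL_B permit udp any host 10.1.1.20 eq 53
set security acl ip VACL_B permit ip any any
"""

if __name__ == "__main__":
    for name, acl in (("VACL_A", UNGROUPED_ACL), ("VACL_B", GROUPED_ACL)):
        report = lint_acl(acl)
        print(name, report["actions"], "grouped" if report["grouped"] else "ungrouped")
        for f in report["findings"]:
            print("  -", f)
```

The grouping check counts how many separate runs each action type has; an action with more than one run is reported with the ACE numbers where each run starts, which is the situation the page describes for the deny at line 6 of Example 3. The action count is taken after applying the implicit-deny rule, so an ACL of only permit ACEs is reported as the two actions permit and deny, exactly as the guideline counts it.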
