Cisco WS-C6506 Software Manual, page 415
Catalyst 6500 series switch

Chapter 15      Configuring Access Control
Using VACLs with Cisco IOS ACLs

Avoiding Layer 4 Port Information

Avoid including Layer 4 information in an ACL because it complicates the merging process. You obtain the best merge results if the ACLs filter on the IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).

If you need to specify the full flow, follow the recommendations in the "Using the Implicit Deny Action" section on page 15-18 and the "Grouping Actions Together" section on page 15-18. If you cannot follow the recommendation because the ACL has both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list so that the traffic filtering based on IP addresses takes priority.

Estimating Merge Results with Supervisor Engine Software Releases Prior to Release 7.1(1)

Note  To see a comparison of the merge results when using supervisor engine software releases before software release 7.1(1) versus software release 7.1(1) or later releases, see the "Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases" section on page 15-21.

If you follow the ACL guidelines when configuring the ACLs, you can get a rough estimate of the merge results for the ACLs.

The following formula uses ACL A, ACL B, and ACL C. If ACL C is the result of merging ACL A and ACL B, and you know the size of ACL A and ACL B, you can estimate the upper limit of the size of ACL C when no Layer 4 port information has been specified on ACL A and ACL B, as follows:

size of ACL C = (size of ACL A) x (size of ACL B) x 2

Note  In software releases prior to release 7.1(1), the formula is used as a guideline but the number of entries could go beyond the predicted range. In software release 7.1(1) and later releases, with the new ACL-merge algorithm, the formula is accurate for all cases. If Layer 4 port information is specified, the upper limit could be higher even with the new algorithm. See the "Layer 4 Operations Configuration Guidelines" section on page 15-23 for detailed information.
Two ACL-merge algorithms are available: the binary decision diagram (BDD) and the order-dependent merge (ODM). ODM is the enhanced algorithm that was introduced in software release 7.1(1). The BDD algorithm was used in releases prior to software release 7.1(1). See the "Specifying the ACL-Merge Algorithm" section on page 15-47 for detailed configuration information.

Note  With software release 8.1(1) and later releases, the BDD algorithm is no longer supported on any platform (PFC, PFC2, or PFC3A/PFC3B/PFC3BXL). The default ACL-merge algorithm is ODM. In software release 8.1(1) and later releases, the following command changes apply: the set aclmerge algo and set aclmerge bdd commands have been removed, and the show aclmerge {bdd | algo} command has been reduced to show aclmerge algo.

These examples show the merge results for the various Cisco IOS ACL and VACL configurations. One VACL and one Cisco IOS ACL are configured on the same VLAN.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
15-19
