Vacl Configuration Guidelines - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Chapter 15
Configuring Access Control

VACL Configuration Guidelines

This section describes the guidelines for configuring the VACLs:

Caution: All changes to the ACLs are stored temporarily in an edit buffer. You must enter the commit command to commit all the ACEs to NVRAM. The committed ACLs with no ACEs are deleted. We recommend that you enter the ACEs in batches and enter the commit command to save all the changes to NVRAM.

Note: You can configure Cisco IOS ACLs and VACLs from flash memory instead of NVRAM. See the "Configuring and Storing VACLs and QoS ACLs in Flash Memory" section on page 15-64 for detailed information.

Note: With Supervisor Engine 720 (PFC3A/PFC3B/PFC3BXL) and Supervisor Engine 32 (PFC3B/PFC3BXL), the IPX routing is done through the software and IPX Cisco IOS ACLs and IPX VACLs are not supported. You can match the IPX packets using the MAC VACLs. You can enter the ipx-arpa keyword to match the IPX ARPA frames. Use 0xffff EtherType to match on the IPX non-ARPA frames and frames with an EtherType of 0xffff. For information on configuring the MAC VACLs, see the "Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs" section on page 15-52.

• See the "Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines" section on page 15-17.
• See the "Using VACLs in Your Network" section on page 15-25 for configuration examples.
• See the "Unsupported Features" section on page 15-44.
• See the "Specifying the ACL-Merge Algorithm" section on page 15-47.
• You must commit a VACL before you can map it to a VLAN. There are no default VACLs and no default VACL-to-VLAN mappings.
• If no Cisco IOS ACL is configured to deny the traffic on a routed VLAN interface (input or output), and no VACL is configured, all traffic is permitted.
• The order of ACEs in an ACL is important. A packet that comes into the switch is applied against the first ACE in the ACL. If there is no match, the packet is applied against the next ACE in the list. If no ACEs match, the packet is denied (dropped).
• Always enter the show security acl info acl_name editbuffer command to see the current list of ACEs before making any changes to the edit buffer.
• In systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.
• The system might incorrectly calculate the maximum number of ACLs in the system if an ACL is deleted but not committed.
• The show security acl resource-usage and show qos acl resource-usage commands might not show 100 percent usage even if there is no space in the hardware to store more ACLs. This situation occurs because some ACL space is reserved in the hardware for the ACL manager to perform cleanup and mapping if necessary.
• The system might take longer to boot if you configure a very large number of ACLs.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, page 15-45
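The edit-buffer/commit workflow and the first-match ACE evaluation described in these guidelines, as an added Python model. This is illustration code, not Cisco's ACL manager: the AclManager class, the Ace shape and its source/destination CIDR matching are assumptions made for the example (a real VACL ACE matches on more fields), and the sample ACEs and addresses are constructed.

```python
"""Model of VACL guideline behaviour: uncommitted edits live in an edit buffer,
commit moves them to "NVRAM", an ACL committed with no ACEs is deleted, a VACL
must be committed before it can be mapped to a VLAN, ACEs are evaluated first
match wins, and a packet matching no ACE is denied (implicit deny).
Added example, not Cisco code; the class and field names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR form (constructed simplification)
    dst: str      # destination prefix in CIDR form

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def evaluate(aces, src: str, dst: str) -> str:
    """First-match evaluation: walk the ACEs in order and return the action of
    the first one that matches; if none matches, the packet is denied."""
    for ace in aces:
        if ace.matches(src, dst):
            return ace.action
    return "deny"   # implicit deny at the end of every ACL


class AclManager:
    def __init__(self):
        self.edit_buffer = {}   # acl_name -> list[Ace], not yet committed
        self.nvram = {}         # acl_name -> list[Ace], committed
        self.vlan_map = {}      # vlan -> acl_name (no default mappings)

    def set_ace(self, acl_name: str, ace: Ace) -> None:
        """Append an ACE to the ACL's edit buffer (seeded from the committed copy)."""
        buf = self.edit_buffer.setdefault(acl_name, list(self.nvram.get(acl_name, [])))
        buf.append(ace)

    def clear_acl(self, acl_name: str) -> None:
        """Remove all ACEs in the edit buffer; takes effect only on commit."""
        self.edit_buffer[acl_name] = []

    def show_editbuffer(self, acl_name: str):
        """Equivalent of 'show security acl info <acl_name> editbuffer'."""
        return list(self.edit_buffer.get(acl_name, self.nvram.get(acl_name, [])))

    def commit(self, acl_name: str = None) -> None:
        """Commit one ACL, or every ACL in the edit buffer, to NVRAM.
        A committed ACL with no ACEs is deleted."""
        names = [acl_name] if acl_name else list(self.edit_buffer)
        for name in names:
            aces = self.edit_buffer.pop(name, None)
            if aces is None:
                continue
            if aces:
                self.nvram[name] = aces
            else:
                self.nvram.pop(name, None)

    def map_to_vlan(self, acl_name: str, vlan: int) -> None:
        """Mapping requires a committed VACL."""
        if acl_name not in self.nvram:
            raise ValueError(f"VACL {acl_name} must be committed before it is mapped")
        self.vlan_map[vlan] = acl_name

    def filter(self, vlan: int, src: str, dst: str) -> str:
        """Apply the VLAN's VACL; with no VACL mapped all traffic is permitted.
        (A mapping to a since-deleted ACL is treated the same way here: an
        assumption of this model, not a statement about the switch.)"""
        aces = self.nvram.get(self.vlan_map.get(vlan))
        if aces is None:
            return "permit"
        return evaluate(aces, src, dst)


if __name__ == "__main__":
    m = AclManager()
    # Constructed ACEs: a broad deny placed before a narrower permit.
    m.set_ace("vacl1", Ace("deny", "10.0.0.0/8", "0.0.0.0/0"))
    m.set_ace("vacl1", Ace("permit", "10.1.1.0/24", "0.0.0.0/0"))
    print("edit buffer:", m.show_editbuffer("vacl1"))
    m.commit("vacl1")
    m.map_to_vlan("vacl1", 10)
    print("as ordered:", m.filter(10, "10.1.1.5", "172.16.0.1"))      # deny
    print("reversed:  ", evaluate(list(reversed(m.nvram["vacl1"])),
                                  "10.1.1.5", "172.16.0.1"))           # permit
    print("no match:  ", m.filter(10, "192.168.0.1", "172.16.0.1"))   # deny
```

Running the script shows why the ordering guideline matters: the same two ACEs permit or deny the host 10.1.1.5 depending only on which one comes first, and a host matching neither ACE is dropped by the implicit deny. The clear-then-commit path shows the "committed ACLs with no ACEs are deleted" rule, and map_to_vlan refuses an uncommitted VACL.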

This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513.