Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Using VLAN Maps with Router ACLs
Guidelines for Using Router ACLs and VLAN Maps on the Same VLAN
Because the switch hardware performs only one lookup for each direction (input and output), the switch must merge a router ACL and a VLAN map into a single set of hardware entries when both are configured on the same VLAN. Merging the router ACL with the VLAN map can significantly increase the number of ACEs programmed into hardware, so keep both lists as small and as uniformly structured as possible.
When possible, try to write the ACL so that all entries have a single action except for the final, default
action. You should write the ACL using one of these two forms:
permit...
permit...
permit...
deny ip any any
or
deny...
deny...
deny...
permit ip any any
If you must mix permit and deny actions in one ACL, group all entries of each action type together; every change of action in the list increases the number of merged entries.
If you need to specify full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs that carry Layer 4 information, put the Layer 4 ACEs at the end of the list. Because the list is evaluated in order, this gives the address-based entries priority over the port- and type-based entries.
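The following configuration is an added example and is not taken from the Cisco guide. It shows a router ACL and a VLAN map on the same VLAN written in the single-action form described above, with the Layer 4 entries at the end of the router ACL. The VLAN number, ACL and map names, and the addresses 10.10.10.0/24, 10.20.20.0/24 and 10.30.30.53 are hypothetical.

```cisco
! Added example, not from the Cisco guide. VLAN 10, the ACL and map names
! and all addresses are assumptions chosen for illustration.

! Router ACL for routed traffic entering VLAN 10's SVI: one group of
! permits and a single default deny. IP-only entries come first and the
! TCP/UDP/ICMP entries with Layer 4 information are placed at the end.
ip access-list extended VLAN10-IN
 remark -- IP-only entries (evaluated first) --
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 host 10.30.30.53
 remark -- Layer 4 entries (kept at the end) --
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
 permit udp 10.10.10.0 0.0.0.255 host 10.30.30.53 eq domain
 permit icmp 10.10.10.0 0.0.0.255 any echo
 deny ip any any

! Match list for the VLAN map. In a VLAN map the ACL only selects traffic;
! "permit" here means "this clause matches", and the map's action decides
! what happens. One action type only, so it merges cheaply.
ip access-list extended VLAN10-INTRA-BLOCK
 permit udp any any eq tftp
 permit tcp any any eq telnet

! VLAN map: a single drop clause, then a forward-everything default.
! This is what filters switched (intra-VLAN) packets, which a router
! ACL never sees.
vlan access-map VLAN10-MAP 10
 match ip address VLAN10-INTRA-BLOCK
 action drop
vlan access-map VLAN10-MAP 20
 action forward
vlan filter VLAN10-MAP vlan-list 10

! Apply the router ACL on the SVI. Both the map and the ACL now apply to
! VLAN 10, so the switch merges them into one hardware lookup per direction.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10-IN in

! Verification after the change.
show vlan access-map VLAN10-MAP
show vlan filter
show ip access-lists VLAN10-IN
show ip interface vlan 10
```

After applying the configuration, confirm with the `show` commands that the map is attached to VLAN 10 and that `show ip interface vlan 10` reports VLAN10-IN as the inbound access list. A routed packet entering VLAN 10 can be dropped either by the VLAN map or by the router ACL; a packet switched between two hosts in VLAN 10 is subject only to the VLAN map, which is why the TFTP and Telnet restrictions are placed there rather than in the router ACL.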
Examples of Router ACLs and VLAN Maps Applied to VLANs
These examples show how router ACLs and VLAN maps are applied on a VLAN to control the access
of switched, bridged, routed, and multicast packets. Although the following illustrations show packets
being forwarded to their destination, each time a packet crosses a line indicating a VLAN map or an
ACL, the packet could be dropped rather than forwarded.
ACLs and Switched Packets
The illustration for this case shows how an ACL processes packets that are switched within a VLAN. Packets switched within the VLAN are not processed by router ACLs; only a VLAN map can filter them.