16-3
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 16 Configuring Access Control
Supported ACLs
Cisco IOS ACLs
Cisco IOS ACLs are configured on the MSFC VLAN interfaces. An ACL provides access control and
consists of an ordered set of access control entries (ACEs). Many other features in Cisco IOS software
also use ACLs for specifying flows. For example, Web Cache Redirect (through the Web Cache
Coordination Protocol [WCCP]) uses ACLs to specify HTTP flows that can be redirected to a Web cache
engine.
Most Cisco IOS features are applied on interfaces for specific directions (inbound versus outbound).
However, some features use ACLs globally. For such features, ACLs are applied on all interfaces for a
given direction. As an example, TCP intercept uses a global ACL that is applied on all interfaces for
outbound direction.
One Cisco IOS ACL can be used with multiple features for a given interface, and one feature can use
multiple ACLs. When a single ACL is used by multiple features, Cisco IOS software examines it
multiple times.
Cisco IOS software examines ACLs that are associated with features that are configured on a given
interface and a direction. As packets enter the router on a given interface, Cisco IOS software examines
ACLs that are associated with all inbound features that are configured on that interface for the following:
•
Inbound access control ACLs (standard, extended, and/or reflexive)
•
Encryption ACLs (not supported on the MSFC)
•
Policy routing ACLs
•
Network Address Translation (NAT) for outside-to-inside translation
After packets are routed and before they are forwarded out to the next hop, Cisco IOS examines all ACLs
that are associated with the outbound features that are configured on the egress interface for the
following:
•
Outbound access control ACLs (standard, extended, and/or reflexive)
•
Encryption ACLs (not supported on the MSFC)
•
NAT ACLs (for inside-to-outside translation)
•
WCCP ACL
•
TCP intercept ACL
VACLs
The following sections describe VACLs:
•
VACL Overview, page 16-3
•
ACEs Supported in VACLs, page 16-4
•
Handling Fragmented and Unfragmented Traffic, page 16-5
VACL Overview
VACLs can access control
all
traffic. You can configure VACLs on the switch to apply to all packets
that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security
packet filtering and redirecting traffic to specific physical switch ports. Unlike Cisco IOS ACLs, VACLs
are not defined by direction (input or output).