16-20
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 16 Configuring Access Control
Using VACLs with Cisco IOS ACLs
******** IOS ACL *********
1 permit ip 147.150.213.64 0.0.0.31 194.72.6.64 0.0.0.15
2 permit ip 147.150.213.64 0.0.0.31 194.72.6.160 0.0.0.15
3 permit ip 147.150.213.64 0.0.0.31 host 194.72.6.205
4 permit ip 147.151.77.0 0.0.0.255 194.72.6.64 0.0.0.15
5 permit ip 147.151.77.0 0.0.0.255 194.72.6.160 0.0.0.15
6 permit ip 147.151.77.0 0.0.0.255 194.72.6.208 0.0.0.15
7 permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205
8 permit ip host 193.37.169.121 194.72.6.64 0.0.0.15
[...] total 62 entries without L4 information
******* MERGE ********
has 1259 ACEs.
Guidelines for Using Layer 4 Operations
Follow these guidelines for configurations where you need to specify Layer 4 port operations.
These sections provide guidelines for specifying Layer 4 port operations:
• Determining Layer 4 Operation Usage, page 16-20
• Determining Logical Operation Unit Usage, page 16-21
Determining Layer 4 Operation Usage
The switch hardware allows you to specify these types of operations:
• gt (greater than)
• lt (less than)
• neq (not equal)
• eq (equal)
• range (inclusive range)
We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.
Note
If you have a Cisco IOS ACL and a VACL on the same VLAN interface, the recommended total number of Layer 4 operations is still nine or less.
Use the following two guidelines to determine Layer 4 operation usage:
1. Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are four different Layer 4 operations (“gt 10” and “gt 11” are considered two different Layer 4 operations):
... gt 10 permit
... lt 9 deny
... gt 11 deny
... neq 6 redirect
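The counting rule above (an operation is the pair operator plus operand, and the recommended total across a Cisco IOS ACL and a VACL on the same VLAN is nine or fewer) is easy to check before a configuration is pushed. The following script is an added example, not part of the guide: it extracts the Layer 4 operations from a list of ACE strings, counts the distinct ones, and reports whether the combined set for one VLAN stays within the recommended budget. The four ACEs quoted in the guide are reused as the VACL; the IOS ACL lines and the port numbers in them are constructed for illustration. Operands are compared literally, so “eq 80” and “eq www” would count as two operations; resolve port names first if you rely on that distinction.

```python
import re

# The four ACEs quoted in the guide; "..." stands for the omitted match fields.
GUIDE_VACL = [
    "... gt 10 permit",
    "... lt 9 deny",
    "... gt 11 deny",
    "... neq 6 redirect",
]

# Constructed Cisco IOS ACL for the same VLAN (sample addresses and ports, not from the guide).
SAMPLE_IOS_ACL = [
    "permit tcp 10.0.0.0 0.0.0.255 any eq 80",
    "permit tcp 10.0.0.0 0.0.0.255 any eq 443",
    "permit tcp 10.0.0.0 0.0.0.255 any range 1024 65535",
    "permit tcp 10.0.0.0 0.0.0.255 any gt 10",   # same operation as the VACL's "gt 10"
    "permit ip 10.0.0.0 0.0.0.255 any",          # no Layer 4 operation at all
]

# "range" takes two operands; gt/lt/neq/eq take one. The \b guards keep "eq"
# from matching inside other words such as "neq" or "request".
L4_OP_RE = re.compile(r"\b(?:(range)\s+(\w+)\s+(\w+)|(gt|lt|neq|eq)\s+(\w+))\b")

RECOMMENDED_LIMIT = 9  # the guide's recommended maximum per VLAN interface


def distinct_layer4_operations(aces):
    """Return the set of distinct Layer 4 operations in a list of ACE strings.

    An operation is identified by operator and operand together, so "gt 10" and
    "gt 11" are two operations, while a repeated "gt 10" is counted once.
    """
    ops = set()
    for ace in aces:
        for m in L4_OP_RE.finditer(ace):
            if m.group(1):                      # range LOW HIGH
                ops.add(("range", m.group(2), m.group(3)))
            else:                               # gt / lt / neq / eq OPERAND
                ops.add((m.group(4), m.group(5)))
    return ops


def check_layer4_budget(acls, limit=RECOMMENDED_LIMIT):
    """Count distinct Layer 4 operations across every ACL applied to one VLAN
    interface (for example an IOS ACL plus a VACL) and compare with the limit.

    Returns (count, within_limit). Operations shared between the ACLs are
    counted once, matching the guide's per-interface total.
    """
    combined = set()
    for acl in acls:
        combined |= distinct_layer4_operations(acl)
    return len(combined), len(combined) <= limit


if __name__ == "__main__":
    vacl_ops = distinct_layer4_operations(GUIDE_VACL)
    print("VACL operations:", sorted(vacl_ops))          # four, as the guide states
    count, ok = check_layer4_budget([GUIDE_VACL, SAMPLE_IOS_ACL])
    print(f"IOS ACL + VACL: {count} distinct Layer 4 operations, "
          f"{'within' if ok else 'over'} the recommended {RECOMMENDED_LIMIT}")
```

Run it as a pre-change check over the ACE lines you are about to apply; when the combined count exceeds nine, expect the extra operations to expand ACEs during the merge, as the guideline above warns.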