15-19
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Using VACLs with Cisco IOS ACLs
Avoiding Layer 4 Port Information
Avoid including Layer 4 information in an ACL because it complicates the merge. You obtain the best
merge results when the ACLs filter on the source and destination IP addresses only, not on the full flow
(source IP address, destination IP address, protocol, and protocol ports).
If you need to specify the full flow, follow the recommendations in the “Using the Implicit Deny Action”
section on page 15-18 and “Grouping Actions Together” section on page 15-18. If you cannot follow the
recommendation because the ACL has both the IP and TCP/UDP/ICMP ACEs with Layer 4 information,
put the Layer 4 ACEs at the end of the list to prioritize the traffic filtering based on the IP addresses.
Estimating Merge Results with Supervisor Engine Software Releases Prior to Release 7.1(1)
Note To see a comparison of the merge results when using supervisor engine software releases before software
release 7.1(1) versus software release 7.1(1) or later releases, see the “Estimating Merge Results with
Supervisor Engine Software Releases 7.1(1) or Later Releases” section on page 15-21.
If you follow the ACL guidelines when configuring the ACLs, you can get a rough estimate of the merge
results for the ACLs.
The following formula uses ACL A, ACL B, and ACL C. If ACL C is the result of merging ACL A and
ACL B, and you know the size of ACL A and ACL B, you can estimate the upper limit of the size of
ACL C when no Layer 4 port information has been specified on ACL A and ACL B, as follows:
size of ACL C = (size of ACL A) x (size of ACL B) x (2)
Note In software releases prior to release 7.1(1), the formula is used as a guideline but the number of entries
could go beyond the predicted range. In software release 7.1(1) and later releases, with the new ACL
merge algorithm, the formula is accurate for all cases. If Layer 4 port information is specified, the upper
limit could be higher even with the new algorithm. See the “Layer 4 Operations Configuration
Guidelines” section on page 15-23 for detailed information.
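The following is an added example, not code from the configuration guide or from Cisco, that illustrates both the "Avoiding Layer 4 Port Information" guideline and the size estimate above with a simplified model of the merge: the merged ACL is the ordered cross product of the Cisco IOS ACL and the VACL (a packet is permitted only if both lists permit it), and any Layer 4 port range is expanded into the value/mask pairs a TCAM can hold. The sample ACLs, the `Ace` type and the helper names are constructed for illustration; the model does not reproduce the BDD or ODM algorithm, only why IP-only ACLs stay within the estimate while port ranges can push the entry count above it.

```python
"""Simplified model of merging a Cisco IOS ACL with a VACL on one VLAN.

Added example, not Cisco code: the merged list is the ordered cross
product of the two ACLs (a packet passes only if both permit), and port
ranges are expanded into the value/mask pairs a TCAM can hold. The
sample ACLs below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")
PortRange = Optional[Tuple[int, int]]   # None means any port


@dataclass(frozen=True)
class Ace:
    permit: bool
    src: IPv4Network
    dst: IPv4Network
    dport: PortRange = None   # Layer 4 information; None keeps the ACE IP-only


def _net_intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Two prefixes are either disjoint or nested, so the intersection is the longer one."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def _port_intersect(a: PortRange, b: PortRange) -> Tuple[bool, PortRange]:
    """Intersect two port ranges; the flag is False when they cannot both match."""
    if a is None:
        return True, b
    if b is None:
        return True, a
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo <= hi), (lo, hi)


def merge(acl_a: List[Ace], acl_b: List[Ace]) -> List[Ace]:
    """Merge two first-match ACLs applied to the same traffic.

    Pairs are emitted in (a, b) order, which preserves first-match semantics:
    for a packet matching a_i first in A and b_j first in B, every earlier pair
    misses it, so (a_i, b_j) is the first merged entry that matches it.
    """
    merged = []
    for a in acl_a:
        for b in acl_b:
            src = _net_intersect(a.src, b.src)
            dst = _net_intersect(a.dst, b.dst)
            ok, dport = _port_intersect(a.dport, b.dport)
            if src is None or dst is None or not ok:
                continue                       # the two ACEs can never both match
            merged.append(Ace(a.permit and b.permit, src, dst, dport))
    return merged


def range_to_masks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Expand a port range into the minimal list of (value, mask) pairs."""
    out = []
    while lo <= hi:
        size = 1
        # grow the aligned power-of-two block while it still fits inside [lo, hi]
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out


def tcam_entries(acl: List[Ace]) -> int:
    """Count hardware entries: an IP-only ACE is one entry, a port range may be several."""
    return sum(1 if ace.dport is None else len(range_to_masks(*ace.dport)) for ace in acl)


def predicted_upper_limit(acl_a: List[Ace], acl_b: List[Ace]) -> int:
    """The guide's estimate for IP-only ACLs: size(C) <= size(A) x size(B) x 2."""
    return len(acl_a) * len(acl_b) * 2


# Constructed sample ACLs; each ends with an explicit catch-all entry.
IOS_ACL = [
    Ace(True,  IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/16")),
    Ace(False, IPv4Network("10.1.0.0/16"), ANY),
    Ace(True,  ANY, ANY),
]
VACL = [
    Ace(False, ANY, IPv4Network("10.2.3.0/24")),
    Ace(True,  ANY, ANY),
]
# The same IOS ACL, but its first ACE now carries a Layer 4 port range (tcp dport 1024-65535).
IOS_ACL_L4 = [Ace(True, IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/16"), (1024, 65535))] + IOS_ACL[1:]

if __name__ == "__main__":
    for name, acl in (("IP-only", IOS_ACL), ("with Layer 4 ports", IOS_ACL_L4)):
        merged = merge(acl, VACL)
        print(f"{name}: {len(merged)} merged ACEs, estimate {predicted_upper_limit(acl, VACL)}, "
              f"TCAM entries {tcam_entries(merged)}")
```

With the IP-only lists the merge yields 6 entries against an estimate of 12. Adding a single `range 1024 65535` to the first ACE leaves the merged list at 6 ACEs, but the range expands to 6 value/mask pairs in each of the two merged entries that inherit it, so the hardware footprint rises to 16 entries, above the IP-only estimate. This is the effect the guide warns about when Layer 4 port information is specified.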
Two ACL-merge algorithms are available: the binary decision diagram (BDD) and the order-dependent
merge (ODM). ODM is the enhanced algorithm that was introduced in software release 7.1(1). The BDD
algorithm was used in releases prior to software release 7.1(1). See the “Specifying the ACL-Merge
Algorithm” section on page 15-47 for detailed configuration information.
Note With software release 8.1(1) and later releases, the BDD algorithm is no longer supported on any
platform (PFC, PFC2, or PFC3A/PFC3B/PFC3BXL). The default ACL-merge algorithm is ODM. In
software release 8.1(1) and later releases, the following command changes appear: The set aclmerge
algo and set aclmerge bdd commands have been removed. The show aclmerge {bdd | algo} command
has been reduced to show aclmerge algo.
These examples show the merge results for the various Cisco IOS ACL and VACL configurations. One
VACL and one Cisco IOS ACL are configured on the same VLAN.