28-37
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter28 Configuring Network Securi ty with ACLs Using VLAN Maps with Router ACLs
Whenever possible, try to write the ACL with all entries having a single action except for the final,
default action of the other type. That is, write the ACL using one of these two forms:
permit...
permit...
permit...
deny ip any any
or
deny...
deny...
deny...
permit ip any any
To define multiple actions in an ACL (permit, deny), group each action type together to reduce the
number of entries.
Avoid including Layer 4 information in an ACL; adding this information complicates the merging
process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source
and destination) and not on the full flow (source IP address, de stin ati on IP ad dre ss, p rotoc ol, and
protocol ports). It is also helpful to use don’t care bits in the IP address, whenever possible.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and T CP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to
the filtering of traffic based on IP addresses.
Examples of Router ACLs and VLAN Maps Applied to VLANs
This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, routed,
and multicast packets. Although the following illustrations show packets being forwarded to their
destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also
possible that the packet might be dropped, rather than for warde d.

ACLs and Switched Packets

Figure 28-6 shows how an ACL is applied on packets that are switched within a VLAN. Packets switched
within the VLAN without being routed or forwarded are on ly su bjec t t o t he VL AN map of the inp ut
VLAN.