33-20
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Using VLAN Maps with Router ACLs
Guidelines for Using Router ACLs and VLAN Maps
Use these guidelines when you need to use a router ACL and a VLAN map on the same VLAN.
Because the switch hardware performs one lookup for each direction (input and output), you must merge
a router ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL
with the VLAN map can significantly increase the number of ACEs.
When possible, try to write the ACL so that all entries have a single action except for the final, default
action. You should write the ACL using one of these two forms:
permit...
permit...
permit...
deny ip any any
or
deny...
deny...
deny...
permit ip any any
To define multiple permit or deny actions in an ACL, group each action type together to reduce the
number of entries.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. Doing this gives priority to
the filtering of traffic based on IP addresses.
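The following Python script is an added example, not part of the configuration guide and not a Cisco tool. It checks an extended ACL against the guidelines above: whether the entries use one of the two recommended single-action forms, how many runs of alternating permit/deny actions it contains, and, for single-action ACLs only, it moves the TCP/UDP/ICMP (Layer 4) ACEs behind the IP ACEs while keeping the default entry last. The ACE syntax it parses is the simplified "action protocol source destination ..." form, and the two sample ACLs are constructed for the example.

```python
import re

# Constructed sample router ACL (not from the configuration guide): a mix of
# IP ACEs and TCP/UDP ACEs carrying Layer 4 port information, all permits,
# terminated by the default "deny ip any any".
SAMPLE_PERMIT_LIST = [
    "permit tcp any host 10.1.1.10 eq 443",
    "permit ip 10.0.0.0 0.0.0.255 any",
    "permit udp any host 10.1.1.53 eq 53",
    "permit ip 10.0.1.0 0.0.0.255 any",
    "deny ip any any",
]

# Constructed sample that alternates actions; reordering it would change
# which entry matches first, so the checker only reports on it.
SAMPLE_MIXED = [
    "permit tcp any host 10.1.1.10 eq 443",
    "deny ip 10.0.0.0 0.0.0.255 any",
    "permit ip any any",
]

# The ACEs the guide calls "TCP/UDP/ICMP ACEs with Layer 4 information".
LAYER4_PROTOCOLS = {"tcp", "udp", "icmp"}


def parse_ace(line):
    """Split an extended ACE into action, protocol and the remaining match text."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError("not an extended ACE: %r" % line)
    return {"action": parts[0], "proto": parts[1].lower(), "rest": parts[2:], "text": line}


def is_default(ace):
    """True for 'permit ip any any' / 'deny ip any any', the catch-all final entry."""
    return ace["proto"] == "ip" and ace["rest"] == ["any", "any"]


def has_layer4_info(ace):
    """TCP/UDP/ICMP ACEs are the ones the hardware must match on Layer 4 fields."""
    return ace["proto"] in LAYER4_PROTOCOLS


def acl_form(lines):
    """Classify an ACL as 'permit-list', 'deny-list' or 'mixed' (the two forms from the guide)."""
    aces = [parse_ace(l) for l in lines]
    if not aces or not is_default(aces[-1]):
        return "mixed"
    body_actions = {a["action"] for a in aces[:-1]}
    default_action = aces[-1]["action"]
    if body_actions == {"permit"} and default_action == "deny":
        return "permit-list"
    if body_actions == {"deny"} and default_action == "permit":
        return "deny-list"
    return "mixed"


def action_groups(lines):
    """Count runs of consecutive ACEs with the same action; fewer runs means better grouping."""
    groups = 0
    previous = None
    for ace in (parse_ace(l) for l in lines):
        if ace["action"] != previous:
            groups += 1
            previous = ace["action"]
    return groups


def normalize(lines):
    """Return the ACL with Layer 4 ACEs moved after the IP ACEs, default entry kept last.

    Only single-action ACLs are reordered: every body entry there has the same
    action, so first-match order among them cannot change the filtering result.
    A mixed ACL is returned unchanged because reordering it could alter behaviour.
    """
    if acl_form(lines) == "mixed":
        return list(lines)
    aces = [parse_ace(l) for l in lines]
    body, default = aces[:-1], aces[-1]
    ip_aces = [a["text"] for a in body if not has_layer4_info(a)]
    l4_aces = [a["text"] for a in body if has_layer4_info(a)]
    return ip_aces + l4_aces + [default["text"]]


if __name__ == "__main__":
    for name, acl in (("permit-list sample", SAMPLE_PERMIT_LIST), ("mixed sample", SAMPLE_MIXED)):
        print("%s: form=%s, action groups=%d" % (name, acl_form(acl), action_groups(acl)))
        for entry in normalize(acl):
            print("  " + entry)
```

Running the script shows the permit-list sample rewritten with its two IP ACEs first, the two Layer 4 ACEs after them and "deny ip any any" still last, while the mixed sample is reported as having three action groups and is left untouched; regrouping a mixed ACL is a design decision the operator has to make by hand because it can change which entry a packet matches first.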
Examples of Router ACLs and VLAN Maps Applied to VLANs
These examples show how router ACLs and VLAN maps are applied on a VLAN to control the access
of switched, bridged, routed, and multicast packets. Although the following illustrations show packets
being forwarded to their destination, each time a packet crosses a line indicating a VLAN map or an
ACL, the packet could be dropped rather than forwarded.

ACLs and Switched Packets

Figure 33-5 shows how an ACL processes packets that are switched within a VLAN. Packets switched
within the VLAN are not processed by router ACLs.