VACLs and QoS ACL Classification Order of Operation

Unanswered Question
Aug 2nd, 2007
User Badges:


Please see the attached jpeg diagram for the topology.

Question is: If you specify a VACL on a switch, lets say at ingress to your network for voice/data/video classification for QoS purposes, does your traffic get classfied once at ingress, ie, when coming into your switchport to the switch, and then again, when it reaches the far end access switch (lets just say RTP payload). So, a voice call would get classificed twice when sending an RTP packet from Phone 1 to phone 2?

This is just important to understand from a transit network design point of view?

There seems to be a bit of confusion, ie, when I look at the following documentation,

it shows that VALCs in a bridge environment, only hits the VACL on ingress, but other documentation, says that the VALCs (or VLAN maps) are directionless?

I am a little confused by that?

Also, I am assuming, when you come into another switch (ie frame A arrives at the far end access switch in my diagram), your packet will be coming in with an 802.1q header, that gets stripped, and then you will be in a particular VLAN, and the VACL applies to that?


The VACL gets applied before the 802.1q header is stripped? So, if you came in with a VLAN tag on a dot1q trunk and you had a tag of 100, your frame would get processed by a VACL mapped to VLAN 100 (if any) and then the 802.1q tag removed, and if it was VLAN 600, your frame would be subject to any VLAN 600 VACL and then 802.1q header removed?

Does anyone know exactly how this works?

Many thanks to all, and kind regards,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
andrew.burns Fri, 08/03/2007 - 00:07
User Badges:
  • Gold, 750 points or more


The following quote from the docs should help:

"After packets have been processed by ingress PFC QoS and any policing or marking changes have been made, the packets are processed again on the ingress interface by any configured Layer 2 features (for example, VACLs) before being processed by egress PFC QoS."

And the following doc has some very useful guidelines on optimising ACL's for the 6500 hardware:



kfarrington Fri, 08/03/2007 - 00:49
User Badges:

Hi Andrew, and thx for the replay.

I assume then that VACLs in a bridge environment, are only on ingress, but if routed out of a VLAN the VACL gets hit twice.

BTW, I found this document stating that VACLs are directionless:

But I am still a tad confused how this works if a frame comes in from a trunk? Does it look at the 802.1q tag, and then says, you have a VACL, hits the VACL and then strips off the 802.1q tag, or does it strip the 802.1q tag first and then hit the VACL?

Many thx to all,



This Discussion