Best Way of Implementing ACL's on 6500

Answered Question

Hi, could someone please tell me the best (most efficient way) of implementing ACL's to filter IP by L3/L4 on the 6500 Platform.


Specifically we are using 6509/720-3b's and have a requirement to filter traffic upto Layer 4, logging exception entries to a syslog server for security purposes.


I have been reading on the relative merits of RACL/VACL/PACL. It sounds like VACL will do a job for me - but will there be any performance benefit over using standard RACL ??

Correct Answer by Jon Marshall about 9 years 1 month ago

ACL's are processed in hardware on the 6500 with exceptions (there are always exceptions). See the attached link for details on how the 6500 handles ACL's and when ACL processing is done in software as opposed to hardware.


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html


If you are logging exceptions you should also consider OAL (Optimised ACL logging) which is also covered in the attached link.


Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (3 ratings)
Loading.
bvsnarayana03 Mon, 04/21/2008 - 22:07
User Badges:
  • Silver, 250 points or more

If u hv a standard acl that needs to be applied across multiple vlans on switch then VACL is a good option. It helps in easy management in terms of adding new entries & enabling or disabling acl on vlan. With vlan acl if u want to add an entry, u jst do it 1ce unlike editing separate acl's for each vlan when applied to physical interfaces.


Refer this link for further clarity:


http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/vacl.html#wp1039754

Correct Answer
Jon Marshall Tue, 04/22/2008 - 00:41
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

ACL's are processed in hardware on the 6500 with exceptions (there are always exceptions). See the attached link for details on how the 6500 handles ACL's and when ACL processing is done in software as opposed to hardware.


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html


If you are logging exceptions you should also consider OAL (Optimised ACL logging) which is also covered in the attached link.


Jon

Actions

This Discussion