Best Way of Implementing ACL's on 6500

Answered Question

Hi, could someone please tell me the best (most efficient way) of implementing ACL's to filter IP by L3/L4 on the 6500 Platform.

Specifically we are using 6509/720-3b's and have a requirement to filter traffic upto Layer 4, logging exception entries to a syslog server for security purposes.

I have been reading on the relative merits of RACL/VACL/PACL. It sounds like VACL will do a job for me - but will there be any performance benefit over using standard RACL ??

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 8 years 7 months ago

ACL's are processed in hardware on the 6500 with exceptions (there are always exceptions). See the attached link for details on how the 6500 handles ACL's and when ACL processing is done in software as opposed to hardware.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html

If you are logging exceptions you should also consider OAL (Optimised ACL logging) which is also covered in the attached link.

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (3 ratings)
Loading.
bvsnarayana03 Mon, 04/21/2008 - 22:07

If u hv a standard acl that needs to be applied across multiple vlans on switch then VACL is a good option. It helps in easy management in terms of adding new entries & enabling or disabling acl on vlan. With vlan acl if u want to add an entry, u jst do it 1ce unlike editing separate acl's for each vlan when applied to physical interfaces.

Refer this link for further clarity:

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/vacl.html#wp1039754

Correct Answer
Jon Marshall Tue, 04/22/2008 - 00:41

ACL's are processed in hardware on the 6500 with exceptions (there are always exceptions). See the attached link for details on how the 6500 handles ACL's and when ACL processing is done in software as opposed to hardware.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html

If you are logging exceptions you should also consider OAL (Optimised ACL logging) which is also covered in the attached link.

Jon

Actions

This Discussion