I have a need to block access to a few specific devices on a VLAN within my Data Center ServerFarm. I am going to create an access-list and apply it to the gateway interface for that VLAN (the VLAN interface), which resides on the ServerFarm Distribution switches. Note: the ServerFarm Distribution switches consist of (2) 6509 switches.
The question that I have is this. Do I need to turn off CEF and fast switching for this VLAN interface so that all packets are forced to the processor? If not, traffic will be express forwarded by a table instead of processed.
Does this sound right?
Thanks in advance for your help,
"So if I understand this correctly, the ip unreachables is strictly to permit ICMP unreachable traffic to be returned. Is that right?"
Yes, and if you disable "ip unreachables" on the VLAN interface then all your denies will be performed in hardware.
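As an added illustration of the reply above (constructed here, not posted by either participant), an IOS-style configuration that applies the ACL on the VLAN SVI and disables unreachables; the ACL name, VLAN number and addresses are assumptions:

```cisco
! Constructed example: block access to two hosts in VLAN 100 at its gateway SVI.
! ACL name, VLAN number and addresses are placeholders, not from the thread.
ip access-list extended BLOCK-SERVERFARM-HOSTS
 remark Deny traffic routed toward the specific devices, allow everything else
 deny   ip any host 10.10.100.21
 deny   ip any host 10.10.100.22
 permit ip any any
!
interface Vlan100
 description ServerFarm VLAN gateway (distribution 6509)
 ip address 10.10.100.1 255.255.255.0
 ! "out" catches packets the switch routes INTO the VLAN toward the hosts;
 ! use "in" instead if the goal is to filter what those hosts send outward.
 ip access-group BLOCK-SERVERFARM-HOSTS out
 ! Without this, each denied packet is punted to the route processor so it can
 ! generate an ICMP unreachable; with it, the denies stay in hardware and CEF
 ! does not need to be disabled.
 no ip unreachables
!
! Verify from exec mode that the deny counters increment as expected:
show ip access-lists BLOCK-SERVERFARM-HOSTS
```

Leave the `log` keyword off the deny entries: logged ACEs are processed in software on this platform, which reintroduces the processor load the reply is avoiding.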