Cisco Support Community
New Member

Best Way of Implementing ACL's on 6500

Hi, could someone please tell me the best (most efficient way) of implementing ACL's to filter IP by L3/L4 on the 6500 Platform.

Specifically, we are using 6509/720-3b's and have a requirement to filter traffic up to Layer 4, logging exception entries to a syslog server for security purposes.

I have been reading on the relative merits of RACL/VACL/PACL. It sounds like VACL will do a job for me - but will there be any performance benefit over using standard RACL?

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Best Way of Implementing ACL's on 6500

ACL's are processed in hardware on the 6500 with exceptions (there are always exceptions). See the attached link for details on how the 6500 handles ACL's and when ACL processing is done in software as opposed to hardware.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html

If you are logging exceptions you should also consider OAL (Optimised ACL logging) which is also covered in the attached link.

Jon

3 REPLIES

Re: Best Way of Implementing ACL's on 6500

If you have a standard ACL that needs to be applied across multiple VLANs on the switch then VACL is a good option. It helps in easy management in terms of adding new entries and enabling or disabling the ACL on a VLAN. With a VLAN ACL, if you want to add an entry, you just do it once, unlike editing separate ACLs for each VLAN when applied to physical interfaces.

Refer to this link for further clarity:

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/vacl.html#wp1039754
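A sketch of the arrangement the reply above describes, added here as an example and not taken from the thread or from the linked guide: one VLAN access map filtering up to Layer 4, attached to several VLANs with a single `vlan filter` line, with denied IP packets logged. All names, VLAN numbers and addresses (documentation ranges) are constructed for illustration.

```text
! Constructed example: ACL names, VLAN IDs and addresses are illustrative only.
!
! Permitted flows. A VACL is not directional: it is applied to every packet
! entering or bridged within the VLAN, so the return half of each flow needs
! its own entry.
ip access-list extended ALLOWED-FLOWS
 permit tcp any host 192.0.2.10 eq 443
 permit tcp host 192.0.2.10 eq 443 any
!
! Catch-all used to match the exceptions that should be dropped and logged.
ip access-list extended ALL-IP
 permit ip any any
!
! Sequence 10 forwards the permitted flows; sequence 20 drops and logs the rest.
vlan access-map FILTER-L4 10
 match ip address ALLOWED-FLOWS
 action forward
vlan access-map FILTER-L4 20
 match ip address ALL-IP
 action drop log
!
! One statement attaches the same map to every listed VLAN. Adding an entry to
! ALLOWED-FLOWS later takes effect on all three VLANs at once.
vlan filter FILTER-L4 vlan-list 10,20,30
!
! Bound the logging load: cap the flow table and rate-limit packets sent to the
! route processor for logging.
vlan access-log maxflow 500
vlan access-log ratelimit 2000
!
! Send the resulting messages to the syslog server.
logging 192.0.2.50
```

Removing the `vlan filter` line, or a VLAN from its list, disables the filter on those VLANs without touching the ACL entries themselves.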

New Member

Re: Best Way of Implementing ACL's on 6500

Thanks for the reply.

Do we know if VACL's offer any performance benefit compared to standard RACL's?

How are these actioned on the switch - in hardware or software?
