Chapter 15 Configuring Access Control
Using VACLs with Cisco IOS ACLs
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), page 15-21

 6 deny ip any 0.0.0.255 255.255.255.0
 7 permit tcp any range 0 65534 any range 0 65534
 8 permit udp any range 0 65534 any range 0 65534
 9 permit icmp any any
10 permit ip any any
******** Cisco IOS ACL **********
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE **********
has 329 entries

Example 4

This example shows that the VACL does not follow the recommended guidelines (three different actions are specified), and the resultant merge significantly increases the number of ACEs:

******** VACL **********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 deny tcp any any lt 30
4 deny udp any any lt 30
5 permit ip any any
******** Cisco IOS ACL **********
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE **********
has 142 entries

Example 5

This example shows that if you modify the VACL in Example 4 and specify only two different actions, the merge results are significantly improved:

******** VACL **********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 permit ip any any
******** Cisco IOS ACL **********
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE **********
has 4 entries

Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases

For supervisor engine software release 7.1(1) and later releases, the following formula is true: The size of ACL C = (size of ACL A) x (size of ACL B) x (2).

Note: In software releases prior to release 7.1(1), the formula is used as a guideline, but the number of entries could go beyond the predicted range. In software release 7.1(1) and later releases, with the new ACL merge algorithm, the formula is accurate for all cases. If Layer 4 port information is specified, the upper limit could be higher even with the new algorithm. See the "Layer 4 Operations Configuration Guidelines" section on page 15-23 for detailed information.

Two ACL-merge algorithms are available — the binary decision diagram (BDD) and the order dependent merge (ODM). ODM is the enhanced algorithm that was introduced in software release 7.1(1). The BDD algorithm was used in releases prior to software release 7.1(1). See the "Specifying the ACL-Merge Algorithm" section on page 15-47 for detailed software configuration information.