Cisco multilayer switches support three types of ACLs:
Router access control lists (RACLs) – Supported in the ternary content addressable memory (TCAM) hardware on Cisco multilayer switches
Quality of service (QoS) access control lists – Supported in the TCAM hardware on Cisco multilayer switches
VLAN access control lists (VACLs) – Supported in software on Cisco multilayer switches
Catalyst switches support four ACL lookups per packet: input and output security ACL and input and output QoS ACL.
Catalyst switches use two methods of performing a merge: order-independent and order-dependent. With an order-independent merge, ACLs are transformed from a series of order-dependent actions into a set of order-independent masks and patterns. The resulting set of access control entries can be very large, and the merge is processor- and memory-intensive.
An order-dependent merge is a recent improvement on some Catalyst switches in which ACLs retain their order-dependent aspect. The computation is much faster and less processor-intensive.
RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions. ACL processing is an intrinsic part of the packet-forwarding process: ACL entries are programmed in hardware, and lookups occur in the pipeline whether ACLs are configured or not. With RACLs, access list statistics and logging are not supported.
VACLs (also called VLAN access maps in IOS software) apply to all traffic on the VLAN. They can filter traffic based on Ethertype and MAC address.
VACLs follow route-map conventions, where map sequences are checked in order. When a matching permit access control entry (ACE) is encountered, the switch takes the sequence's action. When a matching deny ACE is encountered, the switch moves on to the next ACL in the sequence or to the next sequence.
Three VACL actions are permitted:
Permit (with capture, Catalyst 6500 only)
Redirect (Catalyst 6500 only)
Deny (with logging, Catalyst 6500 only)
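The sequence-walk described above, as an added illustration that is not Cisco code or the book's own material: sequences are checked in ascending order, a matching permit ACE applies that sequence's action, and a matching deny ACE falls through to the next ACL or next sequence. The packet format, the ACE fields and the final "drop when nothing matches" default are assumptions made here for the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Ace:
    """One access control entry: permit or deny a source prefix (constructed sample fields)."""
    permit: bool
    src: str  # e.g. "192.0.2.0/24"

    def matches(self, pkt: dict) -> bool:
        return ip_address(pkt["src"]) in ip_network(self.src)


@dataclass
class Sequence:
    """One VLAN access-map sequence: its number, its action and the ACLs it matches on."""
    seq: int
    action: str  # "forward", "forward capture", "redirect", "drop" or "drop log"
    acls: list = field(default_factory=list)  # each ACL is a list of Ace


def acl_permits(acl: list, pkt: dict) -> bool:
    """First matching ACE decides: a permit ACE matches the clause, a deny ACE does not."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False  # no ACE matched: the clause does not match


def evaluate(access_map: list, pkt: dict) -> str:
    """Check sequences in order; the first sequence whose ACL permits the packet supplies the action."""
    for seq in sorted(access_map, key=lambda s: s.seq):
        for acl in seq.acls:
            if acl_permits(acl, pkt):
                return seq.action  # matching permit ACE: take this sequence's action
            # matching deny ACE (or no match): go on to the next ACL / next sequence
    return "drop"  # assumption: implicit drop when no sequence matches (not stated on the page)


# Constructed sample map: sequence 10 captures the 192.0.2.0/24 subnet except one host,
# sequence 20 drops-and-logs that host, sequence 30 forwards everything else.
VACL = [
    Sequence(10, "forward capture", [[Ace(False, "192.0.2.7/32"), Ace(True, "192.0.2.0/24")]]),
    Sequence(20, "drop log", [[Ace(True, "192.0.2.7/32")]]),
    Sequence(30, "forward", [[Ace(True, "0.0.0.0/0")]]),
]

if __name__ == "__main__":
    for src in ("192.0.2.9", "192.0.2.7", "198.51.100.1"):
        print(src, "->", evaluate(VACL, {"src": src}))
```

The host 192.0.2.7 hits the deny ACE in sequence 10 and therefore falls through to sequence 20, which is the behaviour to verify when a VACL does not drop or capture what you expected.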
The VACL capture option copies traffic to specified capture ports. VACL ACEs installed in hardware are merged with RACLs and other features.
Two features are supported only on the Catalyst 6500:
VACL capture – Forwarded packets are captured on capture ports. The capture option applies only to permit ACEs. The capture port can be an IDS monitor port or any Ethernet port. The capture port must be in an output VLAN for Layer 3-switched traffic.
VACL redirect – Matching packets are redirected to specified ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where the VACL is applied.