You can filter traffic by direction by combining VACLs with the Private VLAN feature.
VACLs are processed in hardware, so processing them carries no performance penalty; for this reason they are
also referred to as wire-speed ACLs. Because the VACL lookup is performed in hardware, the forwarding rate
remains unchanged regardless of the size of the access list.
VACL on a Bridged Port
Figure 4-2 illustrates where the VACL is processed when a VACL is applied on a bridged port, for traffic from
Host A in VLAN 5 that is communicating with Host B in VLAN 10 through the switch.
Figure 4-2. VACL on a Bridged Port
VACL on a Routed Port
Figure 4-3 illustrates how IOS ACL and VACL are applied on routed packets and Layer 3 switched packets.
Following is the order of processing:
1. VACL for input VLAN
2. Input IOS ACL
3. Output IOS ACL
4. VACL for output VLAN
Figure 4-3. VACL on a Routed Port
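The four-stage order above determines which filter actually drops a routed packet, which matters when troubleshooting a flow that an IOS ACL permits but that still never arrives. The following model is an added example, not code from the book or from the switch software; the addresses, the rule format, and the function names are assumptions made for illustration, and each stage is simplified to first-match rules with an implicit deny.

```python
from ipaddress import ip_address, ip_network

# Stage names follow the processing order listed above for a routed packet.
STAGES = (
    "VACL for input VLAN",
    "Input IOS ACL",
    "Output IOS ACL",
    "VACL for output VLAN",
)

def evaluate(rules, src, dst):
    """First-match evaluation; a packet matching no rule hits the implicit deny."""
    for action, src_net, dst_net in rules:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action
    return "deny"

def route_packet(policy, src, dst):
    """Walk the four stages in order.

    Returns ("forwarded", None) or ("dropped", <name of the stage that dropped it>).
    A stage with no entry in the policy has nothing applied and is skipped.
    """
    for stage in STAGES:
        rules = policy.get(stage)
        if rules is None:
            continue
        if evaluate(rules, src, dst) != "permit":
            return "dropped", stage
    return "forwarded", None

# Constructed sample policy: Host A 10.0.5.10 (VLAN 5) to Host B 10.0.10.20 (VLAN 10).
ANY = "0.0.0.0/0"
POLICY = {
    "VACL for input VLAN": [("permit", "10.0.5.0/24", ANY)],
    "Input IOS ACL": [("permit", ANY, ANY)],
    "Output IOS ACL": [("permit", ANY, ANY)],
    "VACL for output VLAN": [("deny", ANY, "10.0.10.20/32"), ("permit", ANY, ANY)],
}

if __name__ == "__main__":
    for src, dst in [("10.0.5.10", "10.0.10.20"), ("10.0.5.10", "10.0.10.21"), ("10.0.6.1", "10.0.10.21")]:
        print(src, "->", dst, route_packet(POLICY, src, dst))
```

Both IOS ACLs permit the first flow, yet it is dropped at the last stage, so a permit in a router ACL does not override a VACL on the output VLAN.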
Configuring VACL
Perform the following steps to configure and apply a VACL (VLAN access map) on the switch:
1. Define the standard or extended access list to be used in VACL.
2. Define a VLAN access map.
3. Configure a match clause in a VLAN access map sequence.