Administrator Guide

each ACL has a mapping with the VLAN and increased CAM space utilization occurs. Attaching an ACL
individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior to the
implementation of the ACL VLAN group functionality.
The ACL manager application on the router processor (RP1) holds all the state information about every ACL
VLAN group that is present. The ACL handler on the control processor (CP) and the ACL agent on the line cards do
not hold any stateful information about the groups. The ACL manager application performs validation
when you enter the acl-vlan-group command. If the command is valid, it is processed and, if required, sent to the
agent. If a configuration error is found, or if the maximum number of ACL VLAN groups on the system has been
exceeded, an appropriate error message is displayed. The ACL manager application
verifies the following parameters when you enter the acl-vlan-group command:
Whether the CAM profile is set in VFP
Whether the maximum number of groups in the system has been exceeded
Whether the maximum number of VLANs permitted per ACL group has been exceeded
Whether a VLAN member that is being added is already part of another ACL group
After these verification steps are performed, the ACL manager considers the command valid and sends the
information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the following
cases:
A VLAN member is added to or removed from a group, and previously associated VLANs exist in the group.
The egress ACL is applied to or removed from the group, and the group contains VLAN members.
VLAN members are added to or deleted from a VLAN that is itself a group member.
A line card returns to the active state after going down, and that line card contains a VLAN that is a
member of an ACL group.
The ACL VLAN group is deleted and it contains VLAN members.
The ACL manager does not notify the ACL agent in the following cases:
The ACL VLAN group is created.
The ACL VLAN group is deleted and it does not contain any VLAN members.
The ACL is applied to or removed from a group, and the group does not contain a VLAN member.
The description of the ACL group is added or removed.
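The validation checks and the agent-notification rules above, as an added model (not Dell's code); the group and per-group VLAN limits are assumed placeholders, and the real platform values are not given on this page.

```python
# Added model (not Dell's code) of the validation and agent-notification rules
# described above. The limits are assumed placeholders, not real platform values.
MAX_GROUPS = 2
MAX_VLANS_PER_GROUP = 3


class AclManager:
    """Tracks ACL VLAN group state (as the RP1 ACL manager does) and records
    which changes would be sent to the line-card ACL agent."""

    def __init__(self, cam_profile_set=True):
        self.cam_profile_set = cam_profile_set
        self.groups = {}         # name -> {"vlans": set(), "acl": None}
        self.sent_to_agent = []  # (event, group, detail) tuples

    def create_group(self, name):
        if not self.cam_profile_set:
            raise ValueError("CAM profile is not set in VFP")
        if name not in self.groups and len(self.groups) >= MAX_GROUPS:
            raise ValueError("maximum number of ACL VLAN groups exceeded")
        self.groups.setdefault(name, {"vlans": set(), "acl": None})
        # Creating a group (or editing its description) sends nothing to the agent.

    def add_vlan(self, name, vlan):
        g = self.groups[name]
        if len(g["vlans"]) >= MAX_VLANS_PER_GROUP:
            raise ValueError("maximum VLANs per ACL VLAN group exceeded")
        for other, og in self.groups.items():
            if other != name and vlan in og["vlans"]:
                raise ValueError(f"VLAN {vlan} already belongs to group {other}")
        had_members = bool(g["vlans"])
        g["vlans"].add(vlan)
        if had_members:  # page rule: notify only if the group already had VLANs
            self.sent_to_agent.append(("vlan-added", name, vlan))

    def apply_acl(self, name, acl):
        g = self.groups[name]
        g["acl"] = acl
        if g["vlans"]:   # sent only when the group has VLAN members
            self.sent_to_agent.append(("acl-applied", name, acl))

    def delete_group(self, name):
        g = self.groups.pop(name)
        if g["vlans"]:   # an empty group is deleted without notifying the agent
            self.sent_to_agent.append(("group-deleted", name, None))


def rejected(action, *args):
    """True if the ACL manager rejects the change with an error message."""
    try:
        action(*args)
    except ValueError:
        return True
    return False
```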
Guidelines for Configuring ACL VLAN Groups
Keep the following points in mind when you configure ACL VLAN groups:
The interfaces to which the ACL VLAN group is applied function as restricted interfaces. The ACL VLAN
group name identifies the group of VLANs that is used to perform hierarchical filtering.
You can add only one ACL to an interface at a time.
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) 120