diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java index e93da41ccbe..737f9d398c9 100644 --- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java +++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java @@ -1709,6 +1709,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe return new Answer(cmd); } + protected void assignPublicIpAddress(Connection conn, String vmName, String privateIpAddress, String publicIpAddress, boolean add, boolean firstIP, boolean sourceNat, String vlanId, String vlanGateway, String vlanNetmask, String vifMacAddress, String guestIp, Integer networkRate, TrafficType trafficType, String name) throws InternalErrorException { 
@@ -1820,55 +1821,39 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe } } - protected void assignVPCPublicIpAddress(Connection conn, String vmName, String privateIpAddress, String publicIpAddress, boolean add, - String vlanId, String vlanGateway, String vlanNetmask, String vifMacAddress, String guestIp,TrafficType trafficType, String name) throws InternalErrorException { + protected void assignVPCPublicIpAddress(Connection conn, String vmName, String routerIp, IpAddressTO ip) throws Exception { try { VM router = getVM(conn, vmName); - - NicTO nic = new NicTO(); - nic.setMac(vifMacAddress); - nic.setType(trafficType); - if (vlanId == null) { - nic.setBroadcastType(BroadcastDomainType.Native); - } else { - nic.setBroadcastType(BroadcastDomainType.Vlan); - nic.setBroadcastUri(BroadcastDomainType.Vlan.toUri(vlanId)); - } - nic.setName(name); - Network network = getNetwork(conn, nic); - // Determine the correct VIF on DomR to associate/disassociate the - // IP address with - VIF correctVif = getCorrectVif(conn, router, network); - - + + VIF correctVif = getCorrectVif(conn, router, ip); if (correctVif == null) { throw new InternalErrorException("Failed to find DomR VIF to associate/disassociate IP with."); - } + } + + String args = "vpc_ipassoc.sh " + routerIp; - String args = "vpc_ipassoc.sh " + privateIpAddress; - - if (add) { + if (ip.isAdd()) { args += " -A "; } else { args += " -D "; } args += " -l "; - args += publicIpAddress; + args += ip.getPublicIp(); args += " -c "; args += "eth" + correctVif.getDevice(conn); args += " -g "; - args += vlanGateway; + args += ip.getVlanGateway(); args += " -m "; - args += Long.toString(NetUtils.getCidrSize(vlanNetmask)); + args += Long.toString(NetUtils.getCidrSize(ip.getVlanNetmask())); args += " -n "; - args += NetUtils.getSubNet(publicIpAddress, vlanNetmask); + args += NetUtils.getSubNet(ip.getPublicIp(), ip.getVlanNetmask()); String result = callHostPlugin(conn, "vmops", "routerProxy", 
"args", args); if (result == null || result.isEmpty()) { @@ -1877,7 +1862,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe } catch (Exception e) { String msg = "Unable to assign public IP address due to " + e.toString(); s_logger.warn(msg, e); - throw new InternalErrorException(msg); + throw new Exception(msg); } } @@ -3701,6 +3686,41 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe return null; } + + protected VIF getCorrectVif(Connection conn, VM router, IpAddressTO ip) throws XmlRpcException, XenAPIException { + NicTO nic = new NicTO(); + nic.setType(ip.getTrafficType()); + nic.setName(ip.getNetworkName()); + if (ip.getVlanId() == null) { + nic.setBroadcastType(BroadcastDomainType.Native); + } else { + nic.setBroadcastType(BroadcastDomainType.Vlan); + nic.setBroadcastUri(BroadcastDomainType.Vlan.toUri(ip.getVlanId())); + } + Network network = getNetwork(conn, nic); + // Determine the correct VIF on DomR to associate/disassociate the + // IP address with + Set routerVIFs = router.getVIFs(conn); + for (VIF vif : routerVIFs) { + Network vifNetwork = vif.getNetwork(conn); + if (vifNetwork.getUuid(conn).equals(network.getUuid(conn))) { + return vif; + } + } + return null; + } + + protected VIF getVifByMac(Connection conn, VM router, String mac) throws XmlRpcException, XenAPIException { + Set routerVIFs = router.getVIFs(conn); + mac = mac.trim(); + for (VIF vif : routerVIFs) { + String lmac = vif.getMAC(conn); + if (lmac.trim().equals(mac)) { + return vif; + } + } + return null; + } protected String getLowestAvailableVIFDeviceNum(Connection conn, VM vm) { try { 
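Review bot: The `args` string passed to `callHostPlugin(conn, "vmops", "routerProxy", "args", args)` in assignVPCPublicIpAddress is concatenated from `routerIp`, `ip.getPublicIp()` and `ip.getVlanGateway()` with no format check. A field holding whitespace or an option-like token would change what vpc_ipassoc.sh is asked to do on the router. The hunk does not show where the `IpAddressTO` values originate, so validate them here before building the command, for example `if (!NetUtils.isValidIp(ip.getPublicIp()) || !NetUtils.isValidIp(ip.getVlanGateway())) { throw new InternalErrorException("Invalid address in IpAddressTO"); }` (assuming `NetUtils.isValidIp` is available in this tree). The method also traded ten explicit parameters for one object without a Javadoc; a short comment listing which `IpAddressTO` fields are read would help callers. The end of the method lies in the following hunk.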
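Review bot: `throw new Exception(msg)` in the catch block replaces a specific exception type with the root `Exception` and still drops the original cause, so callers cannot tell a routing failure from a programming error and the stack trace of `e` survives only in the log. Chaining the cause with `throw new Exception(msg, e);`, or keeping `InternalErrorException` as the declared type, would preserve that information. This catch also re-wraps the `InternalErrorException` raised earlier in the same try for a missing VIF, so that message reaches the caller only as part of `e.toString()`. The try block begins outside this hunk.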
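Review bot: `getVifByMac` calls `mac.trim()` without a null check and compares with a case-sensitive `equals`. A NIC with no MAC therefore throws a NullPointerException, and a MAC that differs only in letter case from what `vif.getMAC(conn)` reports yields `null`. Consider `if (mac == null) { return null; }` at the top and `if (lmac != null && lmac.trim().equalsIgnoreCase(mac))` in the loop. Both new helpers return `null` when nothing matches, so a one-line Javadoc saying so would remind callers to check the result. In `getCorrectVif`, `network.getUuid(conn)` is re-read on every iteration and could be fetched once before the loop.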
@@ -7221,13 +7241,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe IpAddressTO[] ips = cmd.getIpAddresses(); for (IpAddressTO ip : ips) { - assignVPCPublicIpAddress(conn, routerName, routerIp, ip.getPublicIp(), ip.isAdd(), ip.getVlanId(), - ip.getVlanGateway(), ip.getVlanNetmask(), ip.getVifMacAddress(), ip.getGuestIp(), ip.getTrafficType(), ip.getNetworkName()); + assignVPCPublicIpAddress(conn, routerName, routerIp, ip); results[i++] = ip.getPublicIp() + " - success"; } - } catch (InternalErrorException e) { - s_logger.error( - "Ip Assoc failure on applying one ip due to exception: ", e); + } catch (Exception e) { + s_logger.error("Ip Assoc failure on applying one ip due to exception: ", e); results[i++] = IpAssocAnswer.errorResult; } @@ -7243,21 +7261,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe try { VM router = getVM(conn, routerName); - NicTO nic = new NicTO(); - nic.setMac(pubIp.getVifMacAddress()); - nic.setType(pubIp.getTrafficType()); - String vlanId = pubIp.getVlanId(); - if (vlanId == null) { - nic.setBroadcastType(BroadcastDomainType.Native); - } else { - nic.setBroadcastType(BroadcastDomainType.Vlan); - nic.setBroadcastUri(BroadcastDomainType.Vlan.toUri(vlanId)); - } - nic.setName(pubIp.getNetworkName()); - Network network = getNetwork(conn, nic); - // Determine the correct VIF on DomR to SNAT the - // IP address with - VIF correctVif = getCorrectVif(conn, router, network); + VIF correctVif = getCorrectVif(conn, router, pubIp); String args = "vpc_snat.sh " + routerIp; 
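Review bot: In the second hunk on this line, the result of `getCorrectVif(conn, router, pubIp)` is not checked for `null` before the `vpc_snat.sh` arguments are built. The helper returns `null` when no VIF of the router sits on the resolved network. assignVPCPublicIpAddress guards the same call with `if (correctVif == null) { throw new InternalErrorException("Failed to find DomR VIF to associate/disassociate IP with."); }`; an equivalent guard here would give a clear error rather than a NullPointerException, assuming the lines below the hunk dereference `correctVif`. The rest of the method is outside this hunk.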
@@ -7284,37 +7288,42 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe String[] results = new String[cmd.getRules().length]; String callResult; Connection conn = getConnection(); + String routerName = cmd.getAccessDetail(NetworkElementCommand.ROUTER_NAME); String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP); - - if (routerIp == null) { - return new SetNetworkACLAnswer(cmd, false, results); - } - - String [][] rules = cmd.generateFwRules(); - StringBuilder sb = new StringBuilder(); - String[] aclRules = rules[0]; - if (aclRules.length == 0) { - return new SetNetworkACLAnswer(cmd, true, results); - } - - for (int i = 0; i < aclRules.length; i++) { - sb.append(aclRules[i]).append(','); - } - - String args = "vpc_acl.sh " + routerIp; - args += routerIp + " -F "; - args += " -a " + sb.toString(); - - callResult = callHostPlugin(conn, "vmops", "routerProxy", "args", args); - - if (callResult == null || callResult.isEmpty()) { - //FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be false if single rule fails - for (int i=0; i < results.length; i++) { - results[i] = "Failed"; + try { + VM router = getVM(conn, routerName); + String [][] rules = cmd.generateFwRules(); + StringBuilder sb = new StringBuilder(); + String[] aclRules = rules[0]; + if (aclRules.length == 0) { + return new SetNetworkACLAnswer(cmd, true, results); } + + for (int i = 0; i < aclRules.length; i++) { + sb.append(aclRules[i]).append(','); + } + + NicTO nic = cmd.getNic(); + VIF vif = getVifByMac(conn, router, nic.getMac()); + String args = "vpc_acl.sh " + routerIp; + args += " -d " + "eth" + vif.getDevice(conn); + args += " -i " + nic.getIp(); + args += " -m " + Long.toString(NetUtils.getCidrSize(nic.getNetmask())); + args += " -a " + sb.toString(); + callResult = callHostPlugin(conn, "vmops", "routerProxy", "args", args); + if (callResult == null || callResult.isEmpty()) { + //FIXME - in the future we 
have to process each rule separately; now we temporarily set every rule to be false if single rule fails + for (int i=0; i < results.length; i++) { + results[i] = "Failed"; + } + return new SetNetworkACLAnswer(cmd, false, results); + } + return new SetNetworkACLAnswer(cmd, true, results); + } catch (Exception e) { + String msg = "SetNetworkACLC failed due to " + e.toString(); + s_logger.error(msg, e); return new SetNetworkACLAnswer(cmd, false, results); } - return new SetNetworkACLAnswer(cmd, true, results); } protected SetPortForwardingRulesAnswer execute(SetPortForwardingRulesVpcCommand cmd) { diff --git a/core/src/com/cloud/hypervisor/xen/resource/XenServer56Resource.java b/core/src/com/cloud/hypervisor/xen/resource/XenServer56Resource.java index d76b5bc0b9e..e16e1083118 100644 --- a/core/src/com/cloud/hypervisor/xen/resource/XenServer56Resource.java +++ b/core/src/com/cloud/hypervisor/xen/resource/XenServer56Resource.java @@ -161,10 +161,10 @@ public class XenServer56Resource extends CitrixResourceBase { } protected NetworkUsageAnswer execute(NetworkUsageCommand cmd) { + // disable it for VPC + return new NetworkUsageAnswer(cmd, "seccess", 0L, 0L); + /* try { - if ( cmd.isForVpc() ) { - return new NetworkUsageAnswer(cmd, "seccess", 0L, 0L); - } Connection conn = getConnection(); if(cmd.getOption()!=null && cmd.getOption().equals("create") ){ String result = networkUsage(conn, cmd.getPrivateIP(), "create", null); @@ -178,6 +178,7 @@ public class XenServer56Resource extends CitrixResourceBase { s_logger.warn("Failed to get network usage stats due to ", ex); return new NetworkUsageAnswer(cmd, ex); } + */ } @Override diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh index 1ded5e37454..a57ed3da161 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh 
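Review bot: The `routerIp == null` early return was removed from the SetNetworkACL handler and nothing replaces it, so a command without ROUTER_IP now builds the string `"vpc_acl.sh null ..."`. `cmd.getNic()` and the `getVifByMac` result are also dereferenced unchecked, so a miss surfaces only as a NullPointerException in the generic catch. Because this method applies network ACLs, a failed application should be explicit: restore `if (routerIp == null) { return new SetNetworkACLAnswer(cmd, false, results); }` and add `if (vif == null) { throw new InternalErrorException("Failed to find DomR VIF for the ACL nic"); }` after the lookup. In the catch path `results` is returned with every entry unset, unlike the empty-`callResult` path that fills in "Failed". The method's opening lines are outside the hunk.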
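Review bot: The unconditional `return new NetworkUsageAnswer(cmd, "seccess", 0L, 0L);` at the top of `execute(NetworkUsageCommand)` in XenServer56Resource reports zero bytes for every router, not only VPC ones as the comment `// disable it for VPC` says. The `cmd.isForVpc()` condition was removed and the whole original body is block-commented, with the closing `*/` in the next hunk. Any consumer of `NetworkUsageAnswer` would then read zero usage with no indication that collection is off. Keep the guard, `if (cmd.isForVpc()) { return new NetworkUsageAnswer(cmd, "seccess", 0L, 0L); }`, and leave the original body live. If the blanket disable is intentional, delete the dead code and state that in the comment.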
@@ -124,22 +124,25 @@ acl_entry_for_guest_network() { } -shift dflag=0 gflag=0 aflag=0 rules="" rules_list="" -gcidr="" ip="" dev="" -while getopts 'd:g:a:' OPTION +while getopts 'd:i:m:a:' OPTION do case $OPTION in d) dflag=1 - dev="$OPTAGR" - g) gflag=1 - gcidr="$OPTAGR" + dev="$OPTARG" + ;; + i) iflag=1 + ip="$OPTARG" + ;; + m) mflag=1 + mask="$OPTARG" + ;; a) aflag=1 rules="$OPTARG" ;; @@ -149,13 +152,14 @@ do esac done -if [ "$dflag$gflag$aflag" != "!11" ] +if [ "$dflag$iflag$mflag$aflag" != "1111" ] then - usage() + usage + unlock_exit 2 $lock $locked fi - -if [ -n "$rules" == "" ] +gcidr="$ip/$mask" +if [ -n "$rules" ] then rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ") fi @@ -167,7 +171,6 @@ fi # example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 success=0 -ip=$(echo $gcidr | awk -F'/' '{print $1}') acl_chain_for_guest_network
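Review bot: `iflag`, `mflag` and `mask` are never initialised, while `dflag`, `gflag` and `aflag` still are. The later `"$dflag$iflag$mflag$aflag" != "1111"` test therefore depends on whatever those names hold in the inherited environment. Initialise them next to the others, `iflag=0`, `mflag=0`, `mask=""`, and drop the now-unused `gflag=0`. The top-level `shift` was also removed, presumably to match the Java caller no longer passing a second router address, which is worth confirming against routerProxy.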
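Review bot: In the second vpc_acl.sh hunk, `gcidr="$ip/$mask"` is built from the raw `-i` and `-m` option values with no format check; the usage test only proves the options were present. A non-numeric mask or a malformed address would flow into whatever rules the script derives from `gcidr` below the hunk. A cheap guard before the assignment is `case "$mask" in ''|*[!0-9]*) usage; unlock_exit 2 $lock $locked ;; esac`, with a similar pattern check for `$ip`. The new `unlock_exit 2 $lock $locked` call also relies on `$lock` and `$locked` already being set at this point, which the hunk does not show.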