Cisco Systems 7600 SERIES manual Hardware and Software ACL Support, 23-2


Chapter 23 Configuring Network Security


With the ip unreachables command enabled (which is the default), a Supervisor Engine 2 drops most of the denied packets in hardware and sends only a small number of packets to the MSFC2 to be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages.

With the ip unreachables command enabled, a Supervisor Engine 1 sends all the denied packets to the MSFC to be dropped, which generates ICMP-unreachable messages. With a Supervisor Engine 1, to drop access-list-denied packets in hardware, you must disable ICMP-unreachable messages using the no ip unreachables interface configuration command.

To eliminate the load imposed on the MSFC CPU by the task of dropping denied packets and generating ICMP-unreachable messages, do the following:

With Supervisor Engine 1, enter the no ip unreachables interface configuration command.

With Supervisor Engine 2, enter the no ip unreachables and the no ip redirects interface configuration commands. (CSCdr33918)
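An added example, not part of the Cisco guide: a small audit script that reads an IOS running-config and reports interfaces that apply an ACL but still lack the commands above, so denied packets would be punted to the MSFC for software drops. The sample configuration is constructed here; the supervisor parameter selects which commands the guide requires (Supervisor Engine 1: no ip unreachables; Supervisor Engine 2: no ip unreachables and no ip redirects).

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the manual).
SAMPLE_CONFIG = """\
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip access-group 102 in
 no ip redirects
 no ip unreachables
!
interface GigabitEthernet1/1
 ip access-group 103 out
 no ip unreachables
!
interface Vlan99
 ip address 10.1.99.1 255.255.255.0
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [its config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the interface block
    return interfaces

def audit_acl_interfaces(config: str, supervisor: int = 2) -> List[str]:
    """Report interfaces with an ACL applied that are missing the commands the
    guide requires to keep denied-packet drops off the MSFC CPU."""
    required = {"no ip unreachables"}
    if supervisor == 2:
        required.add("no ip redirects")
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(re.match(r"ip access-group \S+ (in|out)$", l) for l in lines):
            continue  # no ACL on this interface, nothing to punt
        missing = sorted(required - set(lines))
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
    return findings
```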

ICMP unreachable messages are not sent if a packet is denied by a VACL.

Hardware and Software ACL Support

Access control lists (ACLs) can be processed in hardware by the Policy Feature Card (PFC or PFC2), the Distributed Forwarding Card (DFC), or in software by the Multilayer Switch Feature Card (MSFC or MSFC2). The following behavior describes software and hardware handling of ACLs:

ACL flows that match a “deny” statement in standard and extended ACLs (input and output) are dropped in hardware if “ip unreachables” is disabled.

ACL flows that match a “permit” statement in standard and extended ACLs (input and output) are processed in hardware.

VLAN ACL (VACL) flows are processed in hardware. If a field specified in a VACL is not supported by hardware processing, that field is ignored (for example, the log keyword in an ACL) or the whole configuration is rejected (for example, a VACL containing unsupported IPX ACL parameters).

VACL logging is processed in software.

Dynamic ACL flows are processed in the hardware; however, idle timeout is processed in software.

IP accounting for an ACL access violation on a given port is supported by forwarding all denied packets for that port to the MSFC for software processing without impacting other flows.

Extended name-based MAC address ACLs are supported in hardware.

The following ACL types are processed in software:

Standard XNS access list

Extended XNS access list

DECnet access list

Internetwork Packet Exchange (IPX) access lists

Extended MAC address access list

Protocol type-code access list

Note: IP packets with a header length of less than five will not be access controlled.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-2

78-14064-04
