Cisco Systems 7600 SERIES manual Determining Layer 4 Operation Usage, 23-3

Chapter 23 Configuring Network Security

Flows that require logging are processed in software without impacting nonlogged flow processing in hardware.

The forwarding rate for software-processed flows is substantially less than for hardware-processed flows.

When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.

Guidelines and Restrictions for Using Layer 4 Operators in ACLs

These sections describe guidelines and restrictions when configuring ACLs that include Layer 4 port operations:

Determining Layer 4 Operation Usage, page 23-3

Determining Logical Operation Unit Usage, page 23-4

Determining Layer 4 Operation Usage

You can specify these types of operations:

gt (greater than)

lt (less than)

neq (not equal)

eq (equal)

range (inclusive range)

We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.

Use the following two guidelines to determine Layer 4 operation usage:

Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are three different Layer 4 operations (“gt 10” and “gt 11” are considered two different Layer 4 operations):

... gt 10 permit

... lt 9 deny

... gt 11 deny

Note There is no limit to the use of “eq” operators, because the “eq” operator does not use a logical operation unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation Unit Usage” section on page 23-4 for a description of LOUs.

Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port.

... Src gt 10 ...

... Dst gt 10
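To make the two guidelines above concrete, the following is an added Python example (it is not Cisco code and not an IOS feature): it parses a constructed extended ACL, counts the distinct Layer 4 operations the way the text describes (operator plus operand; source and destination counted separately; “eq” treated as free because it uses no LOU or Layer 4 operation bit) and flags an ACL that exceeds the recommended nine. The function names, the sample ACL and the simplified ACE grammar (sequence number, permit/deny, protocol, source, optional port operator, destination, optional port operator) are assumptions made for this example.

```python
"""Count distinct Layer 4 port operations in an IOS extended ACL.

Added example, not Cisco code. Applies the two guidelines from the page:
  1. an operation is (operator, operand): "gt 10" and "gt 11" differ;
  2. the same operator/operand on a source port and on a destination port
     count as two different operations;
plus the note that "eq" consumes no LOU / Layer 4 operation bit.
"""

COUNTED_OPS = {"gt", "lt", "neq", "range"}   # "eq" is free (see the Note above)
ALL_OPS = COUNTED_OPS | {"eq"}
RECOMMENDED_MAX = 9                          # page: "not more than nine"

# Constructed sample ACL (assumption, not from the page).
SAMPLE_ACL = [
    "ip access-list extended L4-DEMO",
    " permit tcp any gt 10 any",
    " deny tcp any lt 9 any",
    " deny tcp any gt 11 any",
    " permit tcp any any gt 10",          # same gt 10, but on the destination port
    " permit tcp any any eq 80",          # eq: not counted
    " permit tcp any eq 443 any",         # eq: not counted
    " deny udp any range 1 1023 any",
    " permit tcp any gt 10 any log",      # duplicate of line 2: counted once
]


def _parse_address(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return i + 1
    return i + 2  # 'host <addr>' or '<addr> <wildcard>' both take two tokens


def _parse_port_op(tokens, i):
    """If a port operator follows, return ((op, operand), next_index), else (None, i)."""
    if i < len(tokens) and tokens[i] in ALL_OPS:
        op = tokens[i]
        if op == "range":                    # range takes two operands
            return (op, f"{tokens[i + 1]}-{tokens[i + 2]}"), i + 3
        return (op, tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Return (src_op, dst_op) for one extended ACE; each is (operator, operand) or None."""
    tokens = line.split()
    i = 0
    if tokens[i].isdigit():                  # optional sequence number
        i += 1
    i += 1                                   # permit / deny
    i += 1                                   # protocol (tcp, udp, ...)
    i = _parse_address(tokens, i)            # source address
    src_op, i = _parse_port_op(tokens, i)    # optional source port operator
    i = _parse_address(tokens, i)            # destination address
    dst_op, _ = _parse_port_op(tokens, i)    # optional destination port operator
    return src_op, dst_op


def layer4_operations(acl_lines):
    """Set of distinct Layer 4 operations as (direction, operator, operand) tuples."""
    ops = set()
    for raw in acl_lines:
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue                         # skip header / comment lines
        src_op, dst_op = parse_ace(line)
        if src_op and src_op[0] in COUNTED_OPS:
            ops.add(("src",) + src_op)       # guideline 2: direction is part of the key
        if dst_op and dst_op[0] in COUNTED_OPS:
            ops.add(("dst",) + dst_op)
    return ops


def check_acl(acl_lines):
    """Return (number of distinct Layer 4 operations, True if above the recommended nine)."""
    ops = layer4_operations(acl_lines)
    return len(ops), len(ops) > RECOMMENDED_MAX


if __name__ == "__main__":
    count, too_many = check_acl(SAMPLE_ACL)
    for op in sorted(layer4_operations(SAMPLE_ACL)):
        print(op)
    print(f"{count} distinct Layer 4 operations; over recommended limit: {too_many}")
```

Running it on the sample ACL reports five distinct operations (src gt 10, src lt 9, src gt 11, dst gt 10, src range 1-1023): the two “eq” entries are not counted, the repeated “gt 10” on the source port is counted once, and “gt 10” on the destination port is counted separately, exactly as the two guidelines state. The parser is deliberately minimal and does not handle every IOS ACE form (for example ICMP type keywords), so treat it as a review aid rather than a substitute for checking the configuration with the show commands the chapter describes.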

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04

23-3
