
Chapter 23 Configuring Network Security

Configuring the Cisco IOS Firewall Feature Set

Determining Logical Operation Unit Usage

Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the exception of the range operator. LOU usage per Layer 4 operation is as follows:

gt uses 1/2 LOU

lt uses 1/2 LOU

neq uses 1/2 LOU

range uses 1 LOU

eq does not require a LOU

For example, this ACL would use a single LOU to store two different operator-operand couples:

... Src gt 10 ...

... Dst gt 10

A more detailed example follows:

ACL1

... (dst port) gt 10 permit

... (dst port) lt 9 deny

... (dst port) gt 11 deny

... (dst port) neq 6 permit

... (src port) neq 6 deny

... (dst port) gt 10 deny

ACL2

... (dst port) gt 20 deny

... (src port) lt 9 deny

... (src port) range 11 13 deny

... (dst port) neq 6 permit

The Layer 4 operations and LOU usage are as follows:

ACL1 Layer 4 operations: 5

ACL2 Layer 4 operations: 4

LOUs: 4

An explanation of the LOU usage follows:

LOU 1 stores “gt 10” and “lt 9”

LOU 2 stores “gt 11” and “neq 6”

LOU 3 stores “gt 20” (with space for one more)

LOU 4 stores “range 11 13” (range needs the entire LOU)
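The following Python script is an added illustration, not part of the Cisco manual. It models the accounting used in the example above: it counts distinct Layer 4 operations per ACL, packs operator-operand couples into LOUs (deduplicating couples across ACLs and across source and destination ports, as the worked example does), and checks the total against the 32-LOU limit. ACL1 and ACL2 are transcribed from the example; the function names and the greedy two-per-LOU packing are assumptions for the model, not Cisco's actual allocator.

```python
# LOU cost per Layer 4 operator, as listed on this page.
LOU_COST = {"gt": 0.5, "lt": 0.5, "neq": 0.5, "range": 1.0, "eq": 0.0}

# Constructed input: ACL1 and ACL2 from the example above, written as
# (port field, operator, operand) tuples.
ACL1 = [("dst", "gt", "10"), ("dst", "lt", "9"), ("dst", "gt", "11"),
        ("dst", "neq", "6"), ("src", "neq", "6"), ("dst", "gt", "10")]
ACL2 = [("dst", "gt", "20"), ("src", "lt", "9"),
        ("src", "range", "11 13"), ("dst", "neq", "6")]

def layer4_operations(acl):
    """Distinct Layer 4 operations in one ACL: a repeated ACE counts once,
    the same couple on src and dst counts twice (ACL1 above gives 5)."""
    return len({(field, op, operand) for field, op, operand in acl})

def lou_usage(acls):
    """Return (lou_count, lou_contents) for ACLs sharing the hardware.

    Couples are deduplicated across ACLs and across src/dst (assumed model
    matching the worked example). 'eq' consumes nothing, 'range' takes a
    whole LOU, and gt/lt/neq are packed two per LOU in first-seen order."""
    couples = []
    for acl in acls:
        for _field, op, operand in acl:
            if op not in LOU_COST:
                raise ValueError(f"unknown Layer 4 operator {op!r}")
            if LOU_COST[op] and (op, operand) not in couples:
                couples.append((op, operand))
    halves = [c for c in couples if LOU_COST[c[0]] == 0.5]
    fulls = [c for c in couples if LOU_COST[c[0]] == 1.0]
    lous = [halves[i:i + 2] for i in range(0, len(halves), 2)]
    lous += [[c] for c in fulls]
    return len(lous), lous

def fits_in_hardware(acls, max_lous=32):
    """True if the ACL set fits within the 32 LOUs stated on this page."""
    return lou_usage(acls)[0] <= max_lous

if __name__ == "__main__":
    for name, acl in (("ACL1", ACL1), ("ACL2", ACL2)):
        print(f"{name} Layer 4 operations: {layer4_operations(acl)}")
    count, contents = lou_usage([ACL1, ACL2])
    print(f"LOUs: {count}")
    for n, lou in enumerate(contents, 1):
        print(f"LOU {n} stores", " and ".join(" ".join(c) for c in lou))
```

Running the script reproduces the figures above: 5 and 4 Layer 4 operations, 4 LOUs, with "gt 20" left sharing a half-empty LOU.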

Configuring the Cisco IOS Firewall Feature Set

Note: Release 12.1(11b)E and later releases include firewall feature set images.

These sections describe configuring the Cisco IOS firewall feature set on the Cisco 7600 series routers:

Cisco IOS Firewall Feature Set Support Overview, page 23-5

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-4

78-14064-04
