Cisco Systems 3130 Hardware and Software Treatment of IP ACLs, IPv4 ACL Configuration Examples

34-22

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter34 Configuring Network Security with ACLs

Configuring IPv4 ACLs

Hardware and Software Treatment of IP ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traf f ic flo ws to

the CPU for software processing. If the hardware reaches its ca pac ity to stor e ACL configurati ons,

packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is

substantially less than for hardware-forwarded traffic.

Note If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a

switch or stack member, then only the traff ic i n that VLAN arr iv ing on th at swi tch is af fected ( forwar ded

in software). Software forwarding of packets might adversely impact the p erfo rma nce of th e switc h or

switch stack, depending on the number of CPU cycles that this co nsumes.

For router ACLs, other factors can cause packets to be sent to the CPU:

•Using the log keyword

•Generating ICMP unreachable messages

When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be

done by software. Because of the difference in pack et handling c apacity be tween hardw are and sof tware,

if the sum of all flows being logged (both permitted flows and denied flows) is of great enough

bandwidth, not all of the packets that are forwarded can be logged.

If router ACL configuration cannot be applied in hardware, packets arriving i n a V LAN th at must be

routed are routed in software, but are bridged in hardware. If A CLs cau se lar ge numbers of packe ts to be

sent to the CPU, the switch performance can be negatively affected.

When you enter the show ip access-lists privileged EXEC command, the match count displayed does

not account for packets that are access controlled in hardware. Use the show access-lists hardware

counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and

routed packets.

Router ACLs function as follows:

•The hardware controls permit and deny actions of standard and extended ACLs (input and output)

for security access control.

•If log has not been specified, the flows that match a deny statement in a security ACL are dropped

by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched

in hardware.

•Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the

CPU for logging only. If the ACE is a permit statement, the packet is still switched and routed

in hardware.

IPv4 ACL Configuration Examples

This section provides examples of configuring and applying IPv4 ACLs. For detailed information about

compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and to th e Configuring

IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration

Guide, Release 12.2.

Figure 34-3 shows a small networked office environment with routed Port 2 connected to blade server A,

containing benefits and other information that all employees can access, and routed Port 1 connected to

blade server B, containing confidential payroll data. All users can access blade server A, but blade

serverB has restricted access.