Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-03, page 19-5
Chapter 19 Configuring Network Security with ACLs
Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.
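The walk-through above is easier to follow with a small model of how an IOS access list evaluates each fragment of a packet. The following Python is an added example, not code from the Cisco guide: the four-entry ACL is constructed to reproduce the behaviour the text describes (the guide's own ACL is not on this page, so the first ACE and the exact form of the fourth are assumptions), and the rule for non-initial fragments (a deny ACE that needs Layer 4 information is skipped, a permit ACE that needs it matches on Layer 3 alone) is Cisco's documented fragment handling, of which the text shows the deny case.

```python
# Added example, not from the Cisco guide: model how an IOS ACL evaluates
# the fragments of one TCP packet. ACL entries are constructed to mirror
# the behaviour the text describes; they are not the guide's ACL.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ACE:
    action: str               # "permit" or "deny"
    dst_host: Optional[str]   # None means "any"
    dst_port: Optional[int]   # Layer 4 criterion; None means Layer 3 only

    def checks_l4(self) -> bool:
        return self.dst_port is not None

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    dst_port: Optional[int]   # only the first fragment carries the TCP header

def evaluate(acl: List[ACE], frag: Fragment) -> Tuple[str, int]:
    """Return (action, 1-based index of the ACE that decided the fragment)."""
    for i, ace in enumerate(acl, 1):
        if ace.dst_host not in (None, frag.dst):
            continue                      # Layer 3 criterion does not match
        if ace.checks_l4():
            if frag.dst_port is None:
                # Non-initial fragment: no Layer 4 header to compare.
                # Cisco rule: a deny ACE needing Layer 4 info is skipped,
                # a permit ACE needing Layer 4 info matches on Layer 3 alone.
                if ace.action == "deny":
                    continue
                return ace.action, i
            if frag.dst_port != ace.dst_port:
                continue
        return ace.action, i
    return "deny", len(acl) + 1           # implicit deny at the end of every ACL

def fragment(src: str, dst: str, dst_port: int, count: int) -> List[Fragment]:
    """Split a TCP packet into `count` fragments; only the first carries L4 info."""
    return [Fragment(src, dst, dst_port if k == 0 else None) for k in range(count)]

def classify_packet(acl: List[ACE], frags: List[Fragment]):
    """Per-fragment verdicts, whether the host can reassemble, and how many
    permitted fragments still reach it (the bandwidth/resource cost)."""
    verdicts = [evaluate(acl, f) for f in frags]
    reassemblable = all(a == "permit" for a, _ in verdicts)
    permitted = sum(1 for a, _ in verdicts if a == "permit")
    return verdicts, reassemblable, permitted

# Constructed ACL, ordered as the text numbers the ACEs.
ACL = [
    ACE("permit", "10.1.1.1", 25),    # assumed first ACE: permit SMTP to another host
    ACE("deny",   "10.1.1.2", 23),    # second ACE: deny Telnet to 10.1.1.2
    ACE("permit", "10.1.1.2", None),  # third ACE: permit other traffic to 10.1.1.2
    ACE("deny",   None,       None),  # fourth ACE: deny, no Layer 4 check (assumed form)
]

# Packets B and C from the text, each split into three fragments (count is constructed).
PACKET_B = fragment("10.2.2.2", "10.1.1.2", 23, 3)
PACKET_C = fragment("10.2.2.2", "10.1.1.3", 21, 3)

if __name__ == "__main__":
    for name, pkt in (("B", PACKET_B), ("C", PACKET_C)):
        verdicts, ok, n = classify_packet(ACL, pkt)
        state = "reassemblable" if ok else "effectively denied"
        print(f"packet {name}: {verdicts} -> {state}, {n} fragment(s) reach the host")
```

Running it shows the point the text makes: packet B's first fragment is denied by ACE 2 while its two later fragments are permitted by ACE 3, so the host never reassembles it but still receives two fragments; packet C's fragments are all caught by the Layer-3-only ACE 4 and nothing reaches 10.1.1.3.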
Configuring Router ACLs
Configuring router ACLs on Layer 3 switch-routed VLAN interfaces is the same as configuring ACLs on other Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the Configuring IP Services chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. For a list of IOS features not supported on the Catalyst 3550 switch, see the Unsupported Features section on page 19-6.
Caution: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group; these access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message. To drop access-group denied packets in hardware, you must disable ICMP unreachables by using the no ip unreachables interface configuration command. Note that the ip unreachables command is enabled by default.
This section includes the following information:
Hardware and Software Handling of Router ACLs, page 19-5
Unsupported Features, page 19-6
Creating Standard and Extended IP ACLs, page 19-6
Applying the ACL to an Interface or Terminal Line, page 19-18
Displaying ACLs and Access Groups, page 19-20
ACL Configuration Examples, page 19-22

Hardware and Software Handling of Router ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic. When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done by software. Because of the difference in packet handling capacity between hardware and software, if the sum of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged.