Chapter 23 Configuring Network Security

Hardware and Software ACL Support

With the ip unreachables command enabled (which is the default), a Supervisor Engine 2 drops most of the denied packets in hardware and sends only a small number of packets (10 packets per second, maximum) to the MSFC2 to be dropped, which generates ICMP-unreachable messages.

With the ip unreachables command enabled, a Supervisor Engine 1 sends all the denied packets to the MSFC to be dropped, which generates ICMP-unreachable messages. With a Supervisor Engine 1, to drop access list-denied packets in hardware, you must disable ICMP-unreachable messages using the no ip unreachables interface configuration command.

To eliminate the load imposed on the MSFC CPU by the task of dropping denied packets and generating ICMP-unreachable messages, do the following:

With Supervisor Engine 1, enter the no ip unreachables interface configuration command.

With Supervisor Engine 2, enter the no ip unreachables and the no ip redirects interface configuration commands. (CSCdr33918)

ICMP unreachable messages are not sent if a packet is denied by a VACL.
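As an added example (not from the configuration guide or Cisco tooling), the following Python script audits a running-config for interfaces that have an ACL applied but lack the interface commands listed above, so their denied packets would still be punted to the MSFC; the supervisor type ("sup1" or "sup2") is a parameter and the sample config is constructed.

```python
# Audit an IOS running-config for interfaces whose ACL-denied packets would be
# punted to the MSFC instead of dropped in hardware (added example, not Cisco tooling).
import re

# From the text above: Sup1 needs "no ip unreachables"; Sup2 also needs "no ip redirects".
REQUIRED = {
    "sup1": ("no ip unreachables",),
    "sup2": ("no ip unreachables", "no ip redirects"),
}
# Constructed sample config: Vlan10 is fixed for Sup1 only, Vlan20 has an ACL
# but neither command, Vlan30 has no ACL at all.
SAMPLE_CONFIG = """\
interface Vlan10
 ip access-group 101 in
 no ip unreachables
!
interface Vlan20
 ip access-group 102 in
!
interface Vlan30
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each interface name to its whitespace-normalised sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # '!' (or a blank) closes the block
            current = None
        elif not line.startswith(" "):          # a new top-level command
            m = re.match(r"interface\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current:                           # indented sub-command of open block
            interfaces[current].append(" ".join(line.split()))
    return interfaces

def punted_acl_interfaces(config: str, supervisor: str) -> dict[str, list[str]]:
    """Interfaces with an ACL but missing the supervisor's hardware-drop commands."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("ip access-group ") for c in cmds):
            continue                            # no ACL, nothing denied to punt
        missing = [req for req in REQUIRED[supervisor] if req not in cmds]
        if missing:
            findings[name] = missing
    return findings
```

Run it against `show running-config` output saved to a file; any interface it reports is one where ACL denies still cost MSFC CPU.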

Hardware and Software ACL Support

Access control lists (ACLs) can be processed in hardware by the Policy Feature Card (PFC or PFC2), the Distributed Forwarding Card (DFC), or in software by the Multilayer Switch Feature Card (MSFC or MSFC2). The following behavior describes software and hardware handling of ACLs:

ACL flows that match a “deny” statement in standard and extended ACLs (input and output) are dropped in hardware if “ip unreachables” is disabled.

ACL flows that match a “permit” statement in standard and extended ACLs (input and output) are processed in hardware.

VLAN ACL (VACL) flows are processed in hardware. If a field specified in a VACL is not supported by hardware processing, either that field is ignored (for example, the log keyword in an ACL) or the whole configuration is rejected (for example, a VACL containing unsupported IPX ACL parameters).

VACL logging is processed in software.

Dynamic ACL flows are processed in the hardware; however, idle timeout is processed in software.

IP accounting for an ACL access violation on a given port is supported by forwarding all denied packets for that port to the MSFC for software processing without impacting other flows.

Extended name-based MAC address ACLs are supported in hardware.

The following ACL types are processed in software:

Standard XNS access list

Extended XNS access list

DECnet access list

Internetwork Packet Exchange (IPX) access lists

Extended MAC address access list

Protocol type-code access list

Note: IP packets with a header length of less than five (that is, a malformed IP header shorter than the minimum of five 32-bit words) will not be access controlled.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-2

78-14064-04