Chapter 23 Configuring Network Security

Flows that require logging are processed in software without impacting nonlogged flow processing in hardware.

The forwarding rate for software-processed flows is substantially less than for hardware-processed flows.

When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.

Guidelines and Restrictions for Using Layer 4 Operators in ACLs

These sections describe guidelines and restrictions when configuring ACLs that include Layer 4 port operations:

Determining Layer 4 Operation Usage, page 23-3

Determining Logical Operation Unit Usage, page 23-4

Determining Layer 4 Operation Usage

You can specify these types of operations:

gt (greater than)

lt (less than)

neq (not equal)

eq (equal)

range (inclusive range)

We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.

Use the following two guidelines to determine Layer 4 operation usage:

Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are three different Layer 4 operations (“gt 10” and “gt 11” are considered two different Layer 4 operations):

... gt 10 permit

... lt 9 deny

... gt 11 deny

Note There is no limit to the use of “eq” operators, because the “eq” operator does not use a logical operation unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation Unit Usage” section on page 23-4 for a description of LOUs.

Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies the operation to the source port and the other applies it to the destination port:

... Src gt 10 ...

... Dst gt 10
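The two counting rules above (operator and operand both identify an operation; the same operator/operand pair counts once more when it moves from source to destination port; “eq” never counts) can be applied mechanically before an ACL is deployed. The following script is an added example, not code from the Cisco guide, that parses a simplified subset of IOS extended-ACL syntax (permit|deny, protocol, an address written as “any”, “host A.B.C.D” or “A.B.C.D W.W.W.W”, with an optional port operator after each address) and reports how many distinct Layer 4 operations the ACL consumes against the nine-operation recommendation. The sample ACL inside it is constructed for the demonstration; port operands are compared as literal strings, so a named port and its number would count as different operations.

```python
"""Count distinct Layer 4 port operations in an extended IP ACL.

Added example (not Cisco documentation code).  It checks an ACL against the
guideline that no more than nine different Layer 4 operations should appear
in the same ACL, applying the counting rules from the text:

  * an operation is identified by operator AND operand ("gt 10" != "gt 11");
  * the same operator/operand pair counts separately for source and
    destination ports;
  * "eq" is never counted, because it uses no LOU or Layer 4 operation bit.

Assumption: ACEs use a simplified subset of IOS extended-ACL syntax,
  [seq] permit|deny <proto> <src> [op ports] <dst> [op ports] [...]
where an address is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W".
"""

MAX_RECOMMENDED_OPERATIONS = 9  # limit recommended by the guide

# operator keyword -> number of port operands it takes
_OPERATORS = {"gt": 1, "lt": 1, "neq": 1, "eq": 1, "range": 2}


def _skip_address(tokens, i):
    """Return the index just past the address that starts at tokens[i]."""
    if i >= len(tokens):
        return i
    if tokens[i] == "any":
        return i + 1
    # "host A.B.C.D" and "A.B.C.D W.W.W.W" both occupy two tokens
    return i + 2


def _read_port_op(tokens, i):
    """Return ((operator, operands), next_index), or (None, i) if no operator."""
    if i < len(tokens) and tokens[i] in _OPERATORS:
        n = _OPERATORS[tokens[i]]
        return (tokens[i], tuple(tokens[i + 1:i + 1 + n])), i + 1 + n
    return None, i


def parse_ace(line):
    """Parse one ACE into action, protocol and source/destination port operations.

    Returns None for remarks, the "ip access-list" header and other lines that
    are not permit/deny entries.
    """
    tokens = line.split()
    if tokens and tokens[0].isdigit():      # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto = tokens[0], tokens[1]
    i = _skip_address(tokens, 2)
    src_op, i = _read_port_op(tokens, i)
    i = _skip_address(tokens, i)
    dst_op, _ = _read_port_op(tokens, i)
    return {"action": action, "proto": proto, "src_op": src_op, "dst_op": dst_op}


def layer4_operations(acl_lines):
    """Set of distinct (side, operator, operands) triples that consume L4 resources."""
    ops = set()
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        for side, op in (("src", ace["src_op"]), ("dst", ace["dst_op"])):
            if op is None or op[0] == "eq":  # eq is free: no LOU / L4 operation bit
                continue
            ops.add((side, op[0], op[1]))
    return ops


def check_acl(acl_lines, limit=MAX_RECOMMENDED_OPERATIONS):
    """Report the distinct Layer 4 operations and whether they fit the limit."""
    ops = layer4_operations(acl_lines)
    return {"count": len(ops), "within_limit": len(ops) <= limit,
            "operations": sorted(ops)}


# Constructed sample ACL mirroring the guide's two examples (not a real config).
SAMPLE_ACL = [
    "ip access-list extended L4-DEMO",
    "remark gt 10, lt 9 and gt 11 on the source port are three operations",
    "10 permit tcp any gt 10 any",
    "20 deny tcp any lt 9 any",
    "30 deny tcp any gt 11 any",
    "remark the same operator/operand on the destination side counts again",
    "40 permit tcp any any gt 10",
    "remark eq never consumes a Layer 4 operation",
    "50 permit tcp any any eq 80",
    "60 permit tcp any any eq 443",
    "70 deny udp 10.0.0.0 0.255.255.255 range 1000 2000 host 192.0.2.1",
]

if __name__ == "__main__":
    report = check_acl(SAMPLE_ACL)
    status = "OK" if report["within_limit"] else "EXCEEDS RECOMMENDATION"
    print(f"{report['count']} distinct Layer 4 operations "
          f"(recommended maximum {MAX_RECOMMENDED_OPERATIONS}): {status}")
    for side, operator, operands in report["operations"]:
        print(f"  {side} {operator} {' '.join(operands)}")
```

Run against the sample, the script reports five operations: three different source-port operations, “gt 10” counted a second time on the destination port, and the “range” on line 70; the two “eq” entries add nothing. Feeding it an ACL with more than nine distinct operations flags the ACL for review before any ACE is silently expanded into several.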

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04

23-3