23-3
Cisco7600 Series Router Cisco IOS Software Configuration Guide—12.1E
78-14064-04
Chapter23 Configuring Network Security
Guidelines and Restrictions for Using Layer 4 Operators in ACLs
•Flows that require logging are processed in software without impacting nonlogged flow processing
in hardware.
•The forwarding rate for software-processed flows is substantially less than for hardware-processed
flows.
•When you enter the show ip access-list command, the match count displayed does not include
packets processed in hardware.
Guidelines and Restrictions for Using Layer 4 Operators in ACLsThese sections describe guidelines and restrictions when configuring ACLs that include Layer4 port
operations:
•Determining Layer 4 Operation Usage, page 23-3
•Determining Logical Operation Unit Usage, page 23-4
Determining Layer 4 Operation Usage
You can specify these types of operations:
•gt (greater than)
•lt (less than)
•neq (not equal)
•eq (equal)
•range (inclusive range)
We recommend that you do not specify more than nine different operations on the same ACL. If you
exceed this number, each new operation might cause the affected ACE to be translated into more than
one ACE.
Use the following two guidelines to determine Layer4 operation usage:
•Layer 4 operations are considered different if the operator or the operand differ. For example, in this
ACL there are three different Layer 4 operations (“gt 10” and “gt 11” are considered two different
Layer 4 operations):
... gt 10 permit
... lt 9 deny
... gt 11 deny
Note There is no limit to the use of “eq” operators as the “eq” operator does not use a logical
operator unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation
Unit Usage” section on page 23-4 for a description of LOUs.
•Layer 4 operations are considered different if the same operator/operand couple applies once to a
source port and once to a destination port. For example, in this ACL there are two different Layer 4
operations because one ACE applies to the source port and one applies to the destination port.
... Src gt 10 ...
... Dst gt 10