23-4
Cisco7600 Series Router Cisco IOS Software Configuration Guide—12.1E
78-14064-04
Chapter23 Con figuring Network Security
Configuring the Cisco IOS Firewall Feature Set
Determining Logical Operation Unit Usage
Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs.
There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the
exception of the range operator. LOU usage per Layer4 operation is as follows:
•gt uses 1/2 LOU
•lt uses 1/2 LOU
•neq uses 1/2 LOU
•range uses 1 LOU
•eq does not require a LOU
For example, this ACL would use a single LOU to store two different operator-operand couples:
... Src gt 10 ...
... Dst gt 10
A more detailed example follows:
ACL1
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
ACL2
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
The Layer 4 operations and LOU usage is as follows:
•ACL1 Layer 4 operations: 5
•ACL2 Layer 4 operations: 4
•LOUs: 4
An explanation of the LOU usage follows:
•LOU 1 stores “gt 10” and “lt 9”
•LOU 2 stores “gt 11” and “neq 6”
•LOU 3 stores “gt 20” (with space for one more)
•LOU 4 stores “range 11 13” (range needs the entire LOU)
Configuring the Cisco IOS Firewall Feature SetNote Release 12.1(11b)E and later releases include firewall feature set images.
These sections describe configuring the Cisco IOS firewall feature set on the Cisco7600 series routers:
•Cisco IOS Firewall Feature Set Support Overview, page 23-5