Chapter 23 Configuring Network Security

Configuring the Cisco IOS Firewall Feature Set

Determining Logical Operation Unit Usage

Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the exception of the range operator. LOU usage per Layer 4 operation is as follows:

gt uses 1/2 LOU

lt uses 1/2 LOU

neq uses 1/2 LOU

range uses 1 LOU

eq does not require a LOU

For example, this ACL would use a single LOU to store two different operator-operand couples:

... Src gt 10 ...

... Dst gt 10

A more detailed example follows:

ACL1

... (dst port) gt 10 permit

... (dst port) lt 9 deny

... (dst port) gt 11 deny

... (dst port) neq 6 permit

... (src port) neq 6 deny

... (dst port) gt 10 deny

ACL2

... (dst port) gt 20 deny

... (src port) lt 9 deny

... (src port) range 11 13 deny

... (dst port) neq 6 permit

The Layer 4 operations and LOU usage are as follows:

ACL1 Layer 4 operations: 5

ACL2 Layer 4 operations: 4

LOUs: 4

An explanation of the LOU usage follows:

LOU 1 stores “gt 10” and “lt 9”

LOU 2 stores “gt 11” and “neq 6”

LOU 3 stores “gt 20” (with space for one more)

LOU 4 stores “range 11 13” (range needs the entire LOU)
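The accounting above can be checked before an ACL change is deployed. The following Python sketch is an added example, not Cisco code. It assumes, as the explanation above shows, that a couple is keyed by operator and operand only (so "neq 6" and "lt 9" are stored once even when used by both ACLs or on both src and dst ports), and that couples are packed in first-seen order. The tuple format and function names are hypothetical.

```python
# Added example: LOU accounting model inferred from the worked example on this page.
LOU_LIMIT = 32                    # "There can be up to 32 LOUs"
HALF_OPS = {"gt", "lt", "neq"}    # each uses 1/2 LOU; range uses 1; eq uses none

def l4_operations(acl):
    """Distinct (port, operator, operands) entries in one ACL; eq is not counted."""
    seen = []
    for port, op, *operands in acl:
        key = (port, op, tuple(operands))
        if op != "eq" and key not in seen:
            seen.append(key)
    return seen

def allocate_lous(acls):
    """Pack operator-operand couples into LOUs in first-seen order (assumed order)."""
    lous, stored, half_open = [], set(), None
    for acl in acls:
        for _port, op, *operands in acl:
            couple = " ".join([op, *map(str, operands)])
            if op == "eq" or couple in stored:
                continue                      # eq needs no LOU; known couples are shared
            if op not in HALF_OPS and op != "range":
                raise ValueError(f"unknown Layer 4 operator: {op}")
            stored.add(couple)
            if op == "range":
                lous.append([couple])         # range needs the entire LOU
            elif half_open is None:
                lous.append([couple])         # open a new LOU, one half still free
                half_open = len(lous) - 1
            else:
                lous[half_open].append(couple)
                half_open = None
    return lous

def lous_remaining(acls):
    """LOUs left under the 32-LOU limit; raises if the ACL set does not fit."""
    left = LOU_LIMIT - len(allocate_lous(acls))
    if left < 0:
        raise OverflowError(f"ACL set needs {-left} LOUs more than the limit")
    return left

# ACL1 and ACL2 from this page, as (port, operator, operand...) tuples.
ACL1 = [("dst", "gt", 10), ("dst", "lt", 9), ("dst", "gt", 11),
        ("dst", "neq", 6), ("src", "neq", 6), ("dst", "gt", 10)]
ACL2 = [("dst", "gt", 20), ("src", "lt", 9), ("src", "range", 11, 13),
        ("dst", "neq", 6)]

if __name__ == "__main__":
    for number, lou in enumerate(allocate_lous([ACL1, ACL2]), start=1):
        print(f"LOU {number} stores {' and '.join(lou)}")
    print("LOUs remaining:", lous_remaining([ACL1, ACL2]))
```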

Configuring the Cisco IOS Firewall Feature Set

Note: Release 12.1(11b)E and later releases include firewall feature set images.

These sections describe configuring the Cisco IOS firewall feature set on the Cisco 7600 series routers:

Cisco IOS Firewall Feature Set Support Overview

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E


78-14064-04

 

 
