37-10
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 37 Configuring Network Security with ACLs
Information About Network Security with ACLs
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
Hardware and Software Handling of IP ACLs
ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to
the CPU for software processing. If the hardware reaches its capacity to store ACL configurations,
packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is
substantially less than for hardware-forwarded traffic.
Note If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a
switch, then only the traffic in that VLAN arriving on that switch is affected (forwarded in software).
Software forwarding of packets might adversely impact the performance of the switch, depending on the
number of CPU cycles that this consumes.
For router ACLs, other factors can cause packets to be sent to the CPU:
Using the log keyword
Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be
done by software. Because of the difference in packet handling capacity between hardware and software,
if the sum of all flows being logged (both permitted flows and denied flows) is of significant bandwidth,
not all of the packets that are forwarded can be logged.
If router ACL configuration cannot be applied in hardware, packets arriving in a VLAN that must be
routed are routed in software, but are bridged in hardware. If ACLs cause large numbers of packets to be
sent to the CPU, the switch performance can be negatively affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does
not account for packets that are access controlled in hardware. Use the show access-lists hardware
counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and
routed packets.
Troubleshooting ACLs
If this ACL manager message appears, where [chars] is the access-list name, the switch has
insufficient resources to create a hardware representation of the ACL:
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
The resources include hardware memory and label space but not CPU memory. A lack of available
logical operation units or specialized hardware resources causes this problem. Logical operation units
are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port
numbers.
Use one of these workarounds:
Modify the ACL configuration to use fewer resources.
Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers.
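The following Python script is an added example, not part of the guide or of Cisco's software. It reads an extended IP ACL in IOS syntax and flags the entries this chapter says are expensive for the switch: port tests other than eq (ne, gt, lt, range) and TCP flag matches, which need logical operation units, and entries with the log keyword, whose matching packets must be logged in software. It then applies the first workaround from the list above to one common case, rewriting a small range test as separate eq entries so that no logical operation unit is required. The sample ACL, its addresses and ports are constructed for illustration; treating log-input like log and established as the only TCP flag keyword are the script's assumptions, not statements from the guide.

```python
"""Lint an IOS extended ACL for hardware-expensive entries (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample ACL (not from the guide); addresses and ports are made up.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 permit tcp any host 10.1.1.10 eq 443
 permit tcp any host 10.1.1.10 range 8000 8003
 permit tcp 10.2.0.0 0.0.255.255 any established
 deny   udp any any gt 1023 log
 permit udp any host 10.1.1.53 eq 53
 deny   ip any any log
"""

# Port operators the chapter names as needing a logical operation unit.
LOU_PORT_OPERATORS = {"ne", "gt", "lt", "range"}
# TCP flag match keywords; 'established' (ACK or RST set) is assumed to be
# the only one present in the sample.
TCP_FLAG_KEYWORDS = {"established"}
# Keywords that force software logging; log-input is assumed to behave like log.
LOG_KEYWORDS = {"log", "log-input"}


@dataclass
class AceFinding:
    ace: str
    needs_lou: bool
    logged: bool
    reasons: list = field(default_factory=list)


def analyze_ace(ace: str) -> AceFinding:
    """Classify one permit/deny entry by the resources it consumes."""
    tokens = ace.split()
    proto = tokens[1] if len(tokens) > 1 else ""
    reasons, needs_lou = [], False
    if proto in ("tcp", "udp", "sctp"):
        for op in sorted(LOU_PORT_OPERATORS & set(tokens)):
            needs_lou = True
            reasons.append(f"port test '{op}' needs a logical operation unit")
        if proto == "tcp" and TCP_FLAG_KEYWORDS & set(tokens):
            needs_lou = True
            reasons.append("TCP flag match needs a logical operation unit")
    logged = bool(LOG_KEYWORDS & set(tokens))
    if logged:
        reasons.append("'log' sends matching packets to the CPU for logging")
    return AceFinding(" ".join(tokens), needs_lou, logged, reasons)


def analyze_acl(config: str) -> list:
    """Return one finding per permit/deny entry in the configuration text."""
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny"):
            findings.append(analyze_ace(line))
    return findings


def expand_range(ace: str, max_ports: int = 8) -> list:
    """Rewrite a small 'range A B' as one 'eq' entry per port.

    Each eq entry avoids a logical operation unit but costs its own ACL
    entry, so wide ranges (and gt/lt tests, which cannot be enumerated
    sensibly) are returned unchanged rather than exploded."""
    m = re.search(r"\brange (\d+) (\d+)\b", ace)
    if not m:
        return [ace]
    lo, hi = int(m.group(1)), int(m.group(2))
    if hi < lo or hi - lo + 1 > max_ports:
        return [ace]
    return [ace[:m.start()] + f"eq {port}" + ace[m.end():]
            for port in range(lo, hi + 1)]


def rewrite_acl(config: str, max_ports: int = 8) -> str:
    """Apply expand_range to every line of the ACL configuration."""
    out = []
    for line in config.splitlines():
        out.extend(expand_range(line, max_ports))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in analyze_acl(SAMPLE_ACL):
        tags = ("LOU " if f.needs_lou else "    ") + ("LOG " if f.logged else "    ")
        print(f"{tags}{f.ace}")
        for reason in f.reasons:
            print(f"        - {reason}")
    print()
    print(rewrite_acl(SAMPLE_ACL))
```

Running the script on the sample lists three entries that need logical operation units (the range, the established match and the gt test) and two that are logged; the rewritten ACL has the range replaced by four eq entries while the gt 1023 entry is left alone, since enumerating it would cost far more entries than the unit it saves. The match counts for the rewritten ACL still come from show access-lists hardware counters, as the chapter notes, because show ip access-lists does not count packets handled in hardware.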