37-10
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 37 Configuring Network Security with ACLs
Information About Network Security with ACLs
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not be en applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
Hardware and Software Handling of IP ACLs
ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to
the CPU for software processing. If the hardware reaches its capacity to store ACL configurations,
packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is
substantially less than for hardware-forwarded traffic.
Note If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a
switch, then only the traffic in that VLAN arriving on that switch is affected (forwarded in software).
Software forwarding of packets might adversely impact the performance of the switch, depending on the
number of CPU cycles that this consumes.
For router ACLs, other factors can cause packets to be sent to the CPU:
Using the log keyword
Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be
done by software. Because of the difference in packet handling capacity between hardware and software,
if the sum of all flows being logged (both permitted flows and denied flows) is of significant bandwidth,
not all of the packets that are forwarded can be logged.
If router ACL configuration cannot be applied in hardware, packets arriving i n a VLAN that must be
routed are routed in software, but are bridged in hardware. If ACLs cause large numbers of packets to be
sent to the CPU, the switch performance can be negatively affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does
not account for packets that are access controlled in hardware. Use the show access-lists hardware
counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and
routed packets.
Troubleshooting ACLs
If this ACL manager message appears, where [chars] is the access-list name, the switch then has
insufficient resources to create a hardware representation of the ACL.
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
The resources include hardware memory and label space but not CPU memory. A lack of available
logical operation units or specialized hardware resources causes this problem. Logical operation units
are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port
numbers.
Use one of these workarounds:
Modify the ACL configuration to use fewer resources.
Rename the ACL with a name or number that alphanumerically precedes the ACL names or
numbers.