Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Note Packets that require logging are processed in software. A copy of each such packet is sent to the CPU for
logging while the packet itself is forwarded in hardware, so that non-logged packet processing is not
impacted.
By default, the Catalyst 4500 series switch sends ICMP unreachable messages when a packet is denied
by an access list; these packets are not dropped in hardware but are forwarded to the switch CPU so that it can
generate the ICMP unreachable message.
To drop access-list denied packets in hardware on the input interface, you must disable ICMP
unreachable messages using the no ip unreachables interface configuration command. The ip
unreachables command is enabled by default.
Packets denied by an output access list are always forwarded to the CPU.
TCAM Programming and ACLs
Two types of hardware resources are consumed when you program ACLs: entries and masks. If either of
these resources is exhausted, no additional ACLs can be programmed into hardware. If the masks on a
system are exhausted but entries are still available, changing the programming scheme from packed to
scattered might free up masks, allowing additional ACLs to be programmed into hardware.
The goal is to use TCAM resources more efficiently by minimizing the number of masks per ACL
entry. To compare TCAM utilization under the scattered and packed algorithms, use the
show platform hardware acl statistics utilization brief command. To change the algorithm from
packed to scattered, use the access-list hardware entries command. To disable an algorithm, use the no
access-list hardware entries command.
Note To determine whether the packed algorithm is configured, use the show running-config command. If
packed is configured, the line access-list hardware entries packed appears in the output.
Note The default TCAM programming algorithm is packed.
The following output was collected from a switch running in packed mode. Observe that 89 percent of
the masks are required to program only 49 percent of the ACL entries.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware entries packed
Switch(config)# end
Switch#
01:15:34: %SYS-5-CONFIG_I: Configured from console by console
Switch#
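The packed-to-scattered change described above, as an added example session that is not from the original guide; the utilization output is not reproduced because its exact format is not shown on this page, and the comments (lines beginning with !) are annotations, not switch output:

```text
! Step 1: record mask and entry utilization under the current (packed) algorithm.
Switch# show platform hardware acl statistics utilization brief
! Step 2: switch the TCAM programming scheme to scattered.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware entries scattered
Switch(config)# end
Switch#
! Step 3: re-check utilization; if masks were the exhausted resource, the mask
! percentage should now be lower relative to the entry percentage, and ACLs that
! previously failed to program into hardware can be reapplied.
Switch# show platform hardware acl statistics utilization brief
! Step 4: confirm which algorithm is active in the running configuration.
Switch# show running-config | include access-list hardware entries
```

Packets that still cannot be programmed into hardware after the change are processed in software, so compare the two utilization reports before concluding that the scattered scheme solved the mask shortage.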