33-8
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
Restrictions for Layer 4 Operations
You can specify these operator types, each of which uses one Layer 4 operation in the hardware:
gt (greater than)
lt (less than)
neq (not equal)
range (inclusive range)
We recommend that you not specify more than six different operations on the same ACL. If you exceed
this number, each new operation might cause the affected ACE (access control entry) to be translated
into multiple ACEs in hardware, and the affected ACE might instead be processed in software.
Configuration Guidelines for Layer 4 Operations
Keep the following guidelines in mind when using Layer 4 operators:
Layer 4 operations are considered different if the operator or operand differ. For example, the
following ACL contains three different Layer 4 operations because gt 10 and gt 11 are considered
two different Layer 4 operations:
... gt 10 permit
... lt 9 deny
... gt 11 deny
Note: The eq operator can be used an unlimited number of times because eq does not use a Layer 4 operation
in hardware.
Layer 4 operations are also considered different if the same operator/operand pair applies once to a
source port and once to a destination port, as in the following example:
... Src gt 10
... Dst gt 10
A more detailed example follows:
access-list 101
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
access-list 102
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
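The counting rules above (gt, lt, neq and range each consume one hardware Layer 4 operation; eq is free; operations differ when the operator or operand differs, or when the same operator/operand pair is applied once to a source port and once to a destination port) can be checked mechanically before a large ACL is deployed, so that an ACE does not silently fall back to software processing. The following Python linter is an added example, not Cisco code and not part of this guide; it parses numbered extended ACEs in standard IOS syntax (`access-list <id> permit|deny <proto> <src> [port-op] <dst> [port-op] ...`), which is an assumption about the input format since the page itself only shows a schematic notation. The sample configuration is constructed to mirror the access-list 101 and 102 example above, plus a constructed access-list 103 that exceeds the recommended six operations.

```python
"""Count distinct hardware Layer 4 operations per IOS extended ACL.

Added example (not Cisco code). Rules applied, taken from the guide:
  - gt, lt, neq, range each use one Layer 4 operation in hardware
  - eq uses none
  - operations differ if operator or operand differ
  - the same operator/operand on a source port and on a destination port count separately
  - more than RECOMMENDED_MAX distinct operations in one ACL is flagged
"""

L4_OPERATORS = {"gt", "lt", "neq", "range"}
PORT_OPERATORS = L4_OPERATORS | {"eq"}
RECOMMENDED_MAX = 6

# Constructed sample config: ACL 101/102 mirror the guide's example, ACL 103 is over the limit.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any gt 10
access-list 101 deny tcp any any lt 9
access-list 101 deny tcp any any gt 11
access-list 101 permit tcp any any neq 6
access-list 101 deny tcp any neq 6 any
access-list 101 deny tcp any any gt 10
access-list 102 deny tcp any any gt 20
access-list 102 deny tcp any lt 9 any
access-list 102 deny tcp any range 11 13 any
access-list 102 permit tcp any any neq 6
access-list 102 permit tcp host 10.0.0.5 eq 80 any eq 443
access-list 103 permit tcp any any gt 1
access-list 103 permit tcp any any gt 2
access-list 103 permit tcp any any gt 3
access-list 103 permit tcp any any gt 4
access-list 103 permit tcp any any gt 5
access-list 103 permit tcp any any gt 6
access-list 103 permit tcp any any gt 7
access-list 103 deny ip any any log
"""


def _take_address(tokens, i):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'); return next index."""
    if tokens[i] == "any":
        return i + 1
    return i + 2  # 'host <addr>' or '<addr> <wildcard>' both occupy two tokens


def _take_port_op(tokens, i):
    """Consume an optional port operator; return ((op, operand), next_index) or (None, i)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        op = tokens[i]
        if op == "range":  # range takes two operands; keep them together as one operand string
            return (op, f"{tokens[i + 1]} {tokens[i + 2]}"), i + 3
        return (op, tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Return (acl_id, [(direction, op, operand), ...]) for one extended ACE, or None otherwise."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        return None
    acl_id, ops = tokens[1], []
    i = _take_address(tokens, 4)  # skip 'access-list', id, action, protocol
    src_op, i = _take_port_op(tokens, i)
    if src_op:
        ops.append(("src",) + src_op)
    i = _take_address(tokens, i)
    dst_op, i = _take_port_op(tokens, i)
    if dst_op:
        ops.append(("dst",) + dst_op)
    return acl_id, ops  # trailing keywords such as 'log' or 'established' are ignored


def count_l4_operations(config_text):
    """Map each ACL id to the sorted list of distinct hardware L4 operations (eq excluded)."""
    distinct = {}
    for line in config_text.splitlines():
        parsed = parse_ace(line.strip())
        if parsed is None:
            continue
        acl_id, ops = parsed
        bucket = distinct.setdefault(acl_id, set())
        for direction, op, operand in ops:
            if op in L4_OPERATORS:  # (direction, op, operand) is the dedup key from the guide
                bucket.add((direction, op, operand))
    return {acl: sorted(ops) for acl, ops in distinct.items()}


def over_limit(config_text, limit=RECOMMENDED_MAX):
    """Return ACL ids whose distinct L4 operation count exceeds the recommended limit."""
    return [acl for acl, ops in count_l4_operations(config_text).items() if len(ops) > limit]


if __name__ == "__main__":
    for acl, ops in count_l4_operations(SAMPLE_CONFIG).items():
        print(f"access-list {acl}: {len(ops)} distinct Layer 4 operations -> {ops}")
    print("over recommended limit:", over_limit(SAMPLE_CONFIG))
```

Run against the sample, access-list 101 counts five operations (the repeated `dst gt 10` is deduplicated, while `dst neq 6` and `src neq 6` are counted separately), access-list 102 counts four (the `eq` line adds none), and access-list 103 is reported as exceeding the recommended six. To lint a real configuration, pass the output of `show running-config` in place of `SAMPLE_CONFIG`.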