33-10
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
Access lists 104 and 105 are identical; established is shorthand for rst and ack.
Access list 101, below, will be processed completely in software:
access-list 101 permit tcp any any urg
Because four source and two destination operations exist, access list 106, below, will be processed in hardware:
access-list 106 permit tcp any range 100 120 any range 120 140
access-list 106 permit tcp any range 140 160 any range 180 200
access-list 106 permit tcp any range 200 220
access-list 106 deny tcp any range 220 240
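The counting rule above (source and destination operations tracked separately, identical operator/operand pairs counted once, established equal to rst ack) can be checked mechanically. The script below is an added illustration, not Cisco's code and not the switch's own classification logic; it assumes that only lt, gt, neq and range count as Layer 4 operations (eq is treated as an exact match and left out), and the sample ACEs it embeds are the ones shown on this page.

```python
"""Count distinct Layer 4 port operations per ACL in IOS-style 'access-list' lines.

Added illustration (not Cisco's code, not the Catalyst 4500 ASIC's logic).
Assumptions: only lt / gt / neq / range are counted as Layer 4 operations
(eq is treated as an exact match and not counted); source and destination
operations are tracked separately; 'established' is normalised to the TCP
flag set {ack, rst} so that ACEs differing only in that spelling compare equal.
"""
from collections import defaultdict

PORT_OPS = {"lt": 1, "gt": 1, "eq": 1, "neq": 1, "range": 2}   # operator -> operand count
COUNTED_OPS = {"lt", "gt", "neq", "range"}                        # assumption: eq not counted
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}

# Constructed sample: the ACEs shown on this page, verbatim.
SAMPLE_ACLS = """
access-list 101 permit tcp any any urg
access-list 106 permit tcp any range 100 120 any range 120 140
access-list 106 permit tcp any range 140 160 any range 180 200
access-list 106 permit tcp any range 200 220
access-list 106 deny tcp any range 220 240
access-list 102 permit tcp any lt 80 any gt 100
access-list 102 permit tcp any range 100 120 any range 120 1024
access-list 102 permit tcp any gt 1024 any lt 1023
access-list 103 permit tcp any lt 80 any lt 80
access-list 103 permit tcp any range 100 120 any range 100 120
access-list 103 permit tcp any gt 1024 any gt 1023
"""


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    An absent destination (as in two of the ACL 106 lines above) is tolerated."""
    if not tokens:
        return tokens
    if tokens[0] == "any":
        return tokens[1:]
    return tokens[2:]          # 'host X' and 'addr wildcard' are both two tokens


def _take_port_op(tokens):
    """Consume an optional port operator; return ((op, operands...) or None, rest)."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]] + 1
        return tuple(tokens[:n]), tokens[n:]
    return None, tokens


def parse_ace(line):
    """Return (acl_id, action, src_op, dst_op, flags) for one TCP ACE."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "tcp":
        raise ValueError("only 'access-list N permit|deny tcp ...' lines are handled")
    acl_id, action = tokens[1], tokens[2]
    rest = _take_addr(tokens[4:])
    src_op, rest = _take_port_op(rest)
    rest = _take_addr(rest)
    dst_op, rest = _take_port_op(rest)
    flags = set()
    for tok in rest:
        if tok == "established":       # shorthand for rst and ack
            flags |= {"ack", "rst"}
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # anything else (log, log-input, ...) does not affect operation counting
    return acl_id, action, src_op, dst_op, frozenset(flags)


def count_layer4_ops(config_text):
    """Map ACL id -> (distinct source operations, distinct destination operations).
    Identical operator+operand pairs within the same ACL are counted once."""
    src, dst, seen = defaultdict(set), defaultdict(set), []
    for line in config_text.strip().splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue
        acl_id, _, s, d, _ = parse_ace(line)
        if acl_id not in seen:
            seen.append(acl_id)
        if s and s[0] in COUNTED_OPS:
            src[acl_id].add(s)
        if d and d[0] in COUNTED_OPS:
            dst[acl_id].add(d)
    return {i: (len(src.get(i, ())), len(dst.get(i, ()))) for i in seen}


if __name__ == "__main__":
    for acl_id, (n_src, n_dst) in count_layer4_ops(SAMPLE_ACLS).items():
        print(f"ACL {acl_id}: {n_src} source, {n_dst} destination Layer 4 operations")
```

Run against the sample, access list 106 reports four source and two destination operations, and 102 and 103 report three of each, matching the text; access list 103 shows why the split matters, since its source lt 80 and destination lt 80 are counted in separate sets.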
In the following code, the Layer 4 operations for the third ACE will trigger an attempt to
translate dst lt 1023 into multiple ACEs in hardware, because three source and three destination
operations exist. If the translation attempt fails, the third ACE will be processed in software.
access-list 102 permit tcp any lt 80 any gt 100
access-list 102 permit tcp any range 100 120 any range 120 1024
access-list 102 permit tcp any gt 1024 any lt 1023
Similarly, for access list 103, below, the third ACE will trigger an attempt to translate dst gt
1023 into multiple ACEs in hardware. If the attempt fails, the third ACE will be processed in
software. (Although the operations for source and destination ports look similar, they are
considered different Layer 4 operations.)
access-list 103 permit tcp any lt 80 any lt 80
access-list 103 permit tcp any range 100 120 any range 100 120
access-list 103 permit tcp any gt 1024 any gt 1023
Note Remember that source port lt 80 and destination port lt 80 are considered different
operations.
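The text says a destination operation such as dst lt 1023 or dst gt 1023 may be "translated into multiple ACEs in hardware" but does not describe how. The added example below (not Cisco's code, and not the ASIC's actual translation routine) assumes the standard technique for expressing a port range in a ternary match table: split the range into aligned power-of-two blocks, each becoming one (value, mask) entry. It shows why the operand matters: lt 1024 fits in a single entry, while lt 1023 needs ten.

```python
"""Expand a TCP port operator into (value, mask) pairs a TCAM can match exactly.

Added illustration, not Cisco's code: the guide says a destination operation such
as 'lt 1023' may be translated into multiple ACEs in hardware, but does not say how.
Aligned-block (prefix) expansion, assumed here, is the standard way to express a
port range as a set of ternary matches. A pair (value, mask) matches port p when
(p & mask) == value.
"""
PORT_MAX = 0xFFFF          # 16-bit port space


def expand_range(lo, hi):
    """Split the inclusive range [lo, hi] into aligned blocks, greedily: from the
    current port, take the largest power-of-two block that starts on a boundary
    of its own size and does not overshoot hi."""
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError("range must lie within 0..65535")
    pairs, p = [], lo
    while p <= hi:
        size = 1
        while p % (size * 2) == 0 and p + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((p, PORT_MAX & ~(size - 1)))
        p += size
    return pairs


def expand_operator(op, *operands):
    """Map an IOS port operator (eq/lt/gt/range/neq) to its (value, mask) pairs."""
    v = [int(x) for x in operands]
    if op == "eq":
        return [(v[0], PORT_MAX)]
    if op == "lt":
        return expand_range(0, v[0] - 1)
    if op == "gt":
        return expand_range(v[0] + 1, PORT_MAX)
    if op == "range":
        return expand_range(v[0], v[1])
    if op == "neq":                     # everything except v[0]: two ranges
        return expand_range(0, v[0] - 1) + expand_range(v[0] + 1, PORT_MAX)
    raise ValueError(f"unknown operator {op!r}")


def matches(pairs, port):
    """True if any (value, mask) pair matches the port."""
    return any((port & mask) == value for value, mask in pairs)


def covers_exactly(pairs, lo, hi):
    """Brute-force check over the whole port space that pairs match [lo, hi] only."""
    return all(matches(pairs, p) == (lo <= p <= hi) for p in range(PORT_MAX + 1))


if __name__ == "__main__":
    for op, arg in (("lt", 1023), ("lt", 1024), ("gt", 1023), ("gt", 1024)):
        pairs = expand_operator(op, arg)
        print(f"{op} {arg}: {len(pairs)} hardware entries ->",
              " ".join(f"{v:#06x}/{m:#06x}" for v, m in pairs))
```

The covers_exactly helper is the check worth keeping: whatever the expansion produces, it must match every port in the range and nothing outside it, so a translation that cannot be expressed exactly (or that would exceed the table space) is exactly the case in which the text says the ACE falls back to software.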
Some packets must be sent to the CPU for accounting purposes, but the action is still performed by
the hardware. For example, if a packet must be logged, a copy is sent to the CPU for logging, but
the forwarding (or dropping) is performed in the hardware. Although logging slows the CPU, it does
not affect the forwarding rate. This sequence of events would happen under the following
conditions:
• When a log keyword is used
• When an output ACL denies a packet
• When an input ACL denies a packet, and on the interface where the ACL is applied, ip
unreachable is enabled (ip unreachable is enabled by default on all the interfaces)