Hardware And Software Treatment Of Ip Acls; Troubleshooting Acls - Cisco IE-3000-8TC Software Configuration Manual

Chapter 34 Configuring Network Security with ACLs
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
Command
Step 1
configure terminal
Step 2
interface interface-id
Step 3
ip access-group {access-list-number |
name} {in}
Step 4 end
Step 5 show running-config
Step 6 copy running-config startup-config
To remove the specified access group, use the no ip access-group {access-list-number | name} {in}
interface configuration command.
This example shows how to apply access list 2 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 2 in
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.

Hardware and Software Treatment of IP ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to
the CPU for software processing. If the hardware reaches its capacity to store ACL configurations,
packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is
substantially less than for hardware-forwarded traffic.
If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively
affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does
not account for packets that are access controlled in hardware. Use the show access-lists hardware
counters privileged EXEC command to obtain some basic hardware ACL statistics for switched packets.

Troubleshooting ACLs

If this ACL manager message appears and [chars] is the access-list name,
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
The switch has insufficient resources to create a hardware representation of the ACL. The resources
include hardware memory and label space but not CPU memory. A lack of available logical operation
units or specialized hardware resources causes this problem. Logical operation units are needed for a
TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
OL-13018-03
Purpose
Enter global configuration mode.
Identify a specific interface for configuration, and enter interface
configuration mode.
Control access to the specified interface.
Return to privileged EXEC mode.
Display the access list configuration.
(Optional) Save your entries in the configuration file.
Cisco IE 3000 Switch Software Configuration Guide
Configuring IPv4 ACLs
34-17