Hardware And Software Acl Support - Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual

Software configuration guide
Hardware and Software ACL Support

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY, page 31-2

Access control lists (ACLs) can be processed in hardware by the PFC3B or in software by the PISA. The following behavior describes software and hardware handling of ACLs:
- We strongly recommend that you use named ACLs (rather than numbered ACLs), because this conserves CPU usage when creating or modifying ACL configurations and during system restarts. When you create ACL entries (or modify existing ACL entries), the software performs a CPU-intensive operation called an ACL merge to load the ACL configurations into the PFC hardware. An ACL merge also occurs when the startup configuration is applied during a system restart.
  With named ACLs, the ACL merge is triggered only when the user exits the named-ACL configuration mode. However, with numbered ACLs, the ACL merge is triggered for every ACE definition, which results in a number of intermediate merges during ACL configuration.
  The PFC3B provides more efficient hardware support for named ACLs than it can for numbered ACLs.
- ACL flows that match a "deny" statement in standard and extended ACLs (input and output) are dropped in hardware if "ip unreachables" is disabled.
- ACL flows that match a "permit" statement in standard and extended ACLs (input and output) are processed in hardware.
- VLAN ACL (VACL) flows are processed in hardware. If a field specified in a VACL is not supported by hardware processing, that field is ignored (for example, the log keyword in an ACL) or the whole configuration is rejected (for example, a VACL containing IPX ACL parameters).
- VACL logging is processed in software.
- Dynamic ACL flows are processed in hardware.
- Idle timeout is processed in software.
  Note: Idle timeout is not configurable. Catalyst 6500 series switches do not support the access-enable host timeout command.
- Except on MPLS interfaces, reflexive ACL flows are processed in hardware after the first packet in a session is processed in software on the RP.
- IP accounting for an ACL access violation on a given port is supported by forwarding all denied packets for that port to the PISA for software processing without impacting other flows.
- The PFC3B does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the PISA.
- Extended name-based MAC address ACLs are supported in hardware.
- The following ACL types are processed in software:
  - Internetwork Packet Exchange (IPX) access lists
  - Standard XNS access list
  - Extended XNS access list
  - DECnet access list
  - Extended MAC address access list
  - Protocol type-code access list
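As an added illustration (constructed for this page, not taken from the configuration guide), the configuration below contrasts the two styles the recommendation above describes: a numbered ACL, where each access-list line is a separate ACE entered at global configuration and therefore triggers its own ACL merge, and an equivalent named ACL whose ACEs are entered in named-ACL configuration mode so that one merge runs when you exit. The ACL number and name, the addresses and the interface are assumed values; the interface applies the named ACL with ip unreachables disabled so that flows matching a deny statement are dropped in hardware, as described above.

```cisco
! Numbered extended ACL (assumed number 101).
! Every access-list line below is a separate ACE committed from global
! configuration, so each line triggers an intermediate ACL merge.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 101 deny   ip  any 10.1.2.0 0.0.0.255
access-list 101 permit ip  any any
!
! Equivalent named extended ACL (assumed name EDGE-IN).
! The ACEs are entered in named-ACL configuration mode; the ACL merge
! runs once, when "exit" leaves that mode.
ip access-list extended EDGE-IN
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 deny   ip  any 10.1.2.0 0.0.0.255
 permit ip  any any
 exit
!
! Apply the named ACL inbound (assumed interface). With ip unreachables
! disabled, flows matching the deny statement are dropped in hardware
! rather than being sent to the PISA to generate ICMP unreachables.
interface GigabitEthernet1/1
 no ip unreachables
 ip access-group EDGE-IN in
 exit
```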
Chapter 31 Understanding Cisco IOS ACL Support, OL-11439-03
