Hardware and Software ACL Support - Cisco 7604 Configuration Manual
Hardware and Software ACL Support

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX

Access control lists (ACLs) can be processed in hardware by the Policy Feature Card (PFC) or a
Distributed Forwarding Card (DFC), or in software by the Multilayer Switch Feature Card (MSFC). The
following points describe software and hardware handling of ACLs:
With the ip unreachables command enabled (the default), the supervisor engine drops most denied
packets in hardware and sends only a small number (at most 10 packets per second) to the MSFC,
which drops them in software and generates ICMP unreachable messages.
To eliminate the load that dropping denied packets and generating ICMP unreachable messages
imposes on the MSFC CPU, enter the no ip unreachables interface configuration command to disable
ICMP unreachable messages; all access-group-denied packets are then dropped in hardware.
ICMP unreachable messages are not sent for packets denied by a VACL.
We strongly recommend named ACLs rather than numbered ACLs, because they conserve CPU when ACL
configurations are created or modified and during system restarts. When you create or modify ACL
entries (ACEs), the software performs a CPU-intensive operation called an ACL merge to load the
ACL configuration into the PFC hardware. An ACL merge also occurs when the startup configuration
is applied during a system restart.
With named ACLs, the ACL merge is triggered only when you exit named-ACL configuration mode.
With numbered ACLs, the ACL merge is triggered for every ACE definition, which produces a series
of intermediate merges during ACL configuration.
ACL flows that match a "deny" statement in standard and extended ACLs (input and output) are
dropped in hardware if "ip unreachables" is disabled.
ACL flows that match a "permit" statement in standard and extended ACLs (input and output) are
processed in hardware.
VLAN ACL (VACL) flows are processed in hardware. If a field specified in a VACL match clause is
not supported by hardware processing, either the field is ignored (for example, the log keyword
in an ACL used in the match clause) or the whole configuration is rejected (for example, a VACL
containing IPX ACL parameters). VACL logging, configured with the action clause, is processed in
software.
Dynamic ACL flows are processed in hardware.
Idle timeout is processed in software.
Note: Idle timeout is not configurable. Cisco 7600 series routers do not support the
access-enable host timeout command.
Except on MPLS interfaces, reflexive ACL flows are processed in hardware after the first packet in
a session is processed in software on the RP.
IP accounting for an ACL access violation on a given port is supported by forwarding all denied
packets for that port to the MSFC for software processing without impacting other flows.
The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are
supported in software on the MSFC.
Extended name-based MAC address ACLs are supported in hardware.
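The following Python audit is added here as an example; it is not code from Cisco's guide. It reads a constructed running-config fragment and flags the two habits this section warns against: numbered ACLs, which it rewrites in the named form so that the PFC sees one ACL merge on exit instead of one per ACE, and interfaces that apply an access group while ICMP unreachables are still enabled, so that denied packets keep being punted to the MSFC. The sample config, the ACL-<number> naming convention and the function names are the example's own assumptions.

```python
"""Audit a Cisco IOS (7600/PFC) running-config for two CPU-path pitfalls:
numbered ACLs (one ACL merge per ACE) and access groups applied with
'ip unreachables' left enabled (denied packets punted to the MSFC).
Added example, not Cisco code. SAMPLE_CONFIG below is constructed."""
import re
from typing import Dict, List

# Constructed running-config fragment: one numbered ACL, one named ACL,
# one interface with the default ICMP-unreachable behaviour, one hardened.
SAMPLE_CONFIG = """\
!
access-list 101 permit tcp any host 10.0.0.10 eq 443
access-list 101 permit udp any any eq 53
access-list 101 deny   ip any any
!
ip access-list extended MGMT-IN
 permit tcp 10.1.0.0 0.0.255.255 any eq 22
 deny   ip any any
!
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip address 10.1.0.1 255.255.255.0
 ip access-group MGMT-IN in
 no ip unreachables
!
"""

# IOS numbered IP ACL ranges (standard / extended, including expanded ranges).
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))


def acl_type(number: int) -> str:
    """Classify a numbered IP ACL as 'standard' or 'extended' by its number."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"access-list {number} is not a numbered IP ACL")


def numbered_acls(config: str) -> Dict[int, List[str]]:
    """Collect the ACEs of every numbered IP access-list, in config order."""
    acls: Dict[int, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"^access-list\s+(\d+)\s+(.*\S)\s*$", line)
        if m:
            ace = re.sub(r"\s+", " ", m.group(2))  # normalise spacing
            acls.setdefault(int(m.group(1)), []).append(ace)
    return acls


def to_named(number: int, aces: List[str], name: str = "") -> str:
    """Emit the named-ACL equivalent of a numbered ACL. The ACEs are entered
    inside one named-ACL mode and closed with a single 'exit', so the PFC
    performs one ACL merge instead of one merge per ACE."""
    name = name or f"ACL-{number}"  # assumed naming convention
    lines = [f"ip access-list {acl_type(number)} {name}"]
    lines += [f" {ace}" for ace in aces]
    lines.append(" exit")
    return "\n".join(lines)


def interfaces(config: str) -> Dict[str, List[str]]:
    """Split the config into interface blocks: name -> stripped sub-mode lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per pitfall present in the config."""
    findings: List[str] = []
    for number, aces in sorted(numbered_acls(config).items()):
        findings.append(
            f"access-list {number}: numbered ACL with {len(aces)} ACEs triggers "
            f"{len(aces)} ACL merges; rewrite as a named ACL (one merge on exit)")
    for name, lines in interfaces(config).items():
        applied = [l for l in lines if l.startswith("ip access-group ")]
        if applied and "no ip unreachables" not in lines:
            findings.append(
                f"{name}: '{applied[0]}' with ip unreachables enabled (default); "
                "denied packets are punted to the MSFC (max 10 pps) to generate "
                "ICMP unreachables; add 'no ip unreachables' to drop all in hardware")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    for number, aces in numbered_acls(SAMPLE_CONFIG).items():
        print(to_named(number, aces))
```

Running the block against SAMPLE_CONFIG reports access-list 101 and interface Vlan10; Vlan20 is silent because its access group is a named ACL and ICMP unreachables are already disabled. The conversion keeps ACE order, which matters because IOS evaluates ACEs top-down and the implicit deny stays at the end.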
Chapter 34, Understanding Cisco IOS ACL Support (OL-4266-08)