How ACL Processing Impacts CPU - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Layer 4 Operators in ACLs

Access list 101 Layer 4 operations: 5
gt 10 permit and gt 10 deny both use the same operation because they are identical and both operate on the destination port.
Access list 102 Layer 4 operations: 4
Total Layer 4 operations: 8 (due to sharing between the two access lists)
neq 6 permit is shared between the two ACLs because they are identical and both operate on the same destination port.

A description of the Layer 4 operations usage is as follows:
Layer 4 operation 1 stores gt 10 permit and gt 10 deny from ACL 101
Layer 4 operation 2 stores lt 9 deny from ACL 101
Layer 4 operation 3 stores gt 11 deny from ACL 101
Layer 4 operation 4 stores neq 6 permit from ACL 101 and 102
Layer 4 operation 5 stores neq 6 deny from ACL 101
Layer 4 operation 6 stores gt 20 deny from ACL 102
Layer 4 operation 7 stores lt 9 deny from ACL 102
Layer 4 operation 8 stores range 11 13 deny from ACL 102

How ACL Processing Impacts CPU

ACL processing can impact the CPU in two ways:
- For some packets, when the hardware runs out of resources, the software must perform the ACL matches:
  - The TCP flag combinations rst ack, syn fin rst, urg and psh are processed in hardware. rst ack is equivalent to the keyword established. Other TCP flag combinations are supported in software.
  - If the total number of Layer 4 operations in an ACL is less than six, you can distribute the operations in any way you choose.

Examples
The following access lists are processed completely in hardware:
    access-list 104 permit tcp any any established
    access-list 105 permit tcp any any rst ack
    access-list 107 permit tcp any any syn fin rst
Access lists 104 and 105 are identical; established is shorthand for rst ack.
Access list 101 is processed completely in software:
    access-list 101 permit tcp any any syn
Because four source and two destination operations exist, access list 106 is processed in hardware:
    access-list 106 permit tcp any range 100 120 any range 120 140
    access-list 106 permit tcp any range 140 160 any range 180 200
    access-list 106 permit tcp any range 200 220 any
    access-list 106 deny tcp any range 220 240 any
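As an added example (not code from the Cisco guide), the following Python script applies the two rules this page spells out: it counts distinct Layer 4 operations per ACL and across ACLs, keying each by port direction, operator and operands so that a permit/deny pair and an identical operation in another ACL share one, and it classifies the TCP-flag combination of an ACE as hardware- or software-matched according to the list above. The ACL lines inside it are constructed to reproduce the page's operation list for ACLs 101 and 102; which port (source or destination) each operator applies to is an assumption, since the page lists only the operations, as is treating eq as an exact port match that consumes no operation.

```python
L4_OPERANDS = {"gt": 1, "lt": 1, "neq": 1, "eq": 1, "range": 2}  # operator -> operand count
HW_FLAG_SETS = [{"rst", "ack"}, {"syn", "fin", "rst"}, {"urg"}, {"psh"}]  # hardware combos per the page

def _take_operator(tokens, i):
    if i < len(tokens) and tokens[i] in L4_OPERANDS:  # ((operator, operands), next_index)
        n = L4_OPERANDS[tokens[i]]
        return (tokens[i], tuple(tokens[i + 1:i + 1 + n])), i + 1 + n
    return None, i

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC [op] DST [op] [tcp-flags]'."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "tcp", f"not an extended TCP ACE: {line!r}"
    i = 5 if t[4] == "any" else 6      # source address: 'any' or 'host A' / 'A WILDCARD'
    src_op, i = _take_operator(t, i)
    i += 1 if t[i] == "any" else 2     # destination address spec
    dst_op, i = _take_operator(t, i)
    flags = set(t[i:]) & {"syn", "ack", "fin", "rst", "urg", "psh", "established"}
    if "established" in flags:         # the page: established is shorthand for rst ack
        flags = (flags - {"established"}) | {"rst", "ack"}
    return {"acl": t[1], "action": t[2], "src_op": src_op, "dst_op": dst_op, "flags": flags}

def count_l4_operations(lines):
    """Distinct operations per ACL and across all ACLs, keyed by (direction, operator, operands)."""
    per_acl, total = {}, set()
    for ace in map(parse_ace, lines):
        for direction, op in (("src", ace["src_op"]), ("dst", ace["dst_op"])):
            if op is None or op[0] == "eq":   # assumption: eq is an exact match, not an operation
                continue
            key = (direction,) + op           # permit/deny is deliberately not part of the key
            per_acl.setdefault(ace["acl"], set()).add(key)
            total.add(key)                    # identical operations are shared across ACLs
    return {acl: len(ops) for acl, ops in per_acl.items()}, len(total)

def tcp_flags_path(line):
    flags = parse_ace(line)["flags"]
    return "hardware" if not flags or flags in HW_FLAG_SETS else "software"  # other combos punt

ACL_LINES = [  # constructed to reproduce the page's operation list for ACLs 101 and 102
    "access-list 101 permit tcp any any gt 10",
    "access-list 101 deny tcp any any gt 10",     # same operation as the permit above
    "access-list 101 deny tcp any lt 9 any",      # source port
    "access-list 101 deny tcp any any gt 11",
    "access-list 101 permit tcp any any neq 6",
    "access-list 101 deny tcp any neq 6 any",     # source port, so a separate operation
    "access-list 102 permit tcp any any neq 6",   # shared with ACL 101's operation
    "access-list 102 deny tcp any any gt 20",
    "access-list 102 deny tcp any any lt 9",      # destination port: not shared with ACL 101
    "access-list 102 deny tcp any range 11 13 any",
]
```

count_l4_operations(ACL_LINES) returns ({'101': 5, '102': 4}, 8), matching the page, and tcp_flags_path reports the syn-only ACE for access list 101 as software-matched while access lists 104, 105 and 107 stay in hardware.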
Chapter 51: Configuring Network Security with ACLs
Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG, OL-25340-01