Configuring IP ACLs - Cisco Catalyst 3550 series Software Configuration Manual

Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet.

Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.

Configuring IP ACLs

Configuring IP ACLs on Layer 2 or Layer 3 switch or VLAN interfaces is the same as configuring ACLs on other Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the "Configuring IP Services" chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. For a list of IOS features not supported on the Catalyst 3550 switch, see the "Unsupported Features" section on page 28-7.

Caution: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group; these access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message. To drop access-group denied packets in hardware, you must disable ICMP unreachables by using the no ip unreachables interface configuration command. Note that the ip unreachables command is enabled by default.

This section includes the following information:
- Hardware and Software Handling of Router ACLs, page 28-6
- Unsupported Features, page 28-7
- Creating Standard and Extended IP ACLs, page 28-8
- Applying an IP ACL to an Interface or Terminal Line, page 28-19
- IP ACL Configuration Examples, page 28-21

Hardware and Software Handling of Router ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic. When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done by software. Because of the difference in packet handling capacity between hardware and software, if the sum of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged.

These factors can cause packets to be sent to the CPU:
- Using the log keyword
- Enabling ICMP unreachables
- Hardware reaching its capacity to store ACL configurations

Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-09, Chapter 28 Configuring Network Security with ACLs, page 28-6
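The fragmented-packet walkthrough above (packet B denied on its first fragment but permitted on later ones, packet C denied on every fragment by a Layer-3-only deny ACE) can be reproduced with a small model of the IOS fragment rules. This is an added example, not code from the Cisco guide; the ACL it uses is constructed to match the page's description and is an assumption, and the optional IOS `fragments` keyword is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    action: str            # "permit" or "deny"
    dst: str               # destination host the ACE checks (Layer 3)
    dport: Optional[int]   # Layer 4 destination port, or None for a Layer-3-only ACE

@dataclass
class Fragment:
    dst: str
    dport: Optional[int]   # None for non-initial fragments (no Layer 4 header present)
    initial: bool

# Constructed ACL (assumption): the fourth ACE denies all traffic to 10.1.1.3
# without checking Layer 4, as the page describes; 21 is ftp, 25 is smtp.
ACL = [
    ACE("permit", "10.1.1.1", 25),
    ACE("deny",   "10.1.1.2", 21),
    ACE("permit", "10.1.1.2", None),
    ACE("deny",   "10.1.1.3", None),
]

def evaluate(acl, frag):
    """Apply IOS fragment semantics and return 'permit' or 'deny'.
    Initial fragment: Layer 3 and Layer 4 are both compared.
    Non-initial fragment: only Layer 3 is compared; an ACE that also checks
    Layer 4 permits the fragment if it is a permit ACE and is skipped if it is
    a deny ACE. An implicit deny ends the list."""
    for ace in acl:
        if ace.dst != frag.dst:
            continue
        if ace.dport is None:              # Layer-3-only ACE: matches every fragment
            return ace.action
        if frag.initial:                   # full match on the first fragment
            if frag.dport == ace.dport:
                return ace.action
            continue
        if ace.action == "permit":         # non-initial fragment, ACE has L4 info
            return "permit"
        # deny ACE with Layer 4 info: non-initial fragment falls through to next ACE
    return "deny"

def fragments(dst, dport, count=3):
    """Constructed packet: one initial fragment followed by non-initial ones."""
    return [Fragment(dst, dport, True)] + [Fragment(dst, None, False)] * (count - 1)

def verdicts(dst, dport):
    return [evaluate(ACL, f) for f in fragments(dst, dport)]
```

`verdicts("10.1.1.2", 21)` shows packet B's pattern (first fragment denied, the rest permitted), and `verdicts("10.1.1.3", 21)` shows packet C denied on every fragment.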