Unsupported Features - Cisco Catalyst 3550 series Software Configuration Manual

Chapter 28
Configuring Network Security with ACLs
If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively affected.

Note
After the ACL configuration is stable for a specified interval, the system loads the configuration into hardware. Forwarding is blocked on any affected interfaces while the hardware is being updated. To change this behavior, you can use the mls aclmerge delay and the access-list hardware program nonblocking global configuration commands. Refer to the command reference for this release for descriptions of these commands.

When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show access-lists hardware counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.

IP ACLs are handled as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware. Logging is not supported for port ACLs.
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU only for logging. If the ACE is a permit statement, the packet is still switched and routed in hardware.

Note
Logging is not supported on Layer 2 interfaces (port ACLs).

Unsupported Features

The Catalyst 3550 switch does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 28-1 on page 28-8).
• Bridge-group ACLs.
• IP accounting.
• Inbound and outbound rate limiting (except with QoS ACLs).
• IP packets with a header length of less than five are not access controlled (results in an ICMP parameter error).
• Reflexive ACLs.
• Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature).
• For Layer 2 port ACLs, the switch does not support logging or outbound ACLs.

Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-09, Chapter 28 Configuring Network Security with ACLs: Configuring IP ACLs, page 28-7
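The following configuration is an added example, not taken from the guide, showing how the hardware-handling rules and the port ACL restrictions above shape a practical deployment: a router ACL on an SVI that logs denied Telnet attempts, beside a port ACL on a Layer 2 interface that must be inbound only and must not use log. The ACL names, VLAN number, addresses and interface are assumptions.

```ios
! Added example (not the guide's own configuration). Names, VLAN 10,
! 10.1.10.0/24 and FastEthernet0/1 are assumed values.
!
! Router ACL on an SVI. The deny ... log ACE sends a copy of each matching
! packet to the CPU for logging only; traffic matching the permit ACE is
! switched and routed in hardware. Keep log off high-volume deny entries:
! every logged packet costs CPU time.
ip access-list extended SERVERS-IN
 deny   tcp any any eq 23 log
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ! With ip unreachables disabled, flows matching a deny ACE without log
 ! are dropped in hardware rather than handed to the CPU.
 no ip unreachables
 ip access-group SERVERS-IN in
!
! Port ACL on a Layer 2 interface: inbound only, and no log keyword,
! because logging and outbound ACLs are unsupported for port ACLs.
ip access-list extended PORT-NO-TELNET
 deny   tcp any any eq 23
 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PORT-NO-TELNET in
!
! Verification (privileged EXEC): show ip access-lists counts only packets
! the CPU saw (here, the logged copies); show access-lists hardware counters
! reports matches that were permitted or dropped in hardware.
```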
