Smart Logging; Hardware and Software Treatment of IP ACLs; VLAN Map Configuration Guidelines - Cisco Catalyst 2960-X Security Configuration Manual

Cisco IOS Release 15.0(2)EX

Configuring IPv4 ACLs

Smart Logging

When smart logging is enabled on the switch and an ACL configured with smart logging is attached to a Layer
2 interface (port ACL), the contents of packets denied or permitted because of the ACL are also sent to a
specified NetFlow collector.

Hardware and Software Treatment of IP ACLs

ACL processing is performed in hardware. If the hardware reaches its capacity to store ACL configurations,
all packets on that interface are dropped.
Note
If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a
switch or stack member, then only the traffic in that VLAN arriving on that switch is affected.
For router ACLs, other factors can cause packets to be sent to the CPU:
• Using the log keyword
• Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done
by software. Because of the difference in packet handling capacity between hardware and software, if the sum
of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the
packets that are forwarded can be logged.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not
account for packets that are access controlled in hardware. Use the show platform acl counters hardware
privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.

VLAN Map Configuration Guidelines

VLAN maps are the only way to control filtering within a VLAN. VLAN maps have no direction. To filter
traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or
destination addresses. If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the
default action is to drop the packet if the packet does not match any of the entries within the map. If there is
no match clause for that type of packet, the default is to forward the packet.
The following are the VLAN map configuration guidelines:

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX, OL-29048-01
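The router ACL and VLAN map behaviour described above, as an added configuration example that is not from the guide; the ACL names, addresses, VLAN numbers and the SVI are assumptions:

```ios
! Constructed example (not from the Cisco guide). ACL names, addresses, VLAN
! numbers and interface Vlan20 are assumptions.
!
! Router ACL. Flows matching the deny ACE are dropped in hardware; the "log"
! keyword additionally sends a copy of each matching packet to the CPU for
! logging only, so keep it on low-volume entries to avoid overrunning the
! software path. The permit ACE has no "log" and is switched entirely in hardware.
ip access-list extended GUEST-IN
 deny   ip 10.20.0.0 0.0.255.255 10.1.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan20
 ip address 10.20.0.1 255.255.0.0
 ip access-group GUEST-IN in
!
! VLAN map. VLAN maps have no direction, so the specific source address in the
! ACL is what restricts entry 10 to traffic FROM host 10.10.0.50. Entry 20 has
! no match clause and therefore matches every remaining packet; without it, any
! IP packet not matching entry 10 would be dropped, because the map contains an
! IP match clause and the default for unmatched packets of that type is drop.
ip access-list extended FROM-QUARANTINED-HOST
 permit ip host 10.10.0.50 any
!
vlan access-map VLAN10-MAP 10
 match ip address FROM-QUARANTINED-HOST
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
!
! Verification: "show ip access-lists" match counts exclude packets handled in
! hardware, so they reflect only CPU-processed (for example logged) packets.
! Use "show platform acl counters hardware" for hardware-switched hits.
```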