Acl Logging; Hardware And Software Treatment Of Ip Acls - Cisco Catalyst 2960-XR Security Configuration Manual
Ios release 15.0 2 ex1
Hide thumbs
Also See for Catalyst 2960-XR:
- Configuration manual (196 pages) ,
- Configuration manuals (120 pages) ,
- Reference (52 pages)
Table of Contents
Advertisement
Hardware and Software Treatment of IP ACLs
• You can use standard or extended ACLs (named or numbered) in VLAN maps.
ACL Logging
The switch software can provide logging messages about packets permitted or denied by a standard IP access
list. That is, any packet that matches the ACL causes an informational logging message about the packet to
be sent to the console. The level of messages logged to the console is controlled by the logging console
commands controlling the syslog messages.
Because routing is done in hardware and logging is done in software, if a large number of packets match
Note
a permit or deny ACE containing a log keyword, the software might not be able to match the hardware
processing rate, and not all packets will be logged.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are
collected over 5-minute intervals before they appear or logged. The logging message includes the access list
number, whether the packet was permitted or denied, the source IP address of the packet, and the number of
packets from that source permitted or denied in the prior 5-minute interval.
Hardware and Software Treatment of IP ACLs
ACL processing is performed in hardware. If the hardware reaches its capacity to store ACL configurations,
all packets on that interface are dropped.
Note
If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a
switch or stack member, then only the traffic in that VLAN arriving on that switch is affected.
For router ACLs, other factors can cause packets to be sent to the CPU:
• Using the log keyword
• Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done
by software. Because of the difference in packet handling capacity between hardware and software, if the sum
of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the
packets that are forwarded can be logged.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not
account for packets that are access controlled in hardware. Use the show platform acl counters hardware
privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
116
security access control.
the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in
hardware.
Configuring IPv4 ACLs
OL-29434-01
Advertisement
Table of Contents
