Restrictions For Layer 4 Operations; Configuration Guidelines For Layer 4 Operations - Cisco 4500M Software Manual

Layer 4 Operators in ACLs

Restrictions for Layer 4 Operations

You can specify these operator types, each of which uses one Layer 4 operation in the hardware:

gt (greater than)
lt (less than)
neq (not equal)
range (inclusive range)

Note: The eq operator can be used an unlimited number of times because eq does not use a Layer 4 operation in hardware.

We recommend that you not specify more than six different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE (access control entry) to be translated into multiple ACEs in hardware. If you exceed this number, the affected ACE might be processed in software.

Software Configuration Guide—Release 12.2(25)EW
35-8

Configuration Guidelines for Layer 4 Operations

Keep the following guidelines in mind when using Layer 4 operators:
Layer 4 operations are considered different if the operator or operand differ. For example, the following ACL contains three different Layer 4 operations because gt 10 and gt 11 are considered two different Layer 4 operations:
... gt 10 permit
... lt 9 deny
... gt 11 deny

Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port, as in the following example:
... Src gt 10 ...
... Dst gt 10
A more detailed example follows:
access-list 101
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
access-list 102
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
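The counting rules above (eq is free; gt, lt, neq and range each cost one hardware operation; operations differ by operator, operand, or source-versus-destination side) are simple enough to check mechanically before an ACL is applied, which is how you avoid an ACE silently falling back to software processing. The following is an added example, not code from the Cisco guide: it parses standard IOS extended numbered ACEs (`access-list N permit|deny PROTO SRC [op port] DST [op port]`, an assumption of this example) and reports how many distinct Layer 4 operations each ACL uses against the guide's recommended ceiling of six. The sample configuration is constructed: it renders the guide's access-list 101 and 102 examples as IOS lines and adds an eq-only ACL 103 and a seven-operation ACL 104 to exercise both ends of the rule.

```python
"""Count the distinct Layer 4 operations each IOS extended ACL would consume.

Rules taken from the guide text: eq is free; gt, lt, neq and range each use
one hardware Layer 4 operation; operations differ if the operator or operand
differs; the same operator/operand on a source port and on a destination
port are two different operations. The ACE syntax parsed here is the
standard IOS extended numbered form (an assumption of this example).
"""
import re
from collections import namedtuple

RECOMMENDED_MAX = 6                   # the guide's recommended ceiling per ACL
L4_OPERATORS = {"gt", "lt", "neq", "range"}
FREE_OPERATORS = {"eq"}

L4Op = namedtuple("L4Op", "side operator operands")   # e.g. L4Op('dst', 'gt', ('10',))
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _consume_address(tokens, i):
    """Skip one address spec (any | host A | A WILDCARD) at tokens[i]; return the next index."""
    tok = tokens[i]
    if tok == "any":
        return i + 1
    if tok == "host":
        return i + 2
    if IPV4.match(tok) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
        return i + 2
    raise ValueError(f"unrecognised address spec at token {i}: {tok!r}")


def _consume_port_op(tokens, i, side, ops):
    """If tokens[i] is a port operator, record it (unless free) and skip its operands."""
    if i >= len(tokens):
        return i
    op = tokens[i]
    if op in FREE_OPERATORS:
        return i + 2                                   # eq PORT: costs nothing in hardware
    if op in L4_OPERATORS:
        n_operands = 2 if op == "range" else 1         # range takes two port operands
        operands = tuple(tokens[i + 1:i + 1 + n_operands])
        if len(operands) != n_operands:
            raise ValueError(f"operator {op!r} is missing operands")
        ops.append(L4Op(side, op, operands))
        return i + 1 + n_operands
    return i                                           # no port qualifier on this side


def parse_ace(line):
    """Return (acl_id, [L4Op, ...]) for one extended ACE line."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    acl_id, ops = tokens[1], []
    i = _consume_address(tokens, 4)                    # tokens[2]=action, tokens[3]=protocol
    i = _consume_port_op(tokens, i, "src", ops)
    i = _consume_address(tokens, i)
    _consume_port_op(tokens, i, "dst", ops)
    return acl_id, ops


def count_l4_operations(config_lines):
    """Map each ACL number to the set of distinct Layer 4 operations it uses."""
    per_acl = {}
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        acl_id, ops = parse_ace(line)
        per_acl.setdefault(acl_id, set()).update(ops)  # the set de-duplicates repeats
    return per_acl


def over_budget(per_acl, limit=RECOMMENDED_MAX):
    """ACL ids whose distinct Layer 4 operation count exceeds the recommended limit."""
    return sorted(acl for acl, ops in per_acl.items() if len(ops) > limit)


# Constructed sample: the guide's access-list 101 and 102 examples written out as
# IOS ACEs, plus an eq-only ACL (103) and a seven-operation ACL (104).
SAMPLE_CONFIG = """
access-list 101 permit tcp any any gt 10
access-list 101 deny tcp any any lt 9
access-list 101 deny tcp any any gt 11
access-list 101 permit tcp any any neq 6
access-list 101 deny tcp any neq 6 any
access-list 101 deny tcp any any gt 10
access-list 102 deny tcp any any gt 20
access-list 102 deny tcp any lt 9 any
access-list 102 deny tcp any range 11 13 any
access-list 102 permit tcp any any neq 6
access-list 103 permit tcp any eq 80 host 192.0.2.10 eq 443
""".splitlines() + [f"access-list 104 deny tcp any any gt {p}" for p in range(7000, 7007)]

if __name__ == "__main__":
    counts = count_l4_operations(SAMPLE_CONFIG)
    for acl in sorted(counts):
        print(f"access-list {acl}: {len(counts[acl])} distinct Layer 4 operation(s)")
    print("over the recommended six:", over_budget(counts) or "none")
```

Applying the guide's rules to its own examples, access-list 101 uses five distinct operations (the repeated dst gt 10 counts once, while dst neq 6 and src neq 6 count separately) and access-list 102 uses four; the constructed ACL 103 uses none because eq is free, and ACL 104 is the one flagged as exceeding the recommended six.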
Chapter 35
Configuring Network Security with ACLs
OL-6696-01