Hardware And Software Treatment Of Ip Acls; Ipv4 Acl Configuration Examples; Numbered Acls; Extended Acls - Cisco 3020 - Catalyst Blade Switch Configuration Manual

Chapter 26 Configuring Network Security with ACLs

Hardware and Software Treatment of IP ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to
the CPU for software processing. If the hardware reaches its capacity to store ACL configurations,
packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is
substantially less than for hardware-forwarded traffic.
If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively
affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does
not account for packets that are access controlled in hardware. Use the show access-lists hardware
counters privileged EXEC command to obtain some basic hardware ACL statistics for switched packets.

IPv4 ACL Configuration Examples

This section provides examples of configuring and applying IPv4 ACLs. For detailed information about
compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and to the Configuring
IP Services" section in the "IP Addressing and Services" chapter of the Cisco IOS IP Configuration
Guide, Release 12.2.
This example uses a standard ACL to allow a port access to a specific Internet host with the address
172.20.128.64.
Switch(config)# access-list 6 permit 172.20.128.64 0.0.0
Switch(config)# end
Switch# show access-lists
Standard IP access list 6
10 permit 172.20.128.64 wildcard bits 0.0.0.0
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 6 in
This example uses an extended ACL to deny to a port traffic coming from port 80 (HTTP). It permits all
other types of traffic.
Switch(config)# access-list 106 deny tcp any any eq 80
Switch(config)# access-list 106 permit ip any any
Switch(config)# end
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 106 in

Numbered ACLs

This ACL accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0
subnets. The ACL is applied to packets entering a port.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in

Extended ACLs

In this example, suppose that you have a network connected to the Internet, and you want any host on
the network to be able to form TCP connections to any host on the Internet. However, you do not want
IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port
of a dedicated mail host.
OL-8915-01
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
Configuring IPv4 ACLs
26-19