Determining If The Acl Configuration Fits In Hardware - Cisco WS-C3550-12G Software Configuration Manual


Chapter 19
Configuring Network Security with ACLs

Using VLAN Maps with Router ACLs

• Avoid including Layer 4 information in an ACL; adding this information complicates the merging
  process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source
  and destination) and not on the full flow (source IP address, destination IP address, protocol, and
  protocol ports). It is also helpful to use don't care bits in the IP address, whenever possible.

• If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
  ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to
  the filtering of traffic based on IP addresses.

Determining if the ACL Configuration Fits in Hardware

As previously stated, ACL processing in the Catalyst 3550 switch is mostly accomplished in hardware.
However, if the hardware reaches its capacity to store ACL configurations, the switch software attempts
to fit a simpler configuration into the hardware. This simpler configuration does not do all the filtering
that has been configured, but instead sends some or all packets to the CPU to be filtered by software. In
this way, all configured filtering will be accomplished, but performance is greatly decreased when the
filtering is done in software.

For example, if the combination of an input router ACL applied to a VLAN interface and a VLAN map
applied to the same VLAN does not fit into the hardware, these results might occur:

• If the VLAN map alone fits in hardware, the software sets up the hardware to send to the CPU all
  packets that need to be routed for filtering and possible routing (if the packet passes the filter).
  Packets that only require bridging within the input VLAN are still handled entirely by hardware and
  not sent to the CPU.

• If the VLAN map does not fit in the hardware, all packets on that VLAN must be both filtered and
  forwarded by software.

Any problem in fitting the configuration into hardware is logged, but it is possible that not everyone who
configures the switch can see the log messages as they occur. You can use the show fm privileged EXEC
commands to determine if any interface configuration or VLAN configuration did not fit into hardware.

Beginning in privileged EXEC mode, follow these steps to see if a configuration fits into hardware:

Step    Command                             Purpose
1       show fm vlan vlan-id                Display feature manager information for the interface or the VLAN.
        or                                  Determine what label was used in the hardware for the interface or
        show fm interface interface-id      VLAN configuration.
2       show fm label name                  Display which of the configured ACL features fit into hardware.

This example shows how to display detailed feature manager information on a specified interface:

    Switch# show fm interface gigabitethernet0/12
    Input Label: 0 (default)
    Output Label: 0 (default)
    Priority: normal

Catalyst 3550 Multilayer Switch Software Configuration Guide    78-11194-03    19-37
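The two guidelines above (avoid Layer 4 information where you can, and put any Layer 4 ACEs at the end of the list so IP-address filtering keeps priority and the hardware merge stays simple) can be checked mechanically before an ACL is pushed to a switch. The following linter is an added example and is not Cisco code; it parses the extended-ACL entry syntax (permit/deny, protocol, source, destination, optional port operators) as shown in the guide, and the SAMPLE_ACL entries are constructed for illustration. It reports which entries carry Layer 4 information, whether an IP-only entry has been placed after a Layer 4 entry, and which entries match exact hosts on both sides where don't-care bits might have been used. It does not reorder anything, because moving ACEs in a first-match list changes the policy; it only flags what a reviewer should look at.

```python
"""Lint a Cisco IOS extended ACL against the Catalyst 3550 merge guidelines.

Added example, not from the Cisco guide. It reads ACEs in the
'permit|deny <protocol> <source> <destination> [ports/flags]' form used by
'ip access-list extended' and reports:
  * which ACEs carry Layer 4 information (TCP/UDP/ICMP, port operators),
    since those complicate the hardware merge;
  * whether any IP-only ACE follows a Layer 4 ACE, which the guide advises
    against when a full-flow ACL is unavoidable;
  * which ACEs match exact hosts on both sides, where don't-care bits
    might help the merge.
SAMPLE_ACL is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

L4_PROTOCOLS = {"tcp", "udp", "icmp"}
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}


@dataclass
class Ace:
    seq: int            # 1-based position in the list (first match wins)
    text: str
    has_layer4: bool    # TCP/UDP/ICMP protocol or a port qualifier
    host_only: bool     # both addresses are exact hosts (no don't-care bits)


def _take_address(tokens: List[str], i: int) -> Tuple[int, bool]:
    """Consume one address spec at tokens[i]; return (next index, uses wildcard bits)."""
    if tokens[i] == "any":
        return i + 1, True
    if tokens[i] == "host":
        return i + 2, False
    # 'address wildcard' form; a 0.0.0.0 wildcard is an exact host in disguise
    return i + 2, tokens[i + 1] != "0.0.0.0"


def _skip_port(tokens: List[str], i: int) -> Tuple[int, bool]:
    """Skip an optional port qualifier (eq 443, range 1 1024, ...); report if one was present."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        return i + (3 if tokens[i] == "range" else 2), True
    return i, False


def parse_ace(seq: int, line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    protocol = tokens[1].lower()
    i, src_wild = _take_address(tokens, 2)
    i, src_port = _skip_port(tokens, i)       # TCP/UDP source port, if any
    i, dst_wild = _take_address(tokens, i)
    i, dst_port = _skip_port(tokens, i)       # destination port, if any
    # anything left (icmp type, 'established', 'log', ...) is not needed here
    return Ace(
        seq=seq,
        text=line.strip(),
        has_layer4=protocol in L4_PROTOCOLS or src_port or dst_port,
        host_only=not (src_wild or dst_wild),
    )


def lint_acl(lines: List[str]) -> Dict[str, object]:
    entries = [x for x in lines if x.strip() and not x.strip().startswith("!")]
    aces = [parse_ace(n, l) for n, l in enumerate(entries, 1)]
    layer4 = [a.seq for a in aces if a.has_layer4]
    first_l4 = layer4[0] if layer4 else None
    # An IP-only ACE placed after a Layer 4 ACE breaks the "Layer 4 last" rule.
    misordered = [a.seq for a in aces
                  if first_l4 is not None and a.seq > first_l4 and not a.has_layer4]
    host_only = [a.seq for a in aces if a.host_only]
    return {
        "layer4_aces": layer4,
        "ip_only_after_layer4": misordered,
        "host_only_aces": host_only,
        "fits_guideline": not misordered,
    }


# Constructed sample: entries 2, 4 and 5 carry Layer 4 information; entry 3
# is an IP-only ACE that sits after a Layer 4 ACE and matches exact hosts.
SAMPLE_ACL = [
    "permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255",
    "permit tcp any host 10.2.0.10 eq 443",
    "deny ip host 10.1.5.5 host 10.2.0.20",
    "permit udp 10.1.0.0 0.0.255.255 any range 16384 32767",
    "deny icmp any any echo",
]

if __name__ == "__main__":
    for key, value in lint_acl(SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

Run it against the ACL body copied from a configuration (one ACE per line); a non-empty ip_only_after_layer4 list means the IP-address entries will sit behind Layer 4 entries in the merged result, which is the situation the guide says to avoid, and a non-empty host_only_aces list marks entries worth re-expressing with wildcard bits if the policy allows it.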
