Cisco WS-C6506 Software Manual page 407
Catalyst 6500 series switch

Chapter 15
Configuring Access Control

These sections describe how the different types of ACLs and traffic flows are handled by the hardware and the software:

• Security Cisco IOS ACLs, page 15-11
• Reflexive ACLs, page 15-11
• TCP Intercept, page 15-11
• Policy Routing, page 15-12
• WCCP, page 15-12
• NAT, page 15-12
• Unicast RPF Check, page 15-12
• Bridge-Groups, page 15-12

Security Cisco IOS ACLs

With a PFC, IP and IPX security Cisco IOS ACLs are handled as follows:

• Flows that match a "deny" statement in a security ACL are dropped in hardware if "ip unreachables" is disabled on the interface (when it is enabled, denied packets must go to the software so that ICMP unreachable messages can be generated). Flows that match a "permit" statement are switched in hardware.
• Permit and deny actions of standard and extended ACLs (input and output) used for security access control are handled in hardware.
• IP accounting for ACL access violations on a given interface is supported by forwarding all denied packets for that interface to the software, without affecting other flows.
• Dynamic (lock and key) ACL flows are supported in hardware; however, the idle timeout is not supported.
• IPX standard input and output ACLs are supported in hardware when the ACL parameters are the IPX source network, destination network, and/or destination node. If the ACL contains any other parameters, it is handled in software.
• IPX extended input and output ACLs are supported in hardware when the ACL parameters are the IPX source network, destination network, destination node, and/or protocol type.
• ACL flows that require logging are handled in software, without affecting hardware forwarding of flows that do not log.

Reflexive ACLs

Up to 512 simultaneous reflexive sessions are supported in hardware. When reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept

TCP intercept is implemented in software to protect TCP servers from TCP SYN-flooding attacks, which are denial-of-service attacks. TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts the TCP synchronization (SYN) packets sent from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes a connection with the server on behalf of the client and binds the two
OL-8978-04
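The following MSFC configuration is an added example, not taken from this guide, that puts the hardware-versus-software rules above (security ACL deny handling, ACL logging, lock-and-key idle timeout, reflexive ACLs) and the TCP intercept feature into one working configuration. All interface names, VLANs, addresses, usernames and ACL names are hypothetical; the commands are standard Cisco IOS commands as they would be entered on the MSFC.

```cisco
! Added example (not from the Cisco guide). Interface names, VLANs,
! addresses and ACL names are hypothetical.

! --- Security ACL: permit/deny decisions stay in PFC hardware --------------
ip access-list extended SERVER-IN
 permit tcp any host 10.1.1.10 eq 80
 permit tcp any host 10.1.1.10 eq 443
 ! Caveat: every flow matching a "log" entry is punted to the MSFC CPU.
 ! Use "log" only on low-rate entries you actually need to investigate.
 deny   tcp any host 10.1.1.10 eq 23 log
 deny   ip  any any

interface Vlan10
 description server VLAN (hypothetical)
 ip address 10.1.1.1 255.255.255.0
 ip access-group SERVER-IN in
 ! With "ip unreachables" enabled, denied packets go to software so ICMP
 ! unreachables can be generated; disabling it keeps the drop in hardware.
 no ip unreachables

! --- Lock-and-key (dynamic ACL): flows in hardware, idle timeout NOT honored ---
! Rely on the absolute "timeout 120" (minutes) on the dynamic entry; the
! "access-enable host timeout 5" idle timer is not enforced for hardware flows.
username remote secret example-only
access-list 102 permit tcp any host 10.1.1.1 eq telnet
access-list 102 dynamic REMOTE-ACCESS timeout 120 permit ip any 10.1.1.0 0.0.0.255
line vty 0 4
 login local
 autocommand access-enable host timeout 5

! --- Reflexive ACLs: up to 512 sessions in hardware, flow mask -> VLAN-full ---
! Vlan900 is the hypothetical uplink; "out" is traffic leaving toward the
! uplink, "in" is traffic returning from it.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit ip any any
ip access-list extended INBOUND
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny ip any any

interface Vlan900
 description uplink (hypothetical)
 ip address 192.168.255.2 255.255.255.252
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! --- TCP intercept (software feature): protect servers matched by ACL 101 ---
access-list 101 permit tcp any 10.1.1.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept mode intercept
! Aggressive-mode thresholds: above "high" the software starts dropping
! half-open connections, below "low" it returns to normal behaviour.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode random
```

To confirm the behaviour, use show ip access-lists to watch match counters on the logged deny entry (each hit there is a software-switched flow), and show tcp intercept statistics and show tcp intercept connections to see how many half-open connections the intercept software is holding on behalf of the servers in 10.1.1.0/24.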
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Using Cisco IOS ACLs in your Network
15-11