Policy Routing - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Using Cisco IOS ACLs in your Network
half-connections together transparently. This process ensures that the connection attempts from the
unreachable hosts never reach the server. The software continues to intercept and forward the packets
throughout the duration of the connection.

Policy Routing

The policy routing-required flows are handled in the software without impacting the non-policy routed
flow forwarding in the hardware. When a route map contains multiple "match" clauses, all conditions
that are imposed by these match clauses must be met before a packet is policy routed. However, for the
route maps that contain both "match ip address" and "match length," all traffic matching the ACL in the
"match ip address" clause is forwarded to the software regardless of the match length criteria. For the
route maps that contain only the match length clauses, all packets that are received on the interface are
forwarded to the software.
When you enable hardware policy routing using the mls ip pbr global command, all policy routing
occurs in the hardware.
Caution: If you use the mls ip pbr command to enable policy routing, policy routing is applied in the hardware for all interfaces regardless of which interface was configured for the policy routing.
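The match-clause rules above can be checked against a saved configuration. The following audit script is an added example, not part of the Cisco manual: it reports, per interface with policy routing applied, how much traffic the rules above send to software. The sample configuration is constructed, the `ip policy route-map` and `route-map` lines use standard IOS syntax that this page does not show, and treating each route-map entry separately and reporting the worst one is an assumption.

```python
import re

# Constructed sample configuration (not from the manual).
SAMPLE_CONFIG = """\
interface Vlan10
 ip policy route-map BY-SIZE
interface Vlan20
 ip policy route-map ACL-AND-SIZE
interface Vlan30
 ip policy route-map ACL-ONLY
route-map BY-SIZE permit 10
 match length 1000 1500
 set ip next-hop 192.0.2.1
route-map ACL-AND-SIZE permit 10
 match ip address 101
 match length 64 200
 set ip next-hop 192.0.2.2
route-map ACL-ONLY permit 10
 match ip address 102
 set ip next-hop 192.0.2.3
"""

# What reaches software, ordered from least to most CPU exposure.
VERDICTS = ["policy-routed flows only", "all ACL-matched traffic",
            "all traffic on interface"]

def audit_pbr(config):
    """Return (mls_ip_pbr_seen, {interface: (route_map, verdict)})."""
    maps, applied, ctx, seq, hw_pbr = {}, {}, None, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line opens a new context
            m = re.match(r"(interface|route-map)\s+(\S+)", line)
            ctx = m.groups() if m else None
            hw_pbr = hw_pbr or line.startswith("mls ip pbr")
            if ctx and ctx[0] == "route-map":  # one dict per route-map entry
                seq = {"acl": False, "length": False}
                maps.setdefault(ctx[1], []).append(seq)
        elif ctx and ctx[0] == "route-map":
            seq["acl"] |= line.startswith("match ip address")
            seq["length"] |= line.startswith("match length")
        elif ctx and (m := re.match(r"ip policy route-map\s+(\S+)", line)):
            applied[ctx[1]] = m.group(1)
    # Worst entry decides: length only -> 2, ACL plus length -> 1, else 0.
    rank = lambda s: (1 if s["acl"] else 2) if s["length"] else 0
    return hw_pbr, {i: (n, VERDICTS[max(map(rank, maps.get(n, [])), default=0)])
                    for i, n in applied.items()}
```

When the first returned value is true, the configuration contains mls ip pbr, so policy routing occurs in the hardware on all interfaces and the per-interface verdicts describe only the software path.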
WCCP
The HTTP requests that are subject to Web Cache Coordination Protocol (WCCP) redirection are
handled in the software; the HTTP replies from the server and the Cache Engine are handled in the
hardware.
NAT
The NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the
hardware.
Unicast RPF Check
The unicast RPF feature is supported in the hardware on the PFC. For ACL-based RPF checks, the traffic
that is denied by the unicast RPF ACL is forwarded to the MSFC for RPF validation.
Caution: With ACL-based unicast RPF, the packets that are denied by the ACL are sent to the CPU for RPF validation. In the event of DoS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this process could cause high CPU utilization.
Note: The drop-suppress statistics for the ACL-based RPF check are not supported.
Bridge-Groups
Cisco IOS bridge-group ACLs are handled in the software.
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
15-12
Chapter 15
Configuring Access Control
OL-8978-04
