Cisco WS-C6506 Software Manual page 410

Catalyst 6500 series switch
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, Chapter 15: Configuring Access Control (OL-8978-04), page 15-14

Using Cisco IOS ACLs in your Network

Security Cisco IOS ACLs

The IP and IPX security Cisco IOS ACLs in switches that are configured with the PFC2 or PFC3A/PFC3B/PFC3BXL behave as follows:

• If either the ip unreachables or ip redirects option is enabled on an interface, most packets in flows that match a deny statement in an ACL are still dropped in hardware. Only a few packets are processed in software so that the router can send the appropriate ICMP unreachable message.
• The permit and deny actions of standard and extended ACLs (input and output) used for security access control are handled in hardware.
• IP accounting for ACL access violations on a given interface is supported by forwarding all denied packets for that interface to software, without affecting other flows. Because every denied packet on that interface is then punted to the MSFC, enable it only where the volume of denied traffic is small.
• Dynamic (lock and key) ACL flows are supported in hardware; however, the idle timeout is not supported.
• IPX standard input and output ACLs are supported in hardware when the ACL parameters are the IPX source network, destination network, and/or destination node. If the ACL contains any other parameters, it is handled in software.
• IPX extended input and output ACLs are supported in hardware when the ACL parameters are the IPX source network, destination network, destination node, and/or protocol type.
• ACL flows that require logging are handled in software, without affecting hardware forwarding of flows that do not log.

Rate Limiting for Cisco IOS ACL Logging

Rate limiting for Cisco IOS ACL logging limits the number of packets that are sent to the MSFC CPU for bridged ACEs. An ACE is bridged, that is, its matching packets are sent to the MSFC for software processing instead of being switched in hardware, when the Cisco IOS ACL result is a deny or a permit with the log option specified. Without a limit, the bridge action can let ACL logging overload the MSFC CPU, so a remote sender that can generate traffic matching a logged ACE can drive that load. When you configure rate limiting for Cisco IOS ACL logging, the bridged ACEs are redirected to the MSFC with rate limiting applied.

Configuring Rate Limiting for Cisco IOS ACL Logging Guidelines

This section describes the guidelines for configuring rate limiting for Cisco IOS ACL logging:

• After entering the set acllog ratelimit rate command or the clear acllog command, you must either reset the MSFC or perform a shutdown/no shutdown on the MSFC interface(s) that have ACEs with the log keyword applied. Until you do, the new setting is not in effect.
• After entering the set acllog ratelimit rate command, performing the reset or shutdown/no shutdown causes the bridged ACEs to be redirected to the MSFC with rate limiting.
• After entering the clear acllog command, performing the reset or shutdown/no shutdown returns the switch to its previous behavior; the bridge action itself remains unchanged.
• The rate specified with the set acllog ratelimit rate command can be from 500 to 2000. The rate is the number of packets per second that hit a redirect ACE and are sent to the MSFC. If the actual packet rate is greater than the rate that you specify, the excess packets are dropped. This applies to permit entries with the log keyword as well as to deny entries, so traffic matching a permit ... log ACE above the limit is discarded rather than forwarded. We recommend that you specify a rate of 500 packets per second.
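The following is an added worked example, not text from the configuration guide, that carries the procedure above through end to end: a logged deny ACE on the MSFC (Cisco IOS), the rate limit set on the supervisor engine (CatOS), and the shutdown/no shutdown that makes the limit take effect. The ACL number, VLAN number, host address, prompts, and the MSFC module number used with the CatOS session command are assumptions chosen for illustration; lines beginning with "!" are annotations, not commands. The no ip unreachables step is an optional hardening measure added here and goes beyond what the guide states.

```text
! --- Step 1: from the supervisor, open a session to the MSFC and create an ACL
! whose deny entry logs. Packets that hit the "log" ACE are bridged (punted) to
! the MSFC CPU. (ACL 101, VLAN 10, 10.1.1.10 and module 15 are illustrative.)
Console> (enable) session 15
Router# configure terminal
Router(config)# access-list 101 deny tcp any host 10.1.1.10 eq 23 log
Router(config)# access-list 101 permit ip any any
Router(config)# interface vlan 10
Router(config-if)# ip access-group 101 in
! Optional hardening (not from the guide): with unreachables disabled, denied
! flows need no software-generated ICMP and stay entirely in hardware.
Router(config-if)# no ip unreachables
Router(config-if)# end
Router# exit

! --- Step 2: on the supervisor engine (CatOS), cap the punt rate at the
! recommended 500 packets per second (allowed range 500-2000). Packets above
! this rate are dropped, including traffic that matched a permit ... log ACE.
Console> (enable) set acllog ratelimit 500

! --- Step 3: the limit takes effect only after an MSFC reset or a
! shutdown/no shutdown of every MSFC interface that carries a "log" ACE.
Console> (enable) session 15
Router# configure terminal
Router(config)# interface vlan 10
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# end
Router# exit

! --- To revert: remove the limit, then repeat Step 3 so the change is applied.
! The ACEs remain bridged; only the rate limiting is removed.
Console> (enable) clear acllog
```

Choosing the interface shutdown over a full MSFC reset keeps the outage confined to the VLAN interfaces that carry logged ACEs; a reset disturbs every routed interface on the MSFC.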
