
Cisco IOS Software Releases 12.0 S

128-Line Input Access Control Lists on Cisco 12000 Series 8-Port OC-3 STM-1 ATM Line Cards



Feature History

Release      Modification
12.0(23)S    This feature was made available on the 8-Port OC-3 STM-1 ATM line card for Cisco 12000 Series Internet Routers.


This feature module describes the 128-line input access control list (ACL) feature for the 8-Port OC-3 STM-1 ATM line card on Cisco 12000 Series Internet Routers.

This document includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Monitoring Input ACL Status

Configuration Example

Command Reference

Feature Overview

Prior to the 12.0(23)S Cisco IOS software release, no input ACL support was provided for the 8-Port OC-3 STM-1 ATM line card on Cisco 12000 Series Internet Routers. With this release, you can now configure input ACLs on a per-subinterface basis on the 8-Port OC-3 STM-1 ATM line card.

Restrictions

The use of input ACLs on the 8-Port OC-3 STM-1 ATM line card is subject to the following restrictions:

Only input ACLs are supported.

A maximum of 16 distinct input ACLs per line card and 128 ACL entries per ACL are supported in PSA microcode due to memory limitations. Additional ACLs are processed by the line card CPU rather than the PSA microcode. This situation remains true even when one of the ACLs being processed in the PSA microcode is removed and the total number of distinct ACLs drops to 16.

Input ACL configuration on a subinterface is supported only on the 8-Port OC-3 STM-1 ATM line card.

Only LLC/SNAP encapsulation is supported in the PSA microcode. VCMux or NLPID encapsulation is processed by the line card CPU.

Basic IP and MPLS forwarding are supported together with input ACLs in the same 8-Port OC-3 STM-1 ATM line card microcode bundle. Any other features are either not supported, are processed by the line card CPU, or are processed in another PSA microcode bundle.

Related Features and Technologies

This feature allows you to configure input ACLs on a per-subinterface basis on the 8-Port OC-3 STM-1 ATM line card. For information on access control lists, see "Access Control Lists: Overview and Guidelines," a chapter in the Cisco IOS Release 12.0 Security Configuration Guide:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/scacls.htm

Related Documents

The following documents provide additional information about installing and configuring the 8-Port OC-3 STM-1 ATM line card:

8-Port OC-3 STM-1 ATM Line Card Installation and Configuration

Release Notes for Cisco 12000 Series Routers for Cisco IOS Release 12.0 S

Release Notes for Cisco IOS Release 12.0 S

Access Control Lists: Overview and Guidelines. This is a chapter in the Cisco IOS Release 12.0 Security Configuration Guide.

Configuring IP Services. This is a chapter in the Cisco IOS Release 12.0 Network Protocols Configuration Guide, Part I. See the section "Filter IP Packets."

You can also find additional information in the installation and configuration guide for your Cisco 12000 Series Internet Router and in the Cisco IOS Release 12.0 documentation set.

Supported Platforms

This feature is supported on all Cisco 12000 series Internet Routers equipped with one or more 8-Port OC-3 STM-1 ATM line cards.

Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://www.cisco.com/go/fn

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards apply to this feature.

MIBs

No new or modified MIBs apply to this feature.

RFCs

No new or modified RFCs apply to this feature.

Prerequisites

The Cisco 12000 Series Internet Router must be equipped with an 8-Port OC-3 STM-1 ATM line card and must be running Cisco IOS software Release 12.0(23)S or a later version of Cisco IOS software Release 12.0S.

Configuration Tasks

See the following sections for configuration tasks for the 128-line input access control list (ACL) feature. Each task in the list is identified as either required or optional.

Configuring Per-Subinterface Input ACLs (Required)

Verifying Input ACL Configuration (Optional)

Configuring Per-Subinterface Input ACLs

To configure per-subinterface input ACLs on an 8-Port OC-3 STM-1 ATM line card, use the following command in subinterface configuration mode:

Command                                                       Purpose
Router(config-subif)# ip access-group access-list-number in   Configures controlled access to an inbound subinterface on the 8-Port OC-3 STM-1 ATM line card.


Verifying Input ACL Configuration

To verify that the input ACL has been configured for an 8-Port OC-3 STM-1 ATM line card, use the following command in privileged EXEC mode:

Command                                                   Purpose
Router# exec on slot slot show access-list psa summary    Displays the ACL state and additional details about the line card.


Monitoring Input ACL Status

To display the ACL state and additional information for an 8-Port OC-3 STM-1 ATM line card, use the following command in privileged EXEC mode:

Command                                                   Purpose
Router# exec on slot slot show access-list psa summary    Displays the ACL state and additional details.


Configuration Example

This example applies access list 101 on packets inbound to the specified ATM subinterface.

interface atm 5/0.1
  ip access-group 101 in

Command Reference

This section documents modified commands associated with the use of this feature. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

ip access-group

To control access to an interface or to a subinterface, use the ip access-group command in the appropriate configuration mode. To remove the specified access group, use the no form of this command.

ip access-group access-list-number in

no ip access-group access-list-number in

Syntax Description

access-list-number    Number of an access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
in                    Filters on inbound packets.


Defaults

No access list is applied.

Command Modes

Interface configuration

Subinterface configuration

Command History

Release      Modification
10.0         This command was introduced.
12.0(23)S    This command was made available in subinterface configuration mode on the 8-Port OC-3 STM-1 ATM line card.


Usage Guidelines

For the 8-Port OC-3 STM-1 ATM line card, access lists are applied on inbound interfaces only. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination address against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

If the specified access list does not exist, all packets are passed.
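
The limits listed under Restrictions (input ACLs only, 16 distinct input ACLs per line card and 128 entries per ACL in PSA microcode) and the rule above that a missing access list passes all packets can be checked offline against a saved configuration. The following Python audit is an added example, not Cisco code: it handles numbered ACLs only, assumes every ATM interface in a slot sits on an 8-Port OC-3 STM-1 ATM line card, and uses a constructed sample configuration and hypothetical finding names.

```python
import re
from collections import defaultdict

MAX_PSA_ACLS = 16      # distinct input ACLs per line card in PSA microcode
MAX_PSA_ENTRIES = 128  # entries per ACL in PSA microcode
# Constructed sample configuration, not taken from a real router.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any
interface atm 5/0.1
  ip access-group 101 in
interface atm 5/0.2
  ip access-group 102 in
interface atm 5/1.1
  ip access-group 101 out
"""

IFACE = re.compile(r"interface\s+atm\s*(\d+)/(\S+)", re.I)
ACE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\b", re.I)
BIND = re.compile(r"\s+ip access-group\s+(\d+)\s+(in|out)\s*$", re.I)

def audit(config):
    """Return sorted (finding, subject, value) tuples for ATM interfaces."""
    entries = defaultdict(int)  # ACL number -> permit/deny entry count
    bound, findings, iface = [], [], None
    for line in config.splitlines():
        if not line[:1].isspace():  # a top-level command closes the interface block
            m, a = IFACE.match(line), ACE.match(line)
            iface = (m[1], f"atm {m[1]}/{m[2]}") if m else None  # (slot, name)
            if a:
                entries[a[1]] += 1
        elif iface and (b := BIND.match(line)):
            if b[2].lower() == "out":  # only input ACLs are supported
                findings.append(("output-acl-unsupported", iface[1], b[1]))
            else:
                bound.append((*iface, b[1]))
    per_slot = defaultdict(set)  # slot -> distinct input ACLs bound there
    for slot, name, acl in bound:
        per_slot[slot].add(acl)
        if entries[acl] == 0:  # missing list: all packets are passed
            findings.append(("undefined-acl-passes-all", name, acl))
        elif entries[acl] > MAX_PSA_ENTRIES:
            findings.append(("acl-over-128-entries-cpu-path", name, acl))
    findings += [("over-16-acls-cpu-path", f"slot {s}", str(len(a)))
                 for s, a in per_slot.items() if len(a) > MAX_PSA_ACLS]
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A static check of the configuration cannot detect the case where a line card had more than 16 distinct ACLs earlier and one was later removed; the Restrictions section states that the extra processing stays on the line card CPU in that situation.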

Examples

The following example applies access list 101 on packets inbound to the specified ATM subinterface:

interface atm 5/0.1
  ip access-group 101 in

Related Commands

Command                      Description
access-list (IP extended)    Defines an extended IP access list.
access-list (IP standard)    Defines a standard IP access list.
ip access-list               Defines an IP access list by name.
show access-lists            Displays the contents of current IP and rate-limit access lists.