Software Features Supported in Hardware by the PFC3, DFC3, and DFC
The PFC3, DFC3, and DFC provide hardware support for these Cisco IOS software features:
- Access Control Lists (ACLs) for Layer 3 ports and VLAN interfaces
– Permit and deny actions of input and output standard and extended ACLs
Note Flows that require ACL logging are processed in software on the MSFC.
– Except on MPLS interfaces, reflexive ACL flows after the first packet in a session is processed in software on the MSFC
– Dynamic ACL flows
Note Idle timeout is processed in software on the MSFC.
For more information about PFC and DFC support for ACLs, see Chapter36, “Understanding Cisco IOS ACL Support” For complete information about configuring ACLs, refer to the Cisco IOS Security Configuration Guide, Release 12.2, “Traffic Filtering and Firewalls,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
- VLAN ACLs (VACLs)—To configure VACLs, see Chapter38, “Configuring VLAN ACLs”
- Policy-based routing (PBR) for route-map sequences that use the match ip address, set ip next-hop, and ip default next-hop PBR keywords.
To configure PBR, refer to the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, “Classification” and “Configuring Policy-Based Routing,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Note If the MSFC3 or MSFC4 address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to a MSFC3 or MSFC4, configure PBR ACLs to deny traffic addressed to the MSFC.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/nde.html
Software Features Supported in Hardware by the PFC3 and DFC3
The PFC3 and DFC3 provide hardware support for these Cisco IOS software features:
- IPv4 Multicast over Point-to-Point generic route encapsulation (GRE) Tunnels—Refer to the publication at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
Note the following information about hardware-assisted NAT:
– NAT of UDP traffic is not supported in PFC3A mode.
– The PFC3 does not support NAT of multicast traffic.
– The PFC3 does not support NAT configured with a route-map that specifies length.
– When you configure NAT and NDE on an interface, the PFC3 sends all traffic in fragmented packets to the MSFC3 or MSFC4 to be processed in software. (CSCdz51590)
To configure NAT, see the Cisco IOS IP Configuration Guide, Release 12.2, “IP Addressing and Services,” “Configuring IP Addressing,” and “Configuring Network Address Translation,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/fipr_c.html
To prevent a significant volume of NAT traffic from being sent to the MSFC3, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl { ingress | egress } command described at this URL:
http://www.cisco.com/en/US/products/hw/switches/ps700/prod_command_reference_list.html
- The PFC3 and DFC3 support IPv4 multicast over point-to-point GRE tunnels in hardware.
- GRE Tunneling and IP in IP Tunneling—The PFC3 and DFC3 support the following tunnel commands:
– tunnel destination
– tunnel mode gre
– tunnel mode ipip
– tunnel source
– tunnel ttl
– tunnel tos
The MSFC3 and MSFC4 support tunneling configured with any other tunnel commands.
The tunnel ttl command (default 255) sets the TTL of encapsulated packets.
The tunnel tos command sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the ToS byte of a packet sets the ToS byte of the packet when it is encapsulated. If the tunnel tos command is not present and QoS is enabled, the ToS byte of a packet as modified by PFC QoS sets the ToS byte of the packet when it is encapsulated.
To configure GRE Tunneling and IP in IP Tunneling, refer to these publications:
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html
To configure the tunnel tos and tunnel ttl commands, refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html
Note the following information about tunnels:
– Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. Failure to use unique source addresses may result in control plane failures during software path congestion.
– Each tunnel interface uses one internal VLAN.
– Each tunnel interface uses one additional router MAC address entry per router MAC address.
– The PFC3A does not support any PFC QoS features on tunnel interfaces. All other PFCs do.
– The MSFC3 and MSFC4 support tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP intercept, CBAC, and encryption.