Understanding Cisco IOS ACL Support
This chapter describes Cisco IOS ACL support on the Cisco 7600 series routers:
- Cisco IOS ACL Configuration Guidelines and Restrictions
- Hardware and Software ACL Support
- Optimized ACL Logging with a PFC3
- Guidelines and Restrictions for Using Layer 4 Operators in ACLs
For complete information about configuring Cisco IOS ACLs, refer to the Cisco IOS Security Configuration Guide, Release 12.2 at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrpf.html
Cisco IOS ACL Configuration Guidelines and Restrictions
The following guidelines and restrictions apply to Cisco IOS ACL configurations:
- You can apply Cisco IOS ACLs directly to Layer 3 ports and to VLAN interfaces.
- You can apply VLAN ACLs (VACLs) to VLANs (refer to Chapter 38, “Configuring VLAN ACLs”).
- Each type of ACL (IP, IPX, and MAC) filters only traffic of the corresponding type. A Cisco IOS MAC ACL never matches IP or IPX traffic.
- The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the MSFC.
- By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group.
With the ip unreachables command enabled (which is the default), the supervisor engine drops most of the denied packets in hardware and sends only a small number of packets to the MSFC to be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages.
To eliminate the load imposed on the MSFC CPU by the task of dropping denied packets and generating ICMP-unreachable messages, you can enter the no ip unreachables interface configuration command to disable ICMP unreachable messages, which allows all access group-denied packets to be dropped in hardware.
Hardware and Software ACL Support
Access control lists (ACLs) can be processed in hardware by the Policy Feature Card (PFC), a Distributed Forwarding Card (DFC), or in software by the Multilayer Switch Feature Card (MSFC). The following behavior describes software and hardware handling of ACLs:
- The PFC provides more efficient hardware support for named ACLs than it can for numbered ACLs.
- ACL flows that match a “deny” statement in standard and extended ACLs (input and output) are dropped in hardware if “ip unreachables” is disabled.
- ACL flows that match a “permit” statement in standard and extended ACLs (input and output) are processed in hardware.
- VLAN ACL (VACL) flows are processed in hardware. If a field specified in a VACL is not supported by hardware processing, that field is ignored (for example, the log keyword in an ACL) or the whole configuration is rejected (for example, a VACL containing IPX ACL parameters).
- VACL logging is processed in software.
- Dynamic ACL flows are processed in hardware.
- Idle timeout is processed in software.
Note
Idle timeout is not configurable. Cisco 7600 series routers do not support the access-enable host timeout command.
- IP accounting for an ACL access violation on a given port is supported by forwarding all denied packets for that port to the MSFC for software processing without impacting other flows.
- The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the MSFC.
- Extended name-based MAC address ACLs are supported in hardware.
- The following ACL types are processed in software:
– Internetwork Packet Exchange (IPX) access lists
– Extended MAC address access list
– Protocol type-code access list
Note
IP packets with a header length field of less than five (32-bit words) will not be access controlled.
- Unless you configure optimized ACL logging (OAL), flows that require logging are processed in software without impacting nonlogged flow processing in hardware (see the “Optimized ACL Logging with a PFC3” section).
- The forwarding rate for software-processed flows is substantially less than for hardware-processed flows.
- When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.
Optimized ACL Logging with a PFC3
Understanding OAL
Optimized ACL Logging (OAL) provides hardware support for ACL logging. Unless you configure OAL, packets that require logging are processed completely in software on the MSFC. OAL permits or drops packets in hardware on the PFC3 and uses an optimized routine to send information to the MSFC3 to generate the logging messages.
OAL Guidelines and Restrictions
The following guidelines and restrictions apply to OAL:
- OAL and VACL capture are incompatible. Do not configure both features on the router. With OAL configured, use SPAN to capture traffic.
- OAL is supported only on the PFC3.
- OAL supports only IPv4 unicast packets.
- OAL supports VACL logging of permitted ingress traffic.
- OAL does not provide hardware support for the following:
– ACLs used to filter traffic for other features (for example, QoS)
– Exception packets (for example, TTL failure and MTU failure)
– Packets addressed at Layer 3 to the router
– Packets sent to the MSFC3 to generate ICMP unreachable messages
– Packets being processed by features not accelerated in hardware
Configuring OAL
These sections describe how to configure OAL:
- Configuring OAL Global Parameters
- Configuring OAL on an Interface
- Displaying OAL Information
- Clearing Cached OAL Entries
Note
- For complete syntax and usage information for the commands used in this section, refer to the Cisco 7600 Series Router Cisco IOS Command Reference.
- To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable acl-drop 0 command.
Configuring OAL Global Parameters
To configure global OAL parameters, perform this task:
When configuring OAL global parameters, note the following information:
- Maximum number of entries cached:
– Range: 0–1,048,576 (entered without commas).
- Maximum time interval before an entry is sent to be logged (an entry that is inactive for this duration is also removed from the cache):
– Range: 5–86,400 seconds (1440 minutes or 24 hours, entered without commas).
– Default: 300 seconds (5 minutes).
- Number of packets logged per second in software:
– Range: 10–1,000,000 (entered without commas).
– Default: 0 (rate limiting is off and all packets are logged).
- Number of packet matches before an entry is logged:
– Range: 1–1,000,000 (entered without commas).
– Default: 0 (logging is not triggered by the number of packet matches).
Configuring OAL on an Interface
To configure OAL on an interface, perform this task:
Router(config)# interface {{type slot/port} |
Displaying OAL Information
To display OAL information, perform this task:
Clearing Cached OAL Entries
To clear cached OAL entries, perform this task:
Guidelines and Restrictions for Using Layer 4 Operators in ACLs
These sections describe guidelines and restrictions when configuring ACLs that include Layer 4 port operations:
Determining Layer 4 Operation Usage
You can specify these types of operations:
We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.
Use the following two guidelines to determine Layer 4 operation usage:
- Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are three different Layer 4 operations (“gt 10” and “gt 11” are considered two different Layer 4 operations):
Note
There is no limit to the use of “eq” operators as the “eq” operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation Unit Usage” section for a description of LOUs.
- Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port.
Determining Logical Operation Unit Usage
Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the exception of the range operator. LOU usage per Layer 4 operation is as follows:
For example, this ACL would use a single LOU to store two different operator-operand couples:
A more detailed example follows:
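The counting rules in the two sections above can be applied mechanically. The following Python model is an added example, not part of the Cisco guide: it extracts the Layer 4 operations from a constructed TCP/UDP ACL, treats the same operator-operand couple on the source and on the destination side as two different operations, ignores eq (which uses no LOU or Layer 4 operation bit), and estimates LOU consumption on the assumption that gt, lt and neq each take half a LOU while range occupies a whole LOU by itself.

```python
import math

# Counting rules from the guide: eq uses neither a LOU nor a Layer 4 operation
# bit; a LOU holds two operator-operand couples, except range, which is assumed
# here (not stated on the page) to occupy a whole LOU on its own.
HALF_LOU_OPS = ("gt", "lt", "neq")
LOU_CAPACITY = 32          # 32 LOUs are available
RECOMMENDED_MAX_OPS = 9    # recommended ceiling on different operations per ACL

def parse_l4_ops(ace):
    """Return the Layer 4 operations in one ACE as (operator, ports, side) tuples.

    Handles 'any', 'host A' and 'A wildcard' address forms of TCP/UDP ACEs (a
    constructed simplification of the ACE grammar). A port operator belongs to
    the address it follows, so the same couple on the source side and on the
    destination side yields two different operations, as the guide states.
    """
    tokens = ace.split()
    i = next(k for k, t in enumerate(tokens) if t in ("permit", "deny")) + 2
    ops = []
    for side in ("src", "dst"):
        i += 1 if tokens[i] == "any" else 2          # skip the address spec
        if i < len(tokens) and tokens[i] == "range":
            ops.append(("range", (int(tokens[i + 1]), int(tokens[i + 2])), side))
            i += 3
        elif i < len(tokens) and tokens[i] in HALF_LOU_OPS + ("eq",):
            ops.append((tokens[i], (int(tokens[i + 1]),), side))
            i += 2
    return ops

def analyze_acl(aces):
    """Count distinct Layer 4 operations and estimate the LOUs an ACL consumes."""
    ops = {op for ace in aces for op in parse_l4_ops(ace)}   # duplicates collapse
    counted = [op for op in ops if op[0] != "eq"]           # eq is free
    halves = sum(1 for op in counted if op[0] in HALF_LOU_OPS)
    ranges = sum(1 for op in counted if op[0] == "range")
    lous = math.ceil(halves / 2) + ranges
    return {"distinct_ops": len(counted), "lous_used": lous,
            "over_recommended": len(counted) > RECOMMENDED_MAX_OPS,
            "exceeds_lou_capacity": lous > LOU_CAPACITY}

# Constructed sample ACL; the comments note how each ACE affects the count.
SAMPLE_ACL = [
    "access-list 101 permit tcp any 10.1.1.0 0.0.0.255 gt 10",
    "access-list 101 permit tcp any 10.1.1.0 0.0.0.255 gt 11",     # different operand
    "access-list 101 permit tcp any gt 10 10.1.1.0 0.0.0.255",     # same couple, source side
    "access-list 101 permit tcp any 10.1.1.0 0.0.0.255 range 5 7",
    "access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 80",     # eq: not counted
    "access-list 101 deny tcp any 10.1.1.0 0.0.0.255 gt 10",       # repeat of the first
    "access-list 101 permit tcp any host 10.1.1.1 neq 6",
]

if __name__ == "__main__":
    print(analyze_acl(SAMPLE_ACL))
```

The sample yields five distinct operations (gt 10 twice, once per side, gt 11, range 5 7 and neq 6) and an estimate of three LOUs: two for the four half-LOU couples plus one for the range.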