- Index
- Preface
- Product Overview
- Virtual Switching Systems (VSS)
- Layer 2 LAN Port Configuration
- Flex Links
- EtherChannels
- IEEE 802.1ak MVRP and MRP
- VLAN Trunking Protocol (VTP)
- VLANs
- Private VLANs (PVLANs)
- Private Hosts
- IEEE 802.1Q Tunneling
- Layer 2 Protocol Tunneling
- Spanning Tree Protocols (STP, MST)
- Optional STP Features
- IP Unicast Layer 3 Switching
- Multiprotocol Label Switching (MPLS)
- MPLS VPN Support
- Ethernet over MPLS (EoMPLS)
- Virtual Private LAN Services (VPLS)
- Ethernet Virtual Connections (EVC)
- Layer 2 over Multipoint GRE (L2omGRE)
- IPv4 Multicast Layer 3 Features
- IPv4 Multicast IGMP Snooping
- IPv4 PIM Snooping
- IPv4 Multicast VLAN Registration (MVR)
- IPv4 IGMP Filtering
- IPv4 Router Guard
- IPv4 Multicast VPN Support
- IPv6 Multicast Layer 3 Features
- IPv6 MLD Snooping
- NetFlow Hardware Support
- Call Home
- System Event Archive (SEA)
- Backplane Platform Monitoring
- Local SPAN, RSPAN, and ERSPAN
- SNMP IfIndex Persistence
- Top-N Reports
- Layer 2 Traceroute Utility
- Mini Protocol Analyzer
- PFC QoS Overview
- PFC QoS Guidelines and Restrictions
- PFC QoS Classification, Marking, and Policing
- PFC QoS Policy Based Queueing
- PFC QoS Global and Interface Options
- AutoQoS
- MPLS QoS
- PFC QoS Statistics Data Export
- Cisco IOS ACL Support
- Cisco TrustSec (CTS)
- AutoSecure
- MAC Address-Based Traffic Blocking
- Port ACLs (PACLs)
- VLAN ACLs (VACLs)
- Policy-Based Forwarding (PBF)
- Denial of Service (DoS) Protection
- Control Plane Policing (CoPP)
- Dynamic Host Configuration Protocol (DHCP) Snooping
- IP Source Guard
- Dynamic ARP Inspection (DAI)
- Traffic Storm Control
- Unknown Unicast and Multicast Flood Control
- IEEE 802.1X Port-Based Authentication
- Configuring Web-Based Authentication
- Port Security
- Lawful Intercept
- Online Diagnostic Tests
- Migrating From a 12.2SX QoS Configuration
Catalyst 6500 Release 15.0SY Software Configuration Guide
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- February 24, 2012
Chapter: Cisco IOS ACL Support
Cisco IOS ACL Support
- Restrictions for Cisco IOS ACLs
- Restrictions for Layer 4 Operators in ACLs
- Information About ACL Support
- Policy-Based ACLs (PBACLs)
- MAC ACLs
- ARP ACLs
- Optimized ACL Logging
- Dry Run Support for ACLs
- Hardware ACL Statistics
Note ●
For complete information about configuring Cisco IOS ACLs, see this publication:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-sy/sec-data-acl-15-sy-book.html
- For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps11845/prod_command_reference_list.html
- Cisco IOS Release 15.0SY supports only Ethernet interfaces. Cisco IOS Release 15.0SY does not support any WAN features or commands.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Restrictions for Cisco IOS ACLs
- You can apply Cisco IOS ACLs directly to Layer 3 ports and to VLAN interfaces.
- You can apply VLAN ACLs and port ACLs to Layer 2 interfaces and VLANs (see Chapter 1, “Port ACLs (PACLs)” and Chapter 1, “VLAN ACLs (VACLs)”).
- Each type of ACL (IP, IPX, and MAC) filters only traffic of the corresponding type. A Cisco IOS MAC ACL never matches IP or IPX traffic unless the mac packet-classify configuration command is enabled. By default, the mac packet-classify configuration command is disabled.
- When you enter the mac packet-classify configuration command, MAC ACLs will be applied to all protocol traffic.
- The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the route processor (RP).
- By default, the RP sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group.
With the ip unreachables command enabled (which is the default), the switch drops most of the denied packets in hardware and sends only a small number of packets to the RP to be dropped in software, which generates ICMP-unreachable messages.
The ip unreachables command does not impact the hardware behavior for ACL drop packets and the leaking of ACL deny packets is enabled by default. You can enter the no ip unreachables interface configuration command to disable ICMP unreachable messages.
- ICMP unreachable messages are not sent if a packet is denied by a VACL or a PACL.
- Use named ACLs (instead of numbered ACLs) because this causes less CPU usage when creating or modifying ACL configurations and during system restarts. When you create ACL entries (or modify existing ACL entries), the software performs a CPU-intensive operation called an ACL merge to load the ACL configurations into the PFC hardware. An ACL merge also occurs when the startup configuration is applied during a system restart.
With named ACLs, the ACL merge is triggered only when the user exits the named-acl configuration mode. However, with numbered ACLs, the ACL merge is triggered for every ACE definition and results in a number of intermediate merges during ACL configuration.
Restrictions for Layer 4 Operators in ACLs
Determining Layer 4 Operation Usage
You can specify these types of operations:
We recommend that you do not specify more than ten different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.
Use the following two guidelines to determine Layer 4 operation usage:
- Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are three different Layer 4 operations (“gt 10” and “gt 11” are considered two different Layer 4 operations):
Note There is no limit to the use of “eq” operators as the “eq” operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation Unit Usage” section for a description of LOUs.
- Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port.
Determining Logical Operation Unit Usage
Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs. There can be up to 104 LOUs and each LOU can store two different operator-operand couples, making the total number of LOU registers to be 208. LOU usage per Layer 4 operation is as follows:
For example, this ACL would use a single LOU to store two different operator-operand couples:
A more detailed example follows:
Information About ACL Support
ACLs can be processed in hardware by the Policy Feature Card (PFC), any Distributed Forwarding Cards (DFCs), or in software by the route processor (RP):
- ACL flows that match a “deny” statement in standard and extended ACLs (input and output) are dropped in hardware if “ip unreachables” is disabled.
- ACL flows that match a “permit” statement in standard and extended ACLs (input and output) are processed in hardware.
- VLAN ACL (VACL) and port ACL (PACL) flows are processed in hardware. If a field that is specified in a VACL or PACL is not supported by hardware processing, then that field is ignored (for example, the log keyword in an ACL), or the whole configuration is rejected (for example, a VACL containing IPX ACL parameters).
- IPv6 ACLs use 32 bit encoding.
- VACL logging is processed in software.
- VACL is not supported for IPX access lists.
- VACL supports only deny packet logging.
- Dynamic ACL flows are processed in hardware.
- Idle timeout is processed in software.
Note Idle timeout is not configurable. Cisco IOS Release 15.0SY does not support the access-enable host timeout command.
- Except on MPLS interfaces, reflexive ACL flows are processed in hardware after the first packet in a session is processed in software on the RP.
- Reflexive ACL flows are not accelerated in hardware for traffic from IP to various tags and traffic from various tags to IP. Reflexive ACL flows are also not accelerated in hardware for any traffic coming in and going out of all tunnel interfaces.
- IP accounting for an ACL access violation on a given port is supported only for the ACL packets that are deny leaked, by forwarding all denied packets for that port to the RP for software processing without impacting other flows.
- MAC ACLs are supported in hardware on switch ports (MAC PACLs) or on VLANs as part of VACLs.
- The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the RP.
- Extended name-based MAC address ACLs are supported in hardware.
- The following ACL types are processed in software:
– Internetwork Packet Exchange (IPX) access lists
– Protocol type-code access list
Note IP packets with a header length of less than five will not be access controlled.
- Unless you configure optimized ACL logging (OAL), flows that require logging are processed in software without impacting nonlogged flow processing in hardware (see the “Optimized ACL Logging” section).
- The forwarding rate for software-processed flows is substantially less than for hardware-processed flows.
- With the hardware statistics feature enabled, when you enter the show ip access-list command, the match count displayed includes packets processed in hardware.
- When you enter the ip unreachables config command on the PFC interface, the hardware behavior remains unaltered.
- The Hitless TCAM update for IPv4 and IPv6 provides the capability to apply existing features to the incoming traffic while updating new features in the TCAM. The Hitless feature update is mandatory for IPv6 traffic where any changes in the IPv6 ACL on a given interface would trigger a reprogramming of all the IPv6 features on all the interfaces.
- Hitless update is enabled by default. To disable the Hitless update, enter the no platform hardware acl update-mode hitless command.
Note See the “Restrictions for eFSU” section for information about some release-specific restrictions.
- With the Hitless update enabled, when the FM (Feature Manager) or the switch is making updates to the recently modified ACL, a copy of each TCAM entry will be programmed in hardware. If the ACLs are not modified, the TCAM space reserved for hitless update will equal the number of TCAM entries used by the largest ACL.
Policy-Based ACLs (PBACLs)
Restrictions for PBACLs
- PBACLs are supported on Layer 3 interfaces (such as routed interfaces and VLAN interfaces).
- The PBACL feature only supports IPv4 ACEs.
- The PBACL feature supports only Cisco IOS ACLs. It is not supported with any other features. The keywords reflexive and evaluate are not supported.
- The PBACL feature supports only named Cisco IOS ACLs. It does not support numbered ACLs.
- Feature interactions for policy-based ACLs are the same as for Cisco IOS ACLs.
Information about PBACLs
PBACLs provide the capability to apply access control policies across object groups. An object group is a group of users or servers.
You define an object group as a group of IP addresses or as a group of protocol ports. You then create access control entries (ACEs) that apply a policy (such as permit or deny) to the object group. For example, a policy-based ACE can permit a group of users to access a group of servers.
An ACE defined using a group name is equivalent to multiple ACEs (one applied to each entry in the object group). The system expands the PBACL ACE into multiple Cisco IOS ACEs (one ACE for each entry in the group) and populates the ACEs in the TCAM. Therefore, the PBACL feature reduces the number of entries you need to configure but does not reduce TCAM usage.
If you make changes in group membership, or change the contents of an ACE that uses an access group, the system updates the ACEs in the TCAM. The following types of changes trigger the update:
- Adding a member to a group
- Deleting a member from a group
- Modifying the policy statements in an ACE that uses an access group
You configure a PBACL using extended Cisco IOS ACL configuration commands. As with regular ACEs, you can associate the same access policy with one or more interfaces.
When you configure an ACE, you can use an object group to define the source, the destination, or both.
How to Configure PBACLs
Configuring a PBACL IP Address Object Group
To create or modify a PBACL IP address object group, perform this task:
The following example creates an object group with three hosts and a network address:
Configuring a PBACL Protocol Port Object Group
To create or modify a PBACL protocol port object group, perform this task:
The following example creates a port object group that matches protocol port 100 and any port greater than 200, except 300:
Configuring ACLs with PBACL Object Groups
To configure an ACL to use a PBACL object group, perform this task:
The following example creates an access list that permits packets from the users in myAG if the protocol ports match the ports specified in myPG:
Configuring PBACL on an Interface
To configure a PBACL on an interface, use the ip access-group command. The command syntax and usage is the same as for Cisco IOS ACLs. For additional information, see the “Restrictions for Cisco IOS ACLs” section.
The following example shows how to associate access list my-pbacl-policy with VLAN 100:
MAC ACLs
- How to Configure Protocol-Independent MAC ACL Filtering
- How to Enable VLAN-Based MAC QoS Filtering
- Configuring MAC ACLs
Note You can use MAC ACLs with VLAN ACLs (VACLs). For more information, see Chapter1, “VLAN ACLs (VACLs)”
How to Configure Protocol-Independent MAC ACL Filtering
Protocol-independent MAC ACL filtering applies MAC ACLs to all ingress traffic types (for example, IPv4 traffic, IPv6 traffic, and MPLS traffic, in addition to MAC-layer traffic).
You can configure these interface types for protocol-independent MAC ACL filtering:
Ingress traffic permitted or denied by a MAC ACL on an interface configured for protocol-independent MAC ACL filtering is processed by egress interfaces as MAC-layer traffic. You cannot apply egress IP ACLs to traffic that was permitted or denied by a MAC ACL on an interface configured for protocol-independent MAC ACL filtering.
To configure protocol-independent MAC ACL filtering, perform this task:
- When the mac acl filtering is enabled, all other protocol features such as RACL, microflow policing will be ignored in the hardware.
This example shows how to configure VLAN interface 4018 for protocol-independent MAC ACL filtering and how to verify the configuration:
This example shows how to configure Gigabit Ethernet interface 6/1 for protocol-independent MAC ACL filtering and how to verify the configuration:
This example shows how to configure Gigabit Ethernet interface 3/24, subinterface 4000, for protocol-independent MAC ACL filtering and how to verify the configuration:
How to Enable VLAN-Based MAC QoS Filtering
You can globally enable or disable VLAN-based QoS filtering in MAC ACLs. VLAN-based QoS filtering in MAC ACLs is disabled by default.
To enable VLAN-based QoS filtering in MAC ACLs, perform this task:
To disable VLAN-based QoS filtering in MAC ACLs, perform this task:
|
|
|
|---|---|
Configuring MAC ACLs
You can configure named ACLs that filter IP, IPX, DECnet, AppleTalk, VINES, or XNS traffic based on MAC addresses.
You can configure MAC ACLs that do VLAN-based filtering or CoS-based filtering or both.
You can globally enable or disable VLAN-based QoS filtering in MAC ACLs (disabled by default).
To configure a MAC ACL, perform this task:
- Cisco IOS Release 15.0SY supports the vlan and cos keywords.
- The vlan keyword for VLAN-based QoS filtering in MAC ACLs can be globally enabled or disabled and is disabled by default.
- You can enter MAC addresses as three 2-byte values in dotted hexadecimal format. For example, 0030.9629.9f84.
- You can enter MAC address masks as three 2-byte values in dotted hexadecimal format. Use 1 bits as wildcards. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).
- You can enter an EtherType and an EtherType mask as hexadecimal values.
- Entries without a protocol parameter match any protocol.
- ACL entries are scanned in the order you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the ACL.
- An implicit deny any any entry exists at the end of an ACL unless you include an explicit permit any any entry at the end of the list.
- All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list.
- This list shows the EtherType values and their corresponding protocol keywords:
– 0x0600—xns-idp—Xerox XNS IDP
– 0x0BAD—vines-ip—Banyan VINES IP
– 0x0baf—vines-echo—Banyan VINES Echo
– 0x6000—etype-6000—DEC unassigned, experimental
– 0x6001—mop-dump—DEC Maintenance Operation Protocol (MOP) Dump/Load Assistance
– 0x6002—mop-console—DEC MOP Remote Console
– 0x6003—decnet-iv—DEC DECnet Phase IV Route
– 0x6004—lat—DEC Local Area Transport (LAT)
– 0x6005—diagnostic—DEC DECnet Diagnostics
– 0x6007—lavc-sca—DEC Local-Area VAX Cluster (LAVC), SCA
– 0x0800—ip—Malformed, invalid, or deliberately corrupt IP frames
– 0x8038—dec-spanning—DEC LANBridge Management
– 0x8040—netbios—DEC PATHWORKS DECnet NETBIOS Emulation
– 0x8041—msdos—DEC Local Area System Transport
– 0x8042—etype-8042—DEC unassigned
– 0x809B—appletalk—Kinetics EtherTalk (AppleTalk over Ethernet)
– 0x80F3—aarp—Kinetics AppleTalk Address Resolution Protocol (AARP)
This example shows how to create a MAC-Layer ACL named mac_layer that denies dec-phase-iv traffic with source address 0000.4700.0001 and destination address 0000.4700.0009, but permits all other traffic:
ARP ACLs
This section describes how to configure ARP ACLs. You can configure named ACLs that filter ARP traffic (EtherType 0x0806). To configure an ARP ACL, perform this task:
|
|
|
|
|---|---|---|
Router(config-arp-nacl)# { permit | deny } { ip { any | host sender_ip | sender_ip sender_ip_wildcardmask } mac any |
- This publication describes the ARP ACL syntax that is supported in hardware by the PFC. Any other ARP ACL syntax displayed by the CLI help when you enter a question mark (“?”) is not supported and cannot be used to filter ARP traffic for QoS.
- ACLs entries are scanned in the order you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the ACL.
- An implicit deny ip any mac any entry exists at the end of an ACL unless you include an explicit permit ip any mac any entry at the end of the list.
- All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list.
- The PFC does not apply IP ACLs to ARP traffic.
- You cannot apply microflow policing to ARP traffic.
This example shows how to create an ARP ACL named arp_filtering that only permits ARP traffic from IP address 1.1.1.1:
Optimized ACL Logging
Restrictions for OAL
- OAL and VACL capture are incompatible. Do not configure both features on the switch. With OAL configured, use SPAN to capture traffic.
- OAL checks for conflicts with other features using capture like VACL capture, Lawful Intercept (LI), and IPv6 learning.
- OAL supports only IPv4 unicast packets.
- OAL is not supported with port ACLs (PACLs).
- OAL does not provide hardware support for the following:
– ACLs used to filter traffic for other features (for example, QoS)
– ACLs for unicast reverse path forwarding (uRPF) check exceptions
– Exception packets (for example, TTL failure and MTU failure)
– Packets addressed at Layer 3 to the router
– Packets sent to the RP to generate ICMP unreachable messages
– Packets being processed by features not accelerated in hardware
Information about OAL
OAL provides hardware support for ACL logging. Unless you configure OAL, packets that require logging are processed completely in software on the RP. OAL permits or drops packets in hardware on the PFC or DFC and uses an optimized routine to send information to the RP to generate the logging messages.
How to Configure OAL
Configuring OAL Global Parameters
To configure global OAL parameters, perform this task:
|
|
|
|---|---|
Router(config)# logging ip access-list cache {{ entries number_of_entries } | { interval seconds } | { rate-limit number_of_packets } | { threshold number_of_packets }} |
– Sets the maximum number of entries cached.
– Range: 0–1,048,576 (entered without commas).
– Sets the maximum time interval before an entry is sent to be logged. Also if the entry is inactive for this duration it is removed from the cache.
– Range: 5–86,400 (1440 minutes or 24 hours, entered without commas).
– Default: 300 seconds (5 minutes).
– Sets the number of packets logged per second in software.
– Range: 10–1,000,000 (entered without commas).
– Default: 0 (rate limiting is off and all packets are logged).
– Sets the number of packet matches before an entry is logged.
– Range: 1–1,000,000 (entered without commas).
– Default: 0 (logging is not triggered by the number of packet matches).
Configuring OAL on an Interface
To configure OAL on an interface, perform this task:
|
|
|
|
|---|---|---|
Displaying OAL Information
To display OAL information, perform this task:
|
|
|
|---|---|
|
|
Clearing Cached OAL Entries
To clear cached OAL entries, perform this task:
|
|
|
|---|---|
|
|
Dry Run Support for ACLs
- Restrictions for Dry Run Support
- Information About Dry Run Support
- How to Configure Dry Run Support for ACLs
Restrictions for Dry Run Support
- Dry Run is supported only for IPv4 RACLs and can only be applied on interfaces.
- Dry Run is supported only with named ACLs (Standard or Extended) and not with numbered ACLs.
- Only one Dry Run session is allowed at a time with a single ACL or multiple ACLs in the Dry Run session.
- The Dry Run session ACL or ACLs are removed when an ACL or ACLs are changed under configuration mode.
- Exiting the Dry Run session does not clear the existing configuration. Clear the existing session before starting a new configuration.
- The validation process may abort if there are configuration or hardware changes made during the validation process.
- Dry Run mode does not support committing the changes to the running configuration.
- Dry Run is not supported for ACLs used in QoS policies.
- Dry Run is not supported for ACLs having hardware statistics enabled.
- You can access the switch using another Telnet session while a Dry Run session is in progress.
Information About Dry Run Support
In other releases, when a new feature is applied on an interface configured along with other features, and if the new feature does not fit in the TCAM, then existing features are also affected and removed from the TCAM. To incrementally update the feature and see whether the feature fits into the TCAM without installing it, the switch provides a Dry Run support, where applications can send regular requests to test whether the request can be programmed successfully or not. The switch receives the dry run request and calculates the total TCAM resources required for the request and compares those resources against the available free resources. If the request fits in successfully, then the switch returns a success, else the switch returns a failure. The Dry Run support helps applications make intelligent decisions.
How to Configure Dry Run Support for ACLs
To configure the Dry Run support, perform this task:
|
|
|
|
|---|---|---|
Router(dry-run-config)# {default | exit | ip | no | validate} |
||
Router(dry-run-config)# ip access-list {extended | standard} acl_name |
The following example configures the dry run support for a session with an existing ACL RACL10K:
Hardware ACL Statistics
- Restrictions for Hardware ACL Statistics
- Information About Hardware ACL Statistics
- How to Configure Hardware ACL Statistics
Restrictions for Hardware ACL Statistics
- Hardware ACL statistics are supported for IPv4 and IPv6 RACLs in both ingress and egress directions.
- In IPv4, hardware ACL statistics are supported for both numbered and named ACLs.
- The hardware statistics is retrieved by polling the hardware once every 60 seconds.
- The hardware statistics is lost after SSO (Stateful Switchover).
- The hardware statistics is maintained on an ACL basis. If there are multiple interfaces using the same ACL, the statistics will be aggregated.
- Hardware statistics is disabled when ODM (Order Dependent Merge) optimizations are enabled.
Information About Hardware ACL Statistics
Using the hardware ACL statistics, the hardware counters for a given ACL are gathered, aggregated, and displayed in the IOS access-list output.
The ACE hit count is retrieved from the hardware and can be viewed using the following commands:
show ip access-list and show ipv6 access-list
Hardware statistics is disabled by default. To enable or disable hardware statistics, enter the command for hardware statistics.
How to Configure Hardware ACL Statistics
The following example enables hardware statistics for ACL racl1:
The following example displays the hardware statistics for ACL racl1:
The hardware statistics for each ACE is seen after the acl hw hit count string and indicates the number of packets switched in hardware.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Feedback