The following is an example of a remark that describes function of the subsequent deny statement:
ip access-list extended telnetting
remark Do not allow host1 subnet to telnet out
deny tcp host 172.16.2.88 any eq telnet
Hardware and Software Treatment of IP ACLs
ACL processing is performed in hardware. If the hardware reaches its capacity to store ACL configurations,
all packets on that interface are dropped.
If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a
switch or stack member, then only the traffic in that VLAN arriving on that switch is affected.
Note
For router ACLs, other factors can cause packets to be sent to the CPU:
•
Using the log keyword
•
Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done
by software. Because of the difference in packet handling capacity between hardware and software, if the sum
of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the
packets that are forwarded can be logged.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not
account for packets that are access controlled in hardware. Use the show platform acl counters hardware
privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
•
The hardware controls permit and deny actions of standard and extended ACLs (input and output) for
security access control.
•
If log has not been specified, the flows that match a deny statement in a security ACL are dropped by
the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in
hardware.
•
Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU
for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.
Time Ranges for ACLs
You can selectively apply extended ACLs based on the time of day and the week by using the time-range
global configuration command. First, define a time-range name and set the times and the dates or the days of
the week in the time range. Then enter the time-range name when applying an ACL to set restrictions to the
access list. You can use the time range to define when the permit or deny statements in the ACL are in effect,
for example, during a specified time period or on specified days of the week. The time-range keyword and
argument are referenced in the named and numbered extended ACL task tables.
These are some benefits of using time ranges:
•
You have more control over permitting or denying a user access to resources, such as an application
(identified by an IP address/mask pair and a port number).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1180
Information About Configuring IPv4 Access Control Lists
To Next Page
Loading...
Need help?
General
