62-6
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Hardware and Software ACL Support
Figure 62-2 Using VLAN Maps to Control Traffic
Hardware and Software ACL Support
This section describes how to determine whether ACLs are processed in hardware or in software:
• Flows that match a deny statement in standard and extended ACLs are dropped in hardware if ICMP
unreachable messages are disabled.
• Flows that match a permit statement in standard ACLs are processed in hardware.
• The following ACL types are not supported in software:
–
Standard Xerox Network Systems (XNS) Protocol access list
–
Extended XNS access list
–
DECnet access list
–
Protocol type-code access list
–
Standard Internet Packet Exchange (IPX) access list
–
Extended IPX access list
Note Packets that require logging are processed in software. A copy of the packets is sent to the CPU for
logging while the actual packets are forwarded in hardware so that non-logged packet processing is not
impacted.
By default, the Catalyst 4500 Series Switch sends ICMP unreachable messages when a packet is denied
by an access list; these packets are not dropped in hardware but are forwarded to the switch so that it can
generate the ICMP unreachable message.
To drop access list denied packets in hardware on the input interface, you must disable ICMP
unreachable messages using the no ip unreachables interface configuration command. The
ip unreachables command is enabled by default.
Note Cisco IOS Release 12.2(40)SG does not support disabling IP unreachables on interfaces routing IPv6
traffic.
Note If you set the no ip unreachable command on all Layer 3 interfaces, output ACL denied packets do not
come to the CPU.
Si
Host B
(VLAN 10)
Host A
(VLAN 10)
94153
= VLAN map denying specific type
of traffic from Host A
= Packet
Catalyst 4500 series switch
To Next Page
Loading...
Need help?
General
