Cisco Catalyst 4500 Series Software Configuration Guide

62-13
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
– Layer 4 operation 7 stores lt 9 deny from ACL 102
– Layer 4 operation 8 stores range 11 13 deny from ACL 102
Using ACLs to Filter TCP Flags and How ACL Processing Impacts CPU

You can use IPv4 or IPv6 ACLs to filter TCP flags. You do this by configuring ACEs that make up an access list to allow matching on a flag that is set.

You use a combination of flags on which to filter; these combinations are processed in hardware. Only the following combinations are supported (applicable to IPv4 and IPv6 ACLs), and the flags must be used in the specified combination:

• rst and ack—equivalent to the keyword established.
  – rst—The reset flag indicates that the receiver should delete the connection without further interaction.
  – ack—The acknowledge flag indicates that the acknowledgment field of a segment specifies the next sequence number the sender of this segment is expecting to receive.
• syn and fin and rst
  – syn—The synchronize flag is used to establish connections.
  – fin—The finish flag is used to clear connections.
  – rst—See above.
• psh—The push flag indicates the data in the call should be immediately pushed through to the receiving user.
• urg—The urgent flag indicates that the urgent field is meaningful and must be added to the segment sequence number.

Note: Match-all is not supported. Match-any is supported only when used in the following combinations of positive flags: "rst and ack" (must be combined), "syn and fin and rst" (must be combined), "psh" and "urg".
ACL processing can impact the CPU in two ways:

• For some packets, when the hardware runs out of resources, the software must perform the ACL matches:
  – The TCP flag combinations rst ack, syn fin rst, urg and psh are processed in hardware. Other TCP flag combinations are supported in software.
  – If the total number of Layer 4 operations in an ACL is less than six, you can distribute the operations in any way you choose.

To create an ACL (IPv4 or IPv6) to filter TCP flags, perform the following task:
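The supported-combination rules above can be checked mechanically before an ACL is applied, so that ACEs which would fall back to software matching (and the CPU impact that goes with it) are caught in review. The following is an added example, not Cisco's code or the guide's configuration task; it assumes the IOS extended-ACL syntax with `match-any`/`match-all` followed by `+flag`/`-flag` tokens and the `established` keyword, and the sample ACL it audits is constructed.

```python
import re

# Flag sets the guide lists as matched in hardware (exact combinations only).
HARDWARE_FLAG_SETS = {
    frozenset({"rst", "ack"}),          # same as the 'established' keyword
    frozenset({"syn", "fin", "rst"}),
    frozenset({"psh"}),
    frozenset({"urg"}),
}
TCP_ACE = re.compile(r"^\s*(?:\d+\s+)?(?:permit|deny)\s+tcp\s+(?P<rest>.+)$", re.I)

def classify_ace(ace: str) -> str:
    """Return how the switch would evaluate one ACE's TCP flag test:
    'hardware', 'software', 'unsupported' (match-all), 'no-flags' or 'n/a'."""
    m = TCP_ACE.match(ace)
    if not m:
        return "n/a"                   # not a TCP ACE: flag rules do not apply
    tokens = m.group("rest").lower().split()
    if "match-all" in tokens:
        return "unsupported"           # guide: match-all is not supported
    if "established" in tokens:
        return "hardware"              # keyword shorthand for rst and ack
    if "match-any" not in tokens:
        return "no-flags"
    flags = tokens[tokens.index("match-any") + 1:]
    if any(f.startswith("-") for f in flags):
        return "software"              # only positive flags are hardware-matched
    fset = frozenset(f.lstrip("+") for f in flags)
    return "hardware" if fset in HARDWARE_FLAG_SETS else "software"

def audit_acl(config_lines):
    """List (ace, verdict) for ACEs the hardware will not match on flags."""
    return [(line.strip(), v) for line in config_lines
            if (v := classify_ace(line)) in ("software", "unsupported")]

# Constructed sample ACL (not from the guide) mixing supported and unsupported ACEs.
SAMPLE_ACL = [
    "ip access-list extended TCP-FLAG-FILTER",
    " permit tcp any any established",
    " permit tcp any any match-any +rst +ack",
    " deny tcp any any match-any +syn +fin +rst",
    " permit tcp any any match-any +psh",
    " deny tcp any any match-any +syn",          # other combination: software
    " deny tcp any any match-all +syn +ack",     # match-all: unsupported
    " permit tcp any any match-any -rst",        # negated flag: software
]

if __name__ == "__main__":
    for ace, verdict in audit_acl(SAMPLE_ACL):
        print(f"{verdict:11s} {ace}")
```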
