62-15
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
Examples
The following access lists are processed completely in hardware:
access-list 104 permit tcp any any established
access-list 105 permit tcp any any rst ack
access-list 107 permit tcp any any syn fin rst
Access lists 104 and 105 are identical; established is shorthand for rst and ack.
Access list 101 is processed completely in software:
access-list 101 permit tcp any any syn
Because four source and two destination operations exist, access list 106 is processed in hardware:
access-list 106 permit tcp any range 100 120 any range 120 140
access-list 106 permit tcp any range 140 160 any range 180 200
access-list 106 permit tcp any range 200 220 any
access-list 106 deny tcp any range 220 240 any
In the following code, the Layer 4 operations for the third ACE trigger an attempt to translate dst lt 1023 into multiple ACEs in hardware, because three source and three destination operations exist. If the translation attempt fails, the third ACE is processed in software.
access-list 102 permit tcp any lt 80 any gt 100
access-list 102 permit tcp any range 100 120 any range 120 1024
access-list 102 permit tcp any gt 1024 any lt 1023
Similarly, for access list 103, the third ACE triggers an attempt to translate dst gt 1023 into multiple ACEs in hardware. If the attempt fails, the third ACE is processed in software. Although the operations for source and destination ports look similar, they are considered different Layer 4 operations.
access-list 103 permit tcp any lt 80 any lt 80
access-list 103 permit tcp any range 100 120 any range 100 120
access-list 103 permit tcp any gt 1024 any gt 1023
Note: Remember that source port lt 80 and destination port lt 80 are considered different operations.
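To make the source/destination accounting walked through above concrete, here is an added Python example (not code from the Cisco guide) that parses numbered extended ACEs and counts the distinct lt/gt/neq/range operations per direction for each access list. The sample configuration is constructed from the access lists quoted on this page, with the missing `any` destination supplied on the 106 and 107 entries. Two choices are assumptions of this example rather than statements from the page: `eq` is treated as an exact port match rather than a Layer 4 operation, and an identical operator repeated in the same direction is counted once. The page does not state the hardware budget itself, so the script reports counts (which should match the "four source and two destination" and "three source and three destination" figures above) instead of deciding hardware versus software for you.

```python
"""Count Layer 4 port operations per direction in Cisco IOS numbered extended ACLs.

Added example, not code from the Cisco guide. It reproduces the per-direction
operation counts the guide quotes for access lists 102, 103 and 106.
"""
import re
from collections import defaultdict

# Port operators the guide treats as Layer 4 operations.
L4_OPERATORS = {"lt", "gt", "neq", "range"}
# 'eq' is parsed but treated as an exact match, not a Layer 4 operation (assumption).
PORT_KEYWORDS = L4_OPERATORS | {"eq"}
# TCP flag keywords; these are not port operations (ACLs 104/105/107 use them).
TCP_FLAGS = {"established", "ack", "rst", "syn", "fin", "psh", "urg"}

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _parse_address(tokens, i):
    """Consume one address spec starting at tokens[i]; return the index after it."""
    if tokens[i] == "any":
        return i + 1
    return i + 2  # 'host A.B.C.D' or 'address wildcard' both take two tokens


def _parse_port_op(tokens, i):
    """Consume an optional port operator at tokens[i].

    Returns (op, next_index); op is ('lt', '80'), ('range', '100', '120'), ... or None.
    """
    if i >= len(tokens) or tokens[i] not in PORT_KEYWORDS:
        return None, i
    if tokens[i] == "range":
        return (tokens[i], tokens[i + 1], tokens[i + 2]), i + 3
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse one 'access-list N permit|deny proto src [op] dst [op] [flags]' line."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a numbered extended ACE: {line!r}")
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    i = _parse_address(tokens, 0)
    src_op, i = _parse_port_op(tokens, i)
    dst_op = None
    # Tolerate textbook ACEs that omit the destination and go straight to flags.
    if i < len(tokens) and tokens[i] not in TCP_FLAGS:
        i = _parse_address(tokens, i)
        dst_op, i = _parse_port_op(tokens, i)
    flags = [t for t in tokens[i:] if t in TCP_FLAGS]
    return {"acl": acl, "action": action, "proto": proto,
            "src_op": src_op, "dst_op": dst_op, "flags": flags}


def count_l4_operations(config_lines):
    """Return {acl_number: (distinct_source_ops, distinct_destination_ops)}.

    Identical operators in the same direction are counted once (assumption);
    'eq' matches and TCP flag keywords are never counted.
    """
    ops = defaultdict(lambda: (set(), set()))
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        ace = parse_ace(line)
        src, dst = ops[ace["acl"]]  # creates the entry even for ACLs with no operations
        if ace["src_op"] and ace["src_op"][0] in L4_OPERATORS:
            src.add(ace["src_op"])
        if ace["dst_op"] and ace["dst_op"][0] in L4_OPERATORS:
            dst.add(ace["dst_op"])
    return {acl: (len(s), len(d)) for acl, (s, d) in ops.items()}


# Constructed sample: the access lists quoted on this page, destinations completed.
SAMPLE_CONFIG = """\
access-list 104 permit tcp any any established
access-list 105 permit tcp any any rst ack
access-list 107 permit tcp any any syn fin rst
access-list 101 permit tcp any any syn
access-list 106 permit tcp any range 100 120 any range 120 140
access-list 106 permit tcp any range 140 160 any range 180 200
access-list 106 permit tcp any range 200 220 any
access-list 106 deny tcp any range 220 240 any
access-list 102 permit tcp any lt 80 any gt 100
access-list 102 permit tcp any range 100 120 any range 120 1024
access-list 102 permit tcp any gt 1024 any lt 1023
access-list 103 permit tcp any lt 80 any lt 80
access-list 103 permit tcp any range 100 120 any range 100 120
access-list 103 permit tcp any gt 1024 any gt 1023
""".splitlines()

if __name__ == "__main__":
    for acl, (s, d) in sorted(count_l4_operations(SAMPLE_CONFIG).items()):
        print(f"access-list {acl}: {s} source, {d} destination Layer 4 operations")
```

Run it against a saved `show running-config` section to get the same per-direction figures the guide uses; because source and destination operators are kept in separate sets, `lt 80` on both sides of ACL 103 counts as two operations, exactly as the note above says.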
Command Purpose
Step 6
end
Example:
Switch(config-ext-nacl)# end
(Optional) Exits the configuration mode and returns to privileged EXEC mode.
Step 7
show ip access-lists access-list-name
Example:
Switch# show ip access-lists kmd1
(Optional) Displays the contents of the IP access list. Review the output to confirm that the access list includes the new entry.
