EasyManuals Logo

Cisco Catalyst 4500 Series Administration Guide

Cisco Catalyst 4500 Series
1814 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #1418 background imageLoading...
Page #1418 background image
54-12
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 54 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
A more detailed example follows:
access-list 101
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
access-list 102
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
Access lists 101 and 102 use the following Layer 4 operations:
• Access list 101 Layer 4 operations: 5
–
gt 10 permit and gt 10 deny both use the same operation because they are identical and both
operate on the destination port.
• Access list 102 Layer 4 operations: 4
• Total Layer 4 operations: 8 (due to sharing between the two access lists)
–
neq6 permit is shared between the two ACLs because they are identical and both operate on the
same destination port.
• A description of the Layer 4 operations usage is as follows:
–
Layer 4 operation 1 stores gt 10 permit and gt 10 deny from ACL 101
–
Layer 4 operation 2 stores lt 9 deny from ACL 101
–
Layer 4 operation 3 stores gt 11 deny from ACL 101
–
Layer 4 operation 4 stores neg 6 permit from ACL 101 and 102
–
Layer 4 operation 5 stores neg 6 deny from ACL 101
–
Layer 4 operation 6 stores gt 20 deny from ACL 102
–
Layer 4 operation 7 stores lt 9 deny from ACL 102
–
Layer 4 operation 8 stores range 11 13 deny from ACL 102
How ACL Processing Impacts CPU
ACL processing can impact the CPU in two ways:
• For some packets, when the hardware runs out of resources, the software must perform the ACL
matches:
–
The TCP flag combinations rst ack, syn fin rst, urg and psh are processed in hardware. rst ack
is equivalent to the keyword established. Other TCP flag combinations are supported in
software.
Note Match-all is not supported. Match-any is supported only when used in the following
combinations of positive flags: "rst and ack" (must be combined), "sync and fin and rst"
(must be combined), "psh" and "urg".

Table of Contents

Other manuals for Cisco Catalyst 4500 Series

Preview: Manual
Manual19 pages
Preview: Command Reference Guide
Command Reference Guide1230 pages
Preview: System Message Guide
System Message Guide150 pages
Preview: Configuration Guide
Configuration Guide1610 pages
Preview: Software Configuration Guide
Software Configuration Guide2086 pages
Preview: Message Guide
Message Guide146 pages
Preview: Installation Guide
Installation Guide194 pages
Preview: Datasheet
Datasheet11 pages
Preview: Overview
Overview46 pages
Preview: Quick Reference Guide
Quick Reference Guide59 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco Catalyst 4500 Series and is the answer not in the manual?

Cisco Catalyst 4500 Series Specifications

General IconGeneral
SeriesCatalyst 4500 Series
CategorySwitch
Layer SupportLayer 2, Layer 3
Form FactorModular chassis
StackableNo
Chassis Slots3, 6, 7, 10
Power Supply OptionsAC, DC
RedundancyPower supply, Supervisor engine
Network ManagementCisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
FeaturesSecurity, QoS
Port DensityUp to 384 ports per chassis
Security Features802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine8-E

Related product manuals