EasyManua.ls Logo

Cisco Catalyst 4500 Series - How ACL Processing Impacts CPU

Cisco Catalyst 4500 Series
1814 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
54-12
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 54 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
A more detailed example follows:
access-list 101
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
access-list 102
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
Access lists 101 and 102 use the following Layer 4 operations:
Access list 101 Layer 4 operations: 5
gt 10 permit and gt 10 deny both use the same operation because they are identical and both
operate on the destination port.
Access list 102 Layer 4 operations: 4
Total Layer 4 operations: 8 (due to sharing between the two access lists)
neq6 permit is shared between the two ACLs because they are identical and both operate on the
same destination port.
A description of the Layer 4 operations usage is as follows:
Layer 4 operation 1 stores gt 10 permit and gt 10 deny from ACL 101
Layer 4 operation 2 stores lt 9 deny from ACL 101
Layer 4 operation 3 stores gt 11 deny from ACL 101
Layer 4 operation 4 stores neg 6 permit from ACL 101 and 102
Layer 4 operation 5 stores neg 6 deny from ACL 101
Layer 4 operation 6 stores gt 20 deny from ACL 102
Layer 4 operation 7 stores lt 9 deny from ACL 102
Layer 4 operation 8 stores range 11 13 deny from ACL 102
How ACL Processing Impacts CPU
ACL processing can impact the CPU in two ways:
For some packets, when the hardware runs out of resources, the software must perform the ACL
matches:
The TCP flag combinations rst ack, syn fin rst, urg and psh are processed in hardware. rst ack
is equivalent to the keyword established. Other TCP flag combinations are supported in
software.
Note Match-all is not supported. Match-any is supported only when used in the following
combinations of positive flags: "rst and ack" (must be combined), "sync and fin and rst"
(must be combined), "psh" and "urg".

Table of Contents

Other manuals for Cisco Catalyst 4500 Series

Preview: Manual
Manual19 pages
Preview: Software Configuration Guide
Software Configuration Guide2086 pages
Preview: Configuration Guide
Configuration Guide1610 pages
Preview: Command Reference Guide
Command Reference Guide1230 pages
Preview: System Message Guide
System Message Guide150 pages
Preview: Message Guide
Message Guide146 pages
Preview: Quick Reference Guide
Quick Reference Guide59 pages
Preview: Datasheet
Datasheet11 pages
Preview: Installation Guide
Installation Guide194 pages
Preview: Overview
Overview46 pages

Related product manuals