19-6
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 19 Configuring Network Security with ACLs
Configuring Router ACLs
These factors can cause packets to be sent to the CPU:
• Using the log keyword
• Enabling ICMP unreachables
• Hardware reaching its capacity to store ACL configurations
If ACLs cause large numbers of packets to be sent to the CPU, switch performance can be negatively affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show access-lists hardware counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU only for logging. If the ACE is a permit statement, the packet is still switched and routed in hardware.
Unsupported Features
The Catalyst 3550 switch does not support these IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 19-1 on page 19-7).
• Bridge-group ACLs.
• IP accounting.
• Inbound and outbound rate limiting (except with QoS ACLs).
• IP packets with a header length of less than five are not access controlled (results in an ICMP parameter error).
• Reflexive ACLs.
• Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature).
Creating Standard and Extended IP ACLs
This section summarizes how to create router IP ACLs. An ACL is a sequential collection of permit and deny conditions. The switch tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.
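The first-match rule, the implicit deny at the end of the list, and the effect of the log keyword described above can be seen by evaluating a sample access list by hand. The following Python script is an added example, not code from the Cisco guide or from IOS; it implements a small subset of IOS ACL syntax (numbered standard and extended ACEs with any, host, wildcard masks, eq <port> and log) and reports, for a constructed packet, which ACE matched and whether a copy would be sent to the CPU for logging. It also flags ACEs that can never be reached because an earlier, wider ACE already covers them, which is the practical consequence of getting the order wrong. The access list ACL_101 and the addresses are constructed for the example.

```python
"""First-match evaluation of IOS-style IP access lists (added example, not from the guide)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

M = 0xFFFFFFFF                 # 32-bit mask helper
ANY = (0, M)                   # address 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every IP protocol
    src: tuple                 # (address, wildcard) as 32-bit ints; 1 bits in the wildcard are don't-care
    dst: tuple
    dport: Optional[int] = None  # destination port from "eq <port>", None = any port
    log: bool = False          # the log keyword: a copy of the packet goes to the CPU


@dataclass
class Verdict:
    action: str
    index: Optional[int]       # index of the matching ACE; None = implicit deny at the end
    to_cpu: bool               # True when a copy is punted to the CPU for logging


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W | A.B.C.D"""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():   # explicit wildcard mask follows
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0), i + 1                       # bare address = single host


def parse_ace(line: str) -> Ace:
    """Parse one ACE; "access-list <n>" prefix is optional, standard ACEs carry only a source."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, i, proto = tok[0], 1, "ip"
    if tok[i] in ("ip", "tcp", "udp", "icmp"):           # extended ACE
        proto, i = tok[i], i + 1
        src, i = _parse_addr(tok, i)
        dst, i = _parse_addr(tok, i)
    else:                                                # standard ACE: source only
        src, i = _parse_addr(tok, i)
        dst = ANY
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = int(tok[i + 1]), i + 2
    log = i < len(tok) and tok[i] == "log"
    return Ace(action, proto, src, dst, dport, log)


def _addr_match(spec, addr: int) -> bool:
    ip, wild = spec
    mask = ~wild & M                                     # bits that must be equal
    return (addr & mask) == (ip & mask)


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Verdict:
    """Test a packet against the ACEs in order; the first match wins."""
    s, d = _ip(src), _ip(dst)
    for n, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_match(ace.src, s) or not _addr_match(ace.dst, d):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return Verdict(ace.action, n, ace.log)
    return Verdict("deny", None, False)                  # no ACE matched: implicit deny


def _covers(a, b) -> bool:
    """True when address spec a matches every address that spec b matches."""
    (ia, wa), (ib, wb) = a, b
    return (wa | wb) == wa and (ia & ~wa & M) == (ib & ~wa & M)


def shadowed(acl):
    """Indexes of ACEs that can never be reached because an earlier ACE covers them."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


# Constructed sample access list (not from the guide). The last ACE is unreachable:
# the permit ip 10.1.0.0/16 line above it already covers host 10.1.2.3.
ACL_101 = [parse_ace(line) for line in """
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 10.9.9.9 eq 22
access-list 101 deny   tcp any host 10.9.9.9 eq 23 log
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 101 deny   ip host 10.1.2.3 any
""".strip().splitlines()]

if __name__ == "__main__":
    for pkt in [("tcp", "10.1.2.3", "10.9.9.9", 22), ("tcp", "192.0.2.7", "10.9.9.9", 23),
                ("udp", "10.1.2.3", "10.9.9.9", 53), ("tcp", "192.0.2.7", "10.9.9.9", 443)]:
        print(pkt, evaluate(ACL_101, *pkt))
    print("unreachable ACE indexes:", shadowed(ACL_101))
```

Running the script shows the telnet packet from 192.0.2.7 hitting the deny ... log ACE with to_cpu=True (the copy that the guide says is punted only for logging), the HTTPS packet from the same host falling through every ACE to the implicit deny (index None), and ACE index 3 reported as unreachable. On a real switch the equivalent check is to read the per-ACE match counts from show ip access-lists together with show access-lists hardware counters, since an ACE whose counter never increments is a candidate for being shadowed.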