34-22
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 34 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Hardware and Software Treatment of IP ACLs
ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to
the CPU for software processing. If the hardware reaches its capacity to store ACL configurations,
packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is
substantially less than for hardware-forwarded traffic.
Note: If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a switch or stack member, then only the traffic in that VLAN arriving on that switch is affected (forwarded in software). Software forwarding of packets might adversely impact the performance of the switch or switch stack, depending on the number of CPU cycles that this consumes.
For router ACLs, other factors can cause packets to be sent to the CPU:
• Using the log keyword
• Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be
done by software. Because of the difference in packet handling capacity between hardware and software,
if the sum of all flows being logged (both permitted flows and denied flows) is of great enough
bandwidth, not all of the packets that are forwarded can be logged.
If router ACL configuration cannot be applied in hardware, packets arriving in a VLAN that must be
routed are routed in software, but are bridged in hardware. If ACLs cause large numbers of packets to
be sent to the CPU, the switch performance can be negatively affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show access-lists hardware counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.
Troubleshooting ACLs
If this ACL manager message appears, where [chars] is the access-list name,
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
the switch has insufficient resources to create a hardware representation of the ACL. The resources include hardware memory and label space but not CPU memory. A lack of available logical operation units or specialized hardware resources causes this problem. Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
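As an added check that is not part of the guide, the following Python script scans IOS-style extended ACL text for the two conditions described above: ACEs that need logical operation units (a TCP flag match, or an ne, gt, lt or range port test on TCP, UDP or SCTP) and ACEs carrying the log keyword, which send a copy of each matching packet to the CPU. The sample ACL is constructed and the TCP flag keyword list is an assumption; the guide gives no logical operation unit budget, so the script flags candidate ACEs rather than predicting the ACLMGR-2-NOVMR message.

```python
"""Lint IOS-style extended ACL text for ACEs that may leave the hardware
path: logical-operation-unit (LOU) consumers and log-keyword ACEs."""
import re
from typing import Dict, List

PORT_PROTOS = {"tcp", "udp", "sctp"}
LOU_PORT_OPS = {"ne", "gt", "lt", "range"}  # port tests other than eq
# IOS TCP flag keywords (assumed list); 'established' matches ACK or RST.
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg", "established"}
ACE_RE = re.compile(r"^\s*(\d+)?\s*(permit|deny)\s+(\S+)\s+(.*)$", re.I)


def audit_ace(ace: str) -> Dict[str, object]:
    """Describe why one ACE may leave the hardware path; {} if not an ACE."""
    m = ACE_RE.match(ace)
    if not m:
        return {}
    proto, rest = m.group(3).lower(), m.group(4).lower().split()
    lou: List[str] = []
    if proto in PORT_PROTOS:
        lou += [f"port test '{t}'" for t in rest if t in LOU_PORT_OPS]
    if proto == "tcp":
        flags = sorted(t for t in rest if t in TCP_FLAGS)
        if flags:
            lou.append("tcp flags " + ",".join(flags))
    return {
        "seq": m.group(1), "action": m.group(2).lower(), "proto": proto,
        "lou": lou,                                            # needs LOUs
        "log": any(t in ("log", "log-input") for t in rest),   # CPU copy
    }


def audit_acl(text: str) -> List[Dict[str, object]]:
    """Audit every ACE in running-config style ACL text (headers skipped)."""
    return [r for r in (audit_ace(line) for line in text.splitlines()) if r]


# Constructed sample ACL, not taken from any real device.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 remark web front ends
 10 permit tcp any host 10.0.0.5 eq 443
 20 permit tcp any 10.0.0.0 0.0.0.255 range 1024 65535 established
 30 deny udp any any gt 1023 log
 40 deny ip any any log
"""

if __name__ == "__main__":
    for r in audit_acl(SAMPLE_ACL):
        tag = "CHECK" if (r["lou"] or r["log"]) else "HW-ONLY"
        print(f"{tag:8} seq {r['seq']}: lou={r['lou']} log={r['log']}")
```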