19-37
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 19 Configuring Network Security with ACLs
Using VLAN Maps with Router ACLs
• Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports). It is also helpful to use don’t care bits in the IP address, whenever possible.
  If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the filtering of traffic based on IP addresses.
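The ordering rule above is easy to check before an ACL is applied. The following linter is an added example, not code from the guide or from Cisco: it parses the body of a Cisco IOS extended ACL, classifies each ACE as IP-only or as carrying Layer 4 information (port operators, TCP flags, ICMP types), reports Layer 4 ACEs that precede IP-only ACEs, and flags full-flow ACEs (single source host, single destination host and ports). It deliberately never reorders ACEs, since moving an ACE changes first-match semantics; the trailing "ip any any" exemption and the sample ACLs are the example's own assumptions.

```python
"""Lint Cisco IOS extended ACLs against the Layer 4 ordering guidance (added example)."""
from dataclasses import dataclass

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
L4_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass
class Ace:
    index: int          # 1-based position in the list
    text: str
    protocol: str
    has_layer4: bool    # carries ports, TCP flags or an ICMP type
    full_flow: bool     # single src host + single dst host + protocol ports
    catch_all: bool     # "permit|deny ip any any"


def _take_address(tokens, i):
    """Consume one address field and report whether it names exactly one host."""
    if tokens[i] == "any":
        return i + 1, False
    if tokens[i] == "host":
        return i + 2, True
    # "A.B.C.D WILDCARD": an all-zero wildcard has no don't-care bits, i.e. one host
    return i + 2, tokens[i + 1] == "0.0.0.0"


def _take_port_op(tokens, i):
    """Consume an optional port operator; 'range' takes two operands, the rest one."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return (i + 3 if tokens[i] == "range" else i + 2), True
    return i, False


def parse_ace(index, line):
    tokens = line.split()
    if tokens and tokens[0].isdigit():      # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    proto = tokens[1].lower()
    i, src_host = _take_address(tokens, 2)
    i, src_ports = _take_port_op(tokens, i)
    i, dst_host = _take_address(tokens, i)
    i, dst_ports = _take_port_op(tokens, i)
    # Whatever remains is a Layer 4 qualifier (established, an ICMP type, ...),
    # except logging keywords, which do not affect matching.
    qualifiers = [t for t in tokens[i:] if t not in ("log", "log-input")]
    has_ports = src_ports or dst_ports
    has_l4 = proto in L4_PROTOCOLS and (has_ports or bool(qualifiers))
    full_flow = proto in L4_PROTOCOLS and has_ports and src_host and dst_host
    catch_all = proto == "ip" and tokens[2] == "any" and tokens[3] == "any"
    return Ace(index, " ".join(tokens), proto, has_l4, bool(full_flow), catch_all)


def parse_acl(acl_text):
    """Parse the ACE lines of a named extended ACL, skipping headers and remarks."""
    aces = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "remark", "ip access-list")):
            continue
        aces.append(parse_ace(len(aces) + 1, line))
    return aces


def lint_acl(acl_text):
    """Return findings as strings; an empty list means the ACL follows the guidance."""
    aces = parse_acl(acl_text)
    # A final "ip any any" is the implicit deny/permit made explicit; this linter
    # (an assumption of the example, not the guide) leaves it out of the ordering check.
    body = aces[:-1] if aces and aces[-1].catch_all else aces
    findings = []
    for ace in body:
        if ace.full_flow:
            findings.append(f"ACE {ace.index} matches a full flow (hosts + ports): {ace.text}")
        if ace.has_layer4:
            later = next((o for o in body if o.index > ace.index and not o.has_layer4), None)
            if later is not None:
                findings.append(
                    f"ACE {ace.index} carries Layer 4 information but precedes "
                    f"IP-only ACE {later.index}; move Layer 4 ACEs to the end of the list")
    return findings


# Constructed sample ACLs for demonstration (not taken from the guide).
BAD_ACL = """\
ip access-list extended LAB-IN
 permit tcp host 10.1.1.5 host 10.2.2.7 eq 443
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 deny ip any any
"""
GOOD_ACL = """\
ip access-list extended LAB-IN
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit udp 10.1.1.0 0.0.0.255 any eq 53
 permit icmp any any echo-reply
 deny ip any any
"""

if __name__ == "__main__":
    for name, acl in (("BAD", BAD_ACL), ("GOOD", GOOD_ACL)):
        print(name, lint_acl(acl) or ["no findings"])
```

Run it against the text of a named ACL (for example the output of a configuration backup); the BAD sample produces two findings (a full-flow ACE and a Layer 4 ACE ahead of an IP-only ACE), while the GOOD sample, which keeps the UDP and ICMP ACEs after the IP ACE, produces none.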
Determining if the ACL Configuration Fits in Hardware
As previously stated, ACL processing in the Catalyst 3550 switch is mostly accomplished in hardware. However, if the hardware reaches its capacity to store ACL configurations, the switch software attempts to fit a simpler configuration into the hardware. This simpler configuration does not do all the filtering that has been configured, but instead sends some or all packets to the CPU to be filtered by software. In this way, all configured filtering will be accomplished, but performance is greatly decreased when the filtering is done in software.
For example, if the combination of an input router ACL applied to a VLAN interface and a VLAN map applied to the same VLAN does not fit into the hardware, these results might occur:
• If the VLAN map alone fits in hardware, the software sets up the hardware to send to the CPU all packets that need to be routed for filtering and possible routing (if the packet passes the filter). Packets that only require bridging within the input VLAN are still handled entirely by hardware and not sent to the CPU.
• If the VLAN map does not fit in the hardware, all packets on that VLAN must be both filtered and forwarded by software.
Any problem in fitting the configuration into hardware is logged, but it is possible that not everyone who configures the switch can see the log messages as they occur. You can use the show fm privileged EXEC commands to determine if any interface configuration or VLAN configuration did not fit into hardware.
Beginning in privileged EXEC mode, follow these steps to see if a configuration fits into hardware:

        Command                           Purpose
Step 1  show fm vlan vlan-id              Display feature manager information for the interface or the VLAN.
        or                                Determine what label was used in the hardware for the interface or
        show fm interface interface-id    VLAN configuration.
Step 2  show fm label name                Display which of the configured ACL features fit into hardware.

This example shows how to display detailed feature manager information on a specified interface:
Switch# show fm interface gigabitethernet0/12
Input Label: 0 (default)
Output Label: 0 (default)
Priority: normal