16-11
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 16 Configuring Access Control
Using Cisco IOS ACLs in your Network
• NAT, page 16-12
• Unicast RPF Check, page 16-12
• Bridge-Groups, page 16-12
Security Cisco IOS ACLs
With a PFC, IP and IPX security Cisco IOS ACLs behave as follows:
• Flows that match a “deny” statement in a security ACL are dropped in the hardware if “ip unreachables” is disabled on the interface (when ICMP unreachables are enabled, denied packets must go to the software so the ICMP message can be generated). Flows that match a “permit” statement are switched in the hardware.
• Permit and deny actions of standard and extended ACLs (input and output) used for security access control are handled in the hardware.
• IP accounting of ACL access violations on a given interface is supported by forwarding all denied packets for that interface to the software, without affecting other flows.
• Dynamic (lock and key) ACL flows are supported in the hardware; however, the idle timeout is not supported.
• IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, and/or destination node. If the ACL contains any other parameters, it is handled in the software.
• IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, destination node, and/or protocol type.
• ACL flows that require logging are handled in the software, without affecting the hardware forwarding of flows that are not logged.
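The following configuration illustrates the hardware/software split described above. It is an example added to this section, not configuration from the original guide; the ACL name, VLAN number, and addresses are placeholders. Only the “deny ... log” entry and any packets that would need an ICMP unreachable are punted to the software; with “no ip unreachables” on the interface, the plain denies stay in the hardware.

```cisco
! Example only (not from the guide). Names and addresses are placeholders.
! Extended ACL for the protected server subnet 192.0.2.0/24.
ip access-list extended PFC-INBOUND
 ! Permitted flows are switched entirely in the PFC hardware.
 permit tcp any 192.0.2.0 0.0.0.255 eq www
 permit tcp any 192.0.2.0 0.0.0.255 eq 443
 ! The "log" keyword forces matching flows to the software; keep such
 ! entries narrow so a flood of denied telnet does not load the MSFC.
 deny   tcp any 192.0.2.0 0.0.0.255 eq telnet log
 ! Unlogged deny: dropped in hardware as long as ip unreachables is off.
 deny   ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group PFC-INBOUND in
 ! Disable ICMP unreachables so denied packets are dropped in hardware
 ! rather than sent to the software to generate the ICMP message.
 no ip unreachables
```

To confirm the behavior, compare the ACE hit counters from “show ip access-lists PFC-INBOUND” with the interface and CPU counters on the MSFC: if denied, unlogged traffic is still driving software load, check that “ip unreachables” is really disabled on the interface.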
Reflexive ACLs
Up to 512 simultaneous reflexive sessions are supported in the hardware. Note that when reflexive
ACLs are applied, the flow mask is changed to VLAN-full flow.
TCP Intercept
The TCP intercept feature is implemented in software and protects TCP servers from TCP SYN-flooding attacks, a type of denial-of-service attack. It does so by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets sent from clients to servers that match an extended access list. The software completes the connection with the client on behalf of the destination server and, if that succeeds, establishes a connection with the server on behalf of the client and transparently binds the two half-connections together. Because the server-side connection is opened only after the client has completed its handshake, connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets for the duration of the connection.
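The following configuration shows the pieces the description above relies on: an extended access list that selects the protected servers, and the global commands that enable intercept mode for flows matching it. This is an example added here, not configuration from the original guide; the access-list number, server subnet, and threshold values are placeholders, and the threshold commands are standard Cisco IOS TCP intercept commands that this page does not itself describe.

```cisco
! Example only (not from the guide). Numbers and addresses are placeholders.
! Extended ACL selecting which client-to-server TCP flows are intercepted.
! Only flows matching a permit entry are proxied; everything else passes untouched.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
!
! Enable TCP intercept for flows matching ACL 101 (software feature on the MSFC).
ip tcp intercept list 101
!
! "intercept" mode answers the client SYN on the server's behalf and opens the
! server side only after the client handshake completes; "watch" mode would
! instead passively observe half-open connections and reset stale ones.
ip tcp intercept mode intercept
!
! Optional aggressive-mode thresholds (standard IOS commands, not covered on
! this page): above the high watermark of half-open connections the software
! starts dropping the oldest half-open entries until the low watermark is reached.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept drop-mode oldest
```

“show tcp intercept connections” lists the current half-open (incomplete) and established intercepted connections, and “show tcp intercept statistics” shows how many connections were intercepted and how many were dropped, which is the quickest way to verify that the access list is matching the intended server traffic.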