Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04, page 23-2
Chapter 23  Configuring Network Security
Hardware and Software ACL Support
With the ip unreachables command enabled (which is the default), a Supervisor Engine 2 drops most of the denied packets in hardware and sends only a small number of packets to the MSFC2 to be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages.
With the ip unreachables command enabled, a Supervisor Engine 1 sends all the denied packets to the MSFC to be dropped, which generates ICMP-unreachable messages. With a Supervisor Engine 1, to drop access list-denied packets in hardware, you must disable ICMP-unreachable messages using the no ip unreachables interface configuration command.
To eliminate the load imposed on the MSFC CPU by the task of dropping denied packets and generating ICMP-unreachable messages, do the following:
  – With Supervisor Engine 1, enter the no ip unreachables interface configuration command.
  – With Supervisor Engine 2, enter the no ip unreachables and the no ip redirects interface configuration commands. (CSCdr33918)
  • ICMP unreachable messages are not sent if a packet is denied by a VACL.
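A defender-side check for the procedure above, written for this page and not taken from the Cisco guide: the script parses an IOS-style running-config (the configuration text below is constructed) and reports interfaces that apply an IP ACL but still lack the no ip unreachables (and, for Supervisor Engine 2, no ip redirects) commands, so that denied packets keep being punted to the MSFC.

```python
"""Audit an IOS-style config for interfaces that apply an IP ACL but still
rely on the MSFC to drop denied packets. Added example; the configuration
below is constructed for illustration, not taken from the guide."""

SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
 no ip unreachables
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces


def audit(config, supervisor=1):
    """Map interface name -> missing commands for interfaces with an ACL.
    Supervisor Engine 1 needs 'no ip unreachables'; Supervisor Engine 2
    also needs 'no ip redirects' to avoid the MSFC punt path."""
    required = {"no ip unreachables"}
    if supervisor == 2:
        required.add("no ip redirects")
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("ip access-group ") for c in cmds):
            continue  # no ACL on this interface, nothing is punted for it
        missing = sorted(required - set(cmds))
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for sup in (1, 2):
        print(f"Supervisor Engine {sup}: {audit(SAMPLE_CONFIG, sup)}")
```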
Hardware and Software ACL Support
Access control lists (ACLs) can be processed in hardware by the Policy Feature Card (PFC or PFC2) or the Distributed Forwarding Card (DFC), or in software by the Multilayer Switch Feature Card (MSFC or MSFC2). The following behavior describes software and hardware handling of ACLs:
  • ACL flows that match a “deny” statement in standard and extended ACLs (input and output) are dropped in hardware if “ip unreachables” is disabled.
  • ACL flows that match a “permit” statement in standard and extended ACLs (input and output) are processed in hardware.
  • VLAN ACL (VACL) flows are processed in hardware. If a field specified in a VACL is not supported by hardware processing, that field is ignored (for example, the log keyword in an ACL) or the whole configuration is rejected (for example, a VACL containing unsupported IPX ACL parameters).
  • VACL logging is processed in software.
  • Dynamic ACL flows are processed in hardware; however, the idle timeout is processed in software.
  • IP accounting for an ACL access violation on a given port is supported by forwarding all denied packets for that port to the MSFC for software processing without impacting other flows.
  • Extended name-based MAC address ACLs are supported in hardware.
  • The following ACL types are processed in software:
    – Standard XNS access list
    – Extended XNS access list
    – DECnet access list
    – Internetwork Packet Exchange (IPX) access lists
    – Extended MAC address access list
    – Protocol type-code access list
Note: IP packets with a header length of less than five will not be access controlled.