Cisco IOS Software Release 12.0(13)S7
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2008 Cisco Systems, Inc. All rights reserved.
Access Control List Enhancements on the
Cisco 12000 Series Router
Part Number OL-15425-01, May 30, 2008
The Cisco 12000 series router filters IP packets using access control lists (ACLs) as a fundamental
security feature. This document describes the following ACL enhancements for IPv4 traffic. These
enhancements optimize the use of ACLs to control packet transmission and restrict network use by
certain users or devices:
• Named ACLs—Allow you to identify ACLs for IPv4 traffic with a name and a number, and provide the following benefits:
  – Support access list entry (ACE) sequence numbering, which allows you to apply sequence numbers to permit or deny statements and to reorder, add, or remove these statements in a named IP access list. This feature eases your revisions to IP access lists. Before this feature, you could only add permit or deny ACEs at the end of an access list; adding an ACE anywhere other than at the end required you to reconfigure the entire access list.
  – Avoid the limitation on the maximum number of supported ACLs that exists for numbered ACLs.
• Time-based access control entries (ACEs)—Allow you to control the time during which IPv4 packets are permitted or denied access from specific network resources.
• Time-to-Live (TTL) access control entries—ACEs that specify a TTL value allow you to mitigate Denial of Service (DoS) attacks on the router from a variety of spoofed packets by permitting or denying IPv4 packets based on the TTL value in the packet header.
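A constructed configuration that exercises the three enhancements listed above (an added example, not taken from the Cisco document). The ACL name EDGE-IN, the time-range name BUSINESS-HOURS, the addresses and the interface POS1/0 are assumptions; check the release notes for the exact keywords available in a given release.

```cisco
! Constructed example, not from the Cisco document. Names, addresses and
! the interface are assumptions.
!
! Time range referenced by the time-based ACE below.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
!
! Named extended ACL; every ACE carries an explicit sequence number.
ip access-list extended EDGE-IN
 ! TTL ACE: drop packets that would expire at this router instead of
 ! letting them trigger ICMP Time Exceeded generation on the RP.
 10 deny   ip any any ttl lt 2
 20 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 22
 ! Time-based ACE: web access to this host only during BUSINESS-HOURS.
 30 permit tcp any host 198.51.100.20 eq www time-range BUSINESS-HOURS
 40 deny   ip any any log
!
! Revision: insert an ACE between 10 and 20 and remove ACE 30 without
! re-entering the whole list (the benefit of sequence numbering).
ip access-list extended EDGE-IN
 15 deny   tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 22
 no 30
!
! Renumber the remaining ACEs 10, 20, 30, ... after the edits
! (assumption: the resequence command is available in this release).
ip access-list resequence EDGE-IN 10 10
!
! Apply inbound on an interface of a distributed-switch-engine line card.
interface POS1/0
 ip access-group EDGE-IN in
```

After the revision, `show ip access-lists EDGE-IN` shows the inserted entry in sequence order, which is the quickest way to confirm the ACE landed where intended.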
These ACL enhancements are supported:
• On the interfaces and subinterfaces of line cards with distributed switch engines (IP Services Engine/Engine 3 and Engine 5). Distributed switch engines perform high-speed switching of IP packets for all ports on a line card without using resources from the central switch engine of the route processor (RP).
• As IP receive ACLs to filter IPv4 packets traveling to the RP (only on Engine 3 and Engine 5), as described in
IP Receive ACL.