15-10
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Using Cisco IOS ACLs in your Network
Note In the systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be
the same on both MSFCs.
Caution For PFC: By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachables when a
packet is denied by an access group. These access-group denied packets are not dropped in the hardware
but are bridged to the MSFC so that the MSFC can generate the ICMP-unreachable message. To drop
the access-group denied packets in the hardware, you must disable the ICMP unreachables using the no
ip unreachables interface configuration command. The ip unreachables command is enabled by
default.
For PFC2 and PFC3A/PFC3B/PFC3BXL: If the IP unreachables or IP redirect is enabled on an interface,
the deny is performed in the hardware although a small number of packets are sent to the
MSFC2/MSFC3 to generate the appropriate ICMP-unreachable messages.
These sections describe the hardware and software handling of the ACLs with PFC, PFC2, and
PFC3A/PFC3B/PFC3BXL:
• Hardware and Software Handling of Cisco IOS ACLs with PFC, page 15-10
• Hardware and Software Handling of Cisco IOS ACLs with PFC2 and PFC3A/PFC3B/PFC3BXL,
page 15-13
Hardware and Software Handling of Cisco IOS ACLs with PFC
This section describes how Cisco IOS ACLs with the PFC are handled by the hardware and the software.
Note For information on Cisco IOS ACLs with PFC2 and PFC3A/PFC3B/PFC3BXL, see the “Hardware and
Software Handling of Cisco IOS ACLs with PFC2 and PFC3A/PFC3B/PFC3BXL” section on
page 15-13.
ACL feature processing requires forwarding of some flows by the software. The forwarding rate for the
software-forwarded flows is substantially less than for the hardware-forwarded flows. The flows that
require logging, as specified by the ACL, are handled in the software without impacting the non-log flow
forwarding in the hardware.
Note When you enter the show ip access-list command, the match count that is displayed does not account
for the packets that are access controlled in the hardware.
Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in
the hardware; the MSFC has to process the ACL in the software. This process significantly degrades
system performance.
To Next Page
Loading...
Need help?
General