Chapter 51
Configuring Network Security with ACLs
Maximum number of Layer 4 operations supported, by feature, direction and IP type:

Feature    Direction  IP type            Layer 4 operations
Security   Input      IPv4               16
Security   Input      IPv6 Compressed    16
Security   Input      IPv6 Uncompressed  7
QoS        Input      IPv4               5
QoS        Input      IPv6 Compressed    12
QoS        Input      IPv6 Uncompressed  8
Security   Output     IPv4               17
Security   Output     IPv6 Compressed    17
Security   Output     IPv6 Uncompressed  8
QoS        Output     IPv4               5
QoS        Output     IPv6 Compressed    12
QoS        Output     IPv6 Uncompressed  8

Where up to 16 operations are supported, the seventeenth will trigger an expansion.
Note
If you exceed the number of available Layer 4 operations, each new operation might cause the affected ACE to be translated into multiple ACEs in the hardware. If this translation fails, packets are sent to the CPU for software processing.
Configuration Guidelines for Layer 4 Operations
When using Layer 4 operators, consider these guidelines:
• Layer 4 operations are considered different if the operator or operand differ. For example, the following ACL contains three different Layer 4 operations because gt 10 and gt 11 are considered two different Layer 4 operations:
... gt 10 permit
... lt 9 deny
... gt 11 deny

Note
The eq operator can be used an unlimited number of times because eq does not use a Layer 4 operation in hardware.

• Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port, as in the following example:
... Src gt 10
... Dst gt 10
A more detailed example follows:
access-list 101
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
access-list 102
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
Access lists 101 and 102 use the following Layer 4 operations:
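The counting rules from the guidelines above can be applied mechanically before an ACL is committed to a switch, so that an ACE expansion (or a fall-through to CPU processing) is caught in review rather than in production. The following script is an added example and is not code from the guide or from Cisco. It parses numbered extended ACEs in standard IOS syntax (any / host / address-plus-wildcard addresses; eq, gt, lt, neq and range port operators), keys each hardware operation by port side, operator and operand(s), treats eq as free, and checks the distinct count against the limits in the table above. Two things it assumes that the page does not state: range counts as a single operation, and the limit is compared against the operations of all listed ACLs counted together, which is how the guide's own combined "101 and 102" example reads. The sample ACEs are a constructed rendering of access lists 101 and 102 from the guide, with constructed addresses.

```python
"""Count the distinct Layer 4 operations a set of extended ACLs consumes.

Added example, not code from the Cisco guide. Counting rules from the guide:
an operation is keyed by (port side, operator, operands), so gt 10 and gt 11
are two operations and src gt 10 / dst gt 10 are two operations; eq never
consumes a Layer 4 operation. Assumptions not stated on the page: range is
one operation, and all ACLs are counted together against the limit.
"""
from dataclasses import dataclass

# Limits reconstructed from the table above, keyed by (feature, direction, IP type).
LAYER4_OP_LIMITS = {
    ("security", "input", "ipv4"): 16,
    ("security", "input", "ipv6-compressed"): 16,
    ("security", "input", "ipv6-uncompressed"): 7,
    ("qos", "input", "ipv4"): 5,
    ("qos", "input", "ipv6-compressed"): 12,
    ("qos", "input", "ipv6-uncompressed"): 8,
    ("security", "output", "ipv4"): 17,
    ("security", "output", "ipv6-compressed"): 17,
    ("security", "output", "ipv6-uncompressed"): 8,
    ("qos", "output", "ipv4"): 5,
    ("qos", "output", "ipv6-compressed"): 12,
    ("qos", "output", "ipv6-uncompressed"): 8,
}

# Port operator -> number of operands it takes.
PORT_OPERATORS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


@dataclass(frozen=True)
class L4Op:
    """One hardware Layer 4 operation; side is 'src' or 'dst'."""
    side: str
    operator: str
    operands: tuple


def _skip_address(tokens, i):
    """Return the index just past the address spec that starts at tokens[i]."""
    if tokens[i] == "any":
        return i + 1
    return i + 2  # 'host A.B.C.D' or 'A.B.C.D WILDCARD'


def _take_port_op(tokens, i):
    """Return ((operator, operands) or None, next index) for tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i]]
        return (tokens[i], tuple(tokens[i + 1:i + 1 + n])), i + 1 + n
    return None, i


def parse_ace(line):
    """Parse one numbered extended ACE; return (acl number, set of L4Op)."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError(f"not a numbered ACE: {line!r}")
    acl = tokens[1]
    if tokens[2] == "remark":
        return acl, set()
    if len(tokens) < 6:
        raise ValueError(f"truncated ACE: {line!r}")
    i = _skip_address(tokens, 4)            # tokens[3] is the protocol
    src_op, i = _take_port_op(tokens, i)
    i = _skip_address(tokens, i)
    dst_op, i = _take_port_op(tokens, i)
    ops = set()
    for side, op in (("src", src_op), ("dst", dst_op)):
        if op is not None and op[0] != "eq":  # eq is free in hardware
            ops.add(L4Op(side, op[0], op[1]))
    return acl, ops


def count_layer4_ops(ace_lines):
    """Distinct operations over all ACEs, plus a per-ACL breakdown."""
    per_acl, total = {}, set()
    for line in ace_lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        acl, ops = parse_ace(line)
        per_acl.setdefault(acl, set()).update(ops)
        total |= ops
    return total, per_acl


def check_limit(ops, feature, direction, ip_type):
    """Return (fits, limit) for the given feature/direction/IP type."""
    limit = LAYER4_OP_LIMITS[(feature, direction, ip_type)]
    return len(ops) <= limit, limit


# Constructed sample: access lists 101 and 102 from the guide, written out as
# numbered extended ACEs (the guide shows them only in shorthand).
SAMPLE_ACES = """
access-list 101 remark constructed sample, not from the guide
access-list 101 permit tcp any any gt 10
access-list 101 deny tcp any any lt 9
access-list 101 deny tcp any any gt 11
access-list 101 permit tcp any any neq 6
access-list 101 deny tcp any neq 6 any
access-list 101 deny tcp any any gt 10
access-list 102 deny tcp any any gt 20
access-list 102 deny tcp host 10.0.0.1 lt 9 10.0.0.0 0.0.0.255
access-list 102 deny tcp any range 11 13 any
access-list 102 permit tcp any any neq 6
access-list 102 permit tcp any any eq 80
access-list 102 permit ip any any
""".splitlines()

if __name__ == "__main__":
    total, per_acl = count_layer4_ops(SAMPLE_ACES)
    for acl, ops in sorted(per_acl.items()):
        print(f"access-list {acl}: {len(ops)} Layer 4 operation(s)")
    print(f"combined: {len(total)} distinct operation(s)")
    for key in (("security", "input", "ipv4"), ("qos", "input", "ipv4")):
        fits, limit = check_limit(total, *key)
        print(f"{'/'.join(key)}: limit {limit} -> {'ok' if fits else 'EXCEEDED'}")
```

On the sample, access list 101 consumes 5 operations (the repeated dst gt 10 is counted once), access list 102 consumes 4 on its own (its src lt 9 is distinct from 101's dst lt 9, and its eq 80 costs nothing), and the two lists together consume 8. That total fits the 16 security operations available on input for IPv4 but would exceed the QoS limit of 5, which is the kind of gap between feature limits that is worth checking before an ACL is attached.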
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Layer 4 Operators in ACLs
51-11