Chapter 23
Configuring Network Security
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E, 78-14064-04

• Flows that require logging are processed in software without impacting nonlogged flow processing in hardware.
• The forwarding rate for software-processed flows is substantially less than for hardware-processed flows.
• When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.

Guidelines and Restrictions for Using Layer 4 Operators in ACLs
These sections describe guidelines and restrictions when configuring ACLs that include Layer 4 port operations:
• Determining Layer 4 Operation Usage, page 23-3
• Determining Logical Operation Unit Usage, page 23-4

Determining Layer 4 Operation Usage
You can specify these types of operations:
• gt (greater than)
• lt (less than)
• neq (not equal)
• eq (equal)
• range (inclusive range)

We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.

Use the following two guidelines to determine Layer 4 operation usage:
• Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are three different Layer 4 operations ("gt 10" and "gt 11" are considered two different Layer 4 operations):
    ... gt 10 permit
    ... lt 9 deny
    ... gt 11 deny
  Note: There is no limit to the use of "eq" operators as the "eq" operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the "Determining Logical Operation Unit Usage" section on page 23-4 for a description of LOUs.
• Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port.
    ... Src gt 10 ...
    ... Dst gt 10
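The two counting guidelines above can be applied mechanically when auditing an ACL before deployment. The following is an added example, not code from the Cisco guide: the function names and the sample ACL are constructed, and it assumes ACEs of the form permit|deny tcp|udp source [operator port] destination [operator port] with numeric ports.

```python
# Added example (not from the Cisco guide); SAMPLE_ACL below is constructed.
OPERAND_COUNT = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}
RECOMMENDED_MAX = 9  # the guide's recommended ceiling per ACL

def _skip_address(tokens, i):
    """Index just past an address: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    return i + 1 if tokens[i] == "any" else i + 2

def _port_operation(tokens, i, side):
    """Parse an optional port operation at tokens[i]; return (operation, next index)."""
    if i < len(tokens) and tokens[i] in OPERAND_COUNT:
        end = i + 1 + OPERAND_COUNT[tokens[i]]
        return (side, tokens[i], tuple(tokens[i + 1:end])), end
    return None, i

def layer4_operations(acl_lines):
    """Set of distinct (side, operator, operands) tuples, leaving out 'eq'."""
    found = set()
    for line in acl_lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop "access-list <number>"
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] not in ("tcp", "udp"):
            continue  # assumption: only named tcp/udp ACEs carry port operators
        i = _skip_address(tokens, 2)
        src, i = _port_operation(tokens, i, "src")
        if i >= len(tokens):
            continue  # no destination: not a complete ACE
        dst, _ = _port_operation(tokens, _skip_address(tokens, i), "dst")
        # "eq" uses no LOU or Layer 4 operation bit, so it is not counted.
        found.update(op for op in (src, dst) if op and op[1] != "eq")
    return found

def exceeds_recommendation(acl_lines):
    """True when the ACL uses more than nine different Layer 4 operations."""
    return len(layer4_operations(acl_lines)) > RECOMMENDED_MAX

SAMPLE_ACL = [  # constructed sample, not from the guide
    "access-list 101 permit tcp any gt 10 any",
    "access-list 101 deny tcp any lt 9 any",
    "access-list 101 deny tcp any gt 11 any",
    "access-list 101 permit tcp any any gt 10",
    "access-list 101 permit tcp any any eq 80",
    "access-list 101 permit udp host 10.0.0.1 range 100 200 any",
]
```

For the constructed sample, layer4_operations(SAMPLE_ACL) yields five operations: "gt 10" is counted once for the source port and once for the destination port, and the "eq 80" entry is not counted.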