hit counter script

Unsupported Features; Creating Standard And Extended Ip Acls - Cisco WS-C3550-12G Software Configuration Manual

Multilayer switch
Hide thumbs Also See for WS-C3550-12G:
Table of Contents

Advertisement

Configuring Router ACLs
These factors can cause packets to be sent to the CPU:
If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively
affected.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does
not account for packets that are access controlled in hardware. Use the show access-lists hardware
counters privileged EXEC command to obtain some basic hardware ACL statistics for switched and
routed packets.
Router ACLs function as follows:

Unsupported Features

The Catalyst 3550 switch does not support these IOS router ACL-related features:

Creating Standard and Extended IP ACLs

This section summarizes how to create router IP ACLs. An ACL is a sequential collection of permit and
deny conditions. The switch tests packets against the conditions in an access list one by one. The first
match determines whether the switch accepts or rejects the packet. Because the switch stops testing
conditions after the first match, the order of the conditions is critical. If no conditions match, the switch
denies the packet.
Catalyst 3550 Multilayer Switch Software Configuration Guide
19-6
Using the log keyword
Enabling ICMP unreachables
Hardware reaching its capacity to store ACL configurations
The hardware controls permit and deny actions of standard and extended ACLs (input and output)
for security access control.
If log has not been specified, the flows that match a deny statement in a security ACL are dropped
by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched
in hardware.
Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the
CPU only for logging. If the ACE is a permit statement, the packet is still switched and routed
in hardware.
Non-IP protocol ACLs (see
Bridge-group ACLs.
IP accounting.
Inbound and outbound rate limiting (except with QoS ACLs).
IP packets with a header length of less than five are not access controlled (results in an ICMP
parameter error).
Reflexive ACLs.
Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering
feature).
Table 19-1 on page
19-7).
Chapter 19
Configuring Network Security with ACLs
78-11194-03

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

Catalyst 3550

Table of Contents