Using Cisco IOS ACLs in your Network
The hardware support for TCP intercept on a PFC2 is as follows:
1. Once you configure TCP intercept, all TCP SYN packets that match the ACEs with a permit clause in the TCP intercept ACL, and that are also permitted by the security ACL, are sent to the software to apply the TCP intercept functionality. This occurs even if the security ACL does not specify the SYN flag.
2. If a connection is established successfully, the following applies:
   a. If TCP intercept is using intercept mode with timeout, all traffic belonging to the given connection/flow is handled in the software.
   b. For the other TCP intercept modes, once the connection is successfully established, the software installs a hardware shortcut so that the rest of the flow is switched in the hardware.
3. If a connection is not established successfully, no other traffic can belong to that flow.
Policy Routing
Flows that require policy routing are handled in the hardware or in the software, depending on the route map. If the route map contains only a match ip address clause, the set clause specifies a next hop, and that next hop is reachable, the packet is forwarded in the hardware. When a route map contains multiple match clauses, all conditions imposed by those match clauses must be met before a packet is policy routed. However, for route maps that contain both a match ip address clause and a match length clause, all traffic matching the ACL in the match ip address clause is forwarded to the software regardless of the match length criteria. For route maps that contain only match length clauses, all packets received on the interface are forwarded to the software.
Note
The mls ip pbr command is not required (and not supported) on the PFC2 or PFC3A/PFC3B/PFC3BXL.
WCCP
Note
WCCP is not supported with Supervisor Engine 720 or Supervisor Engine 32 in software releases 8.1(x) through 8.4(x).
HTTP requests that are subject to WCCP redirection are handled in the software; the HTTP replies from the server and from the cache engine are handled in the hardware.
NAT
Flows that require NAT are handled in the software without affecting the hardware forwarding of non-NAT flows.
Unicast RPF Check
Unicast RPF is supported in the hardware on the PFC2 and PFC3A/PFC3B/PFC3BXL. For ACL-based RPF checks, traffic that is denied by the unicast RPF ACL is forwarded to the MSFC2 or MSFC3 for RPF validation.
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
15-16
Chapter 15
Configuring Access Control
OL-8978-04
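As an added illustration of the policy routing rules above (this is not code from the Cisco guide), the following Python script parses IOS-style route-map text and reports which sequences the PFC can switch in hardware and which it punts to the software path, where a burst of matching traffic lands on the MSFC CPU. The route-map name, ACL numbers and next-hop addresses are constructed for the example, and an "unknown" result marks clause combinations the guide does not describe.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample IOS route-map text; ACL numbers and next hops are made up.
SAMPLE_CONFIG = """\
route-map PBR-EDGE permit 10
 match ip address 101
 set ip next-hop 10.1.1.2
route-map PBR-EDGE permit 20
 match ip address 102
 match length 0 400
 set ip next-hop 10.1.1.3
route-map PBR-EDGE permit 30
 match length 1200 1500
 set ip next-hop 10.1.1.4
"""

def parse_route_map(config: str) -> List[Dict]:
    """Split IOS route-map text into sequences with their match and set clauses."""
    seqs: List[Dict] = []
    for raw in config.splitlines():
        head = re.match(r"^route-map\s+(\S+)\s+(permit|deny)\s+(\d+)", raw)
        line = raw.strip()
        if head:
            seqs.append({"seq": int(head.group(3)), "match": [], "set": []})
        elif seqs and line.startswith("match "):
            seqs[-1]["match"].append(line[len("match "):])
        elif seqs and line.startswith("set "):
            seqs[-1]["set"].append(line[len("set "):])
    return seqs

def forwarding_path(seq: Dict, next_hop_reachable: bool = True) -> Tuple[str, str]:
    """Apply the guide's PFC2/PFC3 policy routing rules to one route-map sequence."""
    has_addr = any(m.startswith("ip address") for m in seq["match"])
    has_len = any(m.startswith("length") for m in seq["match"])
    has_nh = any(s.startswith("ip next-hop") for s in seq["set"])
    if has_len and not has_addr:
        return "software", "match length only: every packet on the interface is punted"
    if has_len:
        return "software", "match ip address plus match length: all ACL matches are punted"
    if has_addr and has_nh and len(seq["match"]) == 1:
        if next_hop_reachable:
            return "hardware", "match ip address only with a reachable set ip next-hop"
        return "software", "set ip next-hop is not reachable"
    # Anything else is not described in the guide; flag it for manual review.
    return "unknown", "clause combination not covered by the guide"

def audit(config: str, next_hop_reachable: bool = True) -> List[Tuple[int, str, str]]:
    """Return (sequence, path, reason) for every sequence in the route map."""
    return [(s["seq"], *forwarding_path(s, next_hop_reachable)) for s in parse_route_map(config)]
```

Running audit(SAMPLE_CONFIG) reports sequence 10 as hardware-switched and sequences 20 and 30 as software-switched, so only sequence 10 keeps policy-routed traffic off the MSFC.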