Cisco Catalyst 4000 Layer 3 Services Module (WS-X4232-L3) Installation and Configuration Note: Configuring Access Control Lists; Understanding ACLs

It is important to note that the Catalyst 4000 family switch does not have knowledge of, or control over,
the Catalyst 4000 Layer 3 Services module configuration (just as the Catalyst switch does not have
knowledge of, or control over, external router configurations). Consequently, the autostate feature will
not work on Catalyst 4000 Layer 3 Services module interfaces if the module is not properly configured.
For example, consider the following Catalyst 4000 Layer 3 Services module trunk configuration:

interface GigabitEthernet3.200
 encap dot1Q 200
 .
 .

The Gigabit Ethernet 3.200 interface will not be affected by the autostate feature if any of the following
configuration errors have been made:
• VLAN 200 is not configured on the switch supervisor engine
• Trunking is not configured on the corresponding Gigabit Ethernet switch port
• Trunking is configured, but VLAN 200 is not an allowed VLAN on that trunk

Configuring Access Control Lists

This section describes the access control list (ACL) features supported on the Catalyst 4000 Layer 3
Services module.

Understanding ACLs

You can filter packet flow into or out of the Catalyst 4000 Layer 3 Services module interfaces using
ACLs. ACLs, which are sometimes called filters, allow you to restrict network use by certain users or
devices. An ACL is created for each protocol and is applied to an interface for either inbound or
outbound traffic. ACLs can be configured for all routed network protocols (IP and IPX) to filter packets
of that protocol as they pass through the router. Only one ACL can be applied per direction, per
protocol, per (sub)interface.

When you create an ACL, you define criteria that are applied to each packet processed by the switch
router; the switch router decides whether to forward or block the packet based on whether the packet
matches the criteria in your list. The entries are checked in the order you entered them, and the first
matching entry decides. Packets that match no entry in your list are blocked by the implicit
"deny all traffic" statement at the end of every ACL.

Traffic that is switched on the interface modules does not support ACL logging. ACL logging is supported
only for traffic that goes to the CPU, so the log keyword on an entry produces no messages for
traffic that the interface modules switch.

Note
The enhanced Gigabit Ethernet interface module supports a TCAM of 32K (32-bit) entries.
The combined size of the protocol regions and the access-list region must not exceed the
TCAM space. The default size of the access-list region in a 32K TCAM is 512 (128-bit)
entries. Before you configure the access-list region in the TCAM, make sure that the TCAM
has enough free space to accommodate it. You can change the size of the ACL region with
the SDM commands. If you plan to support larger ACLs, you must reclaim CAM space from
other regions, such as IPX, IP, or bridging.

Keep the following restrictions in mind when you are configuring ACLs on the Catalyst 4000 Layer 3
Services module:

Installation and Configuration Note for the Catalyst 4000 Layer 3 Services Module, 78-10164-03, page 60
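To make the matching rules in "Understanding ACLs" concrete, the following Python script is an added example, not code from this manual or from Cisco. It parses a small constructed IOS-style extended IP ACL, evaluates packets against it in order using wildcard-mask matching, returns the implicit deny for packets that match no entry, and models the one-ACL-per-direction-per-protocol rule of ip access-group. The ACL number, the addresses, the Entry and Interface names, and the assumption that a second binding in the same direction replaces the first are all choices of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input (not from the manual): an IOS-style extended IP ACL
# of the kind the text describes. ACL number 101 and the addresses are made up.
ACL_TEXT = """
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.10 eq 22
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 80
access-list 101 deny icmp any any log
access-list 101 permit udp any host 10.2.0.53 eq 53
"""


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]        # (address, wildcard mask) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]        # destination port from "eq", if any
    log: bool                   # "log" keyword present


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N action proto src dst [eq PORT] [log]' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport, log = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dport, i = int(tok[i + 1]), i + 2
            elif tok[i] == "log":
                log, i = True, i + 1
            else:
                raise ValueError("unsupported keyword in: " + line)
        entries.append(Entry(action, proto, src, dst, dport, log))
    return entries


def _match_addr(spec: Tuple[int, int], addr: int) -> bool:
    """Wildcard-mask semantics: a 1 bit means 'don't care', so only the 0 bits are compared."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries, proto, src, dst, dport=None):
    """Walk the list in order and return (action, index) of the first matching entry.
    A packet that matches nothing hits the implicit 'deny all traffic': ('deny', None)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for n, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match_addr(e.src, s) and _match_addr(e.dst, d)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n
    return "deny", None


class Interface:
    """One ACL per direction per protocol per (sub)interface, as with 'ip access-group'.
    Assumption of this model: binding a second ACL in the same direction replaces the first."""

    def __init__(self, name: str):
        self.name = name
        self.groups = {}  # (protocol, direction) -> ACL number

    def access_group(self, acl_num: int, direction: str, protocol: str = "ip") -> Optional[int]:
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        key = (protocol, direction)
        displaced = self.groups.get(key)
        self.groups[key] = acl_num
        return displaced  # the ACL that was replaced, or None


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for pkt in [("tcp", "10.1.5.5", "10.2.0.10", 22),
                ("icmp", "10.1.5.5", "10.2.0.10", None),
                ("tcp", "10.3.0.1", "10.2.0.10", 22)]:
        print(pkt, "->", evaluate(ACL, *pkt))
```

Run the script directly to see the decision for a few packets. The index returned with the action tells you which line actually matched, which is what you need when auditing an ordering mistake (an early broad permit shadowing a later deny), and a result of ('deny', None) is the implicit deny rather than any line you wrote.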
This manual is also suitable for: Catalyst 4000 WS-X4232-L3