Cisco Catalyst X4232 Installation And Configuration Note page 65

Layer 3 services module

If the ACL is applied on an interface in the outbound direction, the switch router performs one of the
following operations:
- If a standard ACL is applied, the switch router compares the source IP address with the ACL.
- If an extended ACL is applied, the switch router compares the 5 tuple against the ACL.

If the comparison succeeds, the switch router will transmit the packet out of the interface. If the
comparison fails, the packet will be dropped.

Note: An ICMP Host Unreachable message is not sent by the Catalyst 4000 Layer 3 Services
module when a packet is discarded due to a deny ACL.

IPX ACLs

The following styles of ACLs for IPX are supported:
- Standard IPX ACLs
- Named IPX ACLs

To control access to IPX networks, you must create ACLs. Once you have created the ACLs you can
then apply them to individual interfaces using filters, as described in the "Applying the IPX ACL to an
Interface" section on page 66.

You can create ACLs using numbers or names; names are alphanumeric strings. If you use all numbers
to identify your ACLs, you are limited to 100 ACLs per filter type. If you use alphanumeric names to
identify your ACLs, you can have an unlimited number of ACLs.

Named IPX ACLs allow you to maintain security by using a separate and easily identifiable ACL for
each user or interface. Also, named IPX ACLs restrict traffic based on the source network number. You
can further restrict traffic by specifying a destination address and a source and destination address mask.

Standard IPX ACLs use numbers (from 800 to 899) or alphanumeric strings to identify them.

In the Catalyst 4000 Layer 3 Services module, ACLs are applied to the Gigabit Ethernet interface. Only
generic filters for inbound and outbound packets based on the contents of the IPX network header are
supported.

Note: In the Catalyst 4000 Layer 3 Services module, the processing performance does not
depend on the number of ACEs in the ACL.

User Guidelines

Follow these guidelines when you configure IPX network access control:
- You can program ACL entries into TCAM.
- You do not have to enter a deny everything statement at the end of your ACL; it is implicit.
- You can enter ACL entries in any order without any impact on performance. This is true for all
  TCAM-based support for access lists.
- For every eight TCAM entries, the switch router uses one entry for TCAM management purposes.
- You must have unique ACL names across all protocols.

78-10164-03
Installation and Configuration Note for the Catalyst 4000 Layer 3 Services Module
Configuring Access Control Lists
65
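
The outbound comparison and the implicit deny described above can be modelled offline to review an ACL before it is applied. The following Python sketch is an added example, not code from the Cisco note: the `Packet`/`Ace` model, function names and addresses are constructed for illustration, and it assumes the usual first-match evaluation of Cisco ACLs, under which entry order leaves performance unchanged but still decides which entry a packet hits.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):            # the 5 tuple an extended ACL compares
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Ace(NamedTuple):               # hypothetical ACE model, not IOS syntax
    action: str                      # "permit" or "deny"
    src: str                         # source network (CIDR)
    proto: Optional[str] = None      # None = any protocol
    dst: str = "0.0.0.0/0"           # destination network (CIDR)
    dport: Optional[int] = None      # None = any destination port

def _within(addr_or_net, net):
    return ipaddress.ip_network(addr_or_net).subnet_of(ipaddress.ip_network(net))

def matches(ace, pkt, extended=True):
    if not _within(pkt.src, ace.src):
        return False
    if not extended:                 # standard ACL: source IP address only
        return True
    return (ace.proto in (None, pkt.proto) and _within(pkt.dst, ace.dst)
            and ace.dport in (None, pkt.dport))

def outbound_verdict(acl, pkt, extended=True):
    """Return (action, index); index None means the implicit deny applied."""
    for i, ace in enumerate(acl):    # assumption: first matching entry decides
        if matches(ace, pkt, extended):
            return ace.action, i
    return "deny", None              # implicit deny: silent drop, no ICMP Host Unreachable

def covers(a, b):
    """True if every packet matching b would also match a."""
    return (_within(b.src, a.src) and _within(b.dst, a.dst)
            and a.proto in (None, b.proto) and a.dport in (None, b.dport))

def shadowed(acl):
    """Indexes of entries that can never decide a packet (an earlier one covers them)."""
    return [j for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])]

# Constructed sample data (documentation address ranges), not from the manual.
BLOCK_TELNET = Ace("deny", "10.1.1.0/24", "tcp", "192.0.2.10/32", 23)
ALLOW_TCP = Ace("permit", "10.1.0.0/16", "tcp", "192.0.2.0/24")
TELNET = Packet("tcp", "10.1.1.5", 40000, "192.0.2.10", 23)
```

With the deny entry first, `TELNET` is dropped; with the two entries swapped it is permitted and `shadowed()` reports the deny entry as unreachable.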

This manual is also suitable for: Catalyst 4000, WS-X4232-L3
