Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 47 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
Note: The eq operator can be used an unlimited number of times because eq does not use a Layer 4 operation in hardware.
• Layer 4 operations are considered different if the same operator/operand couple applies once to a
source port and once to a destination port, as in the following example:
... Src gt 10....
... Dst gt 10
A more detailed example follows:
access-list 101
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
access-list 102
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
Access lists 101 and 102 use the following Layer 4 operations:
• Access list 101 Layer 4 operations: 5
  – gt 10 permit and gt 10 deny both use the same operation because they are identical and both operate on the destination port.
• Access list 102 Layer 4 operations: 4
• Total Layer 4 operations: 8 (due to sharing between the two access lists)
  – neq 6 permit is shared between the two ACLs because they are identical and both operate on the same destination port.
• A description of the Layer 4 operations usage is as follows:
  – Layer 4 operation 1 stores gt 10 permit and gt 10 deny from ACL 101
  – Layer 4 operation 2 stores lt 9 deny from ACL 101
  – Layer 4 operation 3 stores gt 11 deny from ACL 101
  – Layer 4 operation 4 stores neq 6 permit from ACL 101 and 102
  – Layer 4 operation 5 stores neq 6 deny from ACL 101
  – Layer 4 operation 6 stores gt 20 deny from ACL 102
  – Layer 4 operation 7 stores lt 9 deny from ACL 102
  – Layer 4 operation 8 stores range 11 13 deny from ACL 102
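The counting rule above, as an added example that is not part of the original guide: a Python sketch that reads the two access lists in this page's abbreviated notation (constructed input, not real IOS syntax) and counts distinct Layer 4 operations. It treats source and destination ports separately, shares identical operations across ACLs, and skips eq. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the page's two access lists in its abbreviated notation.
SAMPLE = """\
access-list 101
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 permit
... (src port) neq 6 deny
... (dst port) gt 10 deny
access-list 102
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 deny
... (dst port) neq 6 permit
"""

ENTRY = re.compile(r"\((src|dst) port\)\s+(eq|neq|gt|lt|range)\s+(\d+)"
                   r"(?:\s+(\d+))?\s+(permit|deny)")

def l4_operations(text):
    """Map each distinct (port side, operator, operands) to the ACLs using it."""
    users, acl = defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access-list"):
            acl = line.split()[1]
            continue
        m = ENTRY.search(line)
        if not m or acl is None:
            continue
        side, op, first, second, _action = m.groups()
        if op == "eq":
            continue  # eq does not use a Layer 4 operation in hardware
        if (op == "range") != (second is not None):
            raise ValueError(f"bad operand count: {line!r}")
        operands = (int(first),) if second is None else (int(first), int(second))
        # permit/deny is ignored: gt 10 permit and gt 10 deny share one operation
        users[(side, op, operands)].add(acl)
    return users

def summarize(text):
    """Return (operations per ACL, total distinct operations, shared ones)."""
    users = l4_operations(text)
    per_acl = defaultdict(int)
    for acls in users.values():
        for acl in acls:
            per_acl[acl] += 1
    shared = sorted(key for key, acls in users.items() if len(acls) > 1)
    return dict(per_acl), len(users), shared
```

Running `summarize(SAMPLE)` reproduces the page's figures: 5 operations for ACL 101, 4 for ACL 102, and 8 in total because the destination-port neq 6 operation is shared.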
How ACL Processing Impacts CPU
ACL processing can impact the CPU in two ways: