Access Control Lists, Packet Statistics and PXF Counters – Cisco 10008 User Manual


26

Cisco 10008 Router Performance Routing Engine 3 Installation

OL-8544-01

Analyzing and Troubleshooting Packets

Access Control Lists

The Cisco 10008 router provides traffic filtering capabilities using Access Control Lists (ACLs). Access
lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's
interfaces. Using ACLs, you can do such things as restrict the contents of routing updates, provide traffic
flow control, and provide security for your network.

The Cisco 10008 router supports the following ACL types and features:

Standard and extended ACLs

Named and numbered ACLs

Per-user ACLs

Time-based ACLs

The access-list command is used to configure an ACL. For example, the following configuration creates
ACL 108:

access-list 108 permit udp any host 10.68.1.10 range 0 5000 log

access-list 108 permit udp host 10.1.1.10 range 0 5000 any log

After you create an ACL, you apply it to an interface using the ip access-group command. The router
executes the ACL from top to bottom, denying or permitting packets as directed by the access-list entries
(ACEs); the first ACE that matches a packet decides its fate. When the log keyword is specified in an ACE,
the router sends packet information to the console.

The last line of an ACL is an implicit deny statement that appears to the router as:

deny any any

This statement causes the router to deny any packets remaining after processing the ACEs of the access
list. The implicit deny statement does not include the log keyword; therefore, the router does not send
packet information to the console for those packets denied by the implicit deny statement.

For example, the router processes the following ACL from top to bottom:

access-list 108 permit udp any host 10.68.1.10 range 0 5000 log

access-list 108 permit udp host 10.1.1.10 range 0 5000 any log

Statement 1—Allows any UDP packet to access host 10.68.1.10 if the UDP destination port of the
packet is between 0 and 5000. The router logs packet information to the console if a match is made.

Statement 2—Permits any UDP packet from host 10.1.1.10 to any destination if the UDP source port of
the packet is between 0 and 5000. The router logs packet information to the console if a match is made.

Implicit Deny—Denies all remaining packets and does not log the packet information to the console.
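As an added worked example (not part of the Cisco manual), the following Python evaluator applies the two ACEs of ACL 108 above with the same top-to-bottom, first-match semantics, including the implicit deny that carries no log keyword. The parser, packet dictionaries and sample packets are constructed for illustration and cover only the udp/host/any/range/log subset shown on this page.

```python
# Added example, not Cisco code: first-match evaluation of ACL 108 as the text describes it.
import re

ACL_108 = """
access-list 108 permit udp any host 10.68.1.10 range 0 5000 log
access-list 108 permit udp host 10.1.1.10 range 0 5000 any log
"""

# Supported subset: access-list <n> <permit|deny> udp <src> [range lo hi] <dst> [range lo hi] [log]
ADDR = r"(any|host \S+)"
PORT = r"(?: range (\d+) (\d+))?"
ACE_RE = re.compile(rf"access-list (\d+) (permit|deny) udp {ADDR}{PORT} {ADDR}{PORT}( log)?$")

def parse_acl(text):
    """Parse ACEs in the order written; order matters because the router stops at the first match."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        _num, action, src, slo, shi, dst, dlo, dhi, log = m.groups()
        aces.append({"action": action, "proto": "udp",
                     "src": src, "sport": (int(slo), int(shi)) if slo else None,
                     "dst": dst, "dport": (int(dlo), int(dhi)) if dlo else None,
                     "log": bool(log)})
    return aces

def _addr_match(spec, addr):
    return spec == "any" or spec == f"host {addr}"

def _port_match(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(aces, pkt):
    """Return (action, matched_ace_index, logged); index None means the implicit deny fired."""
    for i, ace in enumerate(aces):
        if pkt["proto"] != ace["proto"]:
            continue
        if (_addr_match(ace["src"], pkt["src"]) and _port_match(ace["sport"], pkt["sport"])
                and _addr_match(ace["dst"], pkt["dst"]) and _port_match(ace["dport"], pkt["dport"])):
            return ace["action"], i, ace["log"]
    return "deny", None, False  # implicit "deny any any": never logged

# Constructed sample packets (hypothetical addresses), one per outcome in the walkthrough above
PACKETS = [
    {"proto": "udp", "src": "192.0.2.5", "sport": 40000, "dst": "10.68.1.10", "dport": 53},  # statement 1
    {"proto": "udp", "src": "10.1.1.10", "sport": 4000, "dst": "192.0.2.9", "dport": 9999},  # statement 2
    {"proto": "udp", "src": "10.1.1.10", "sport": 6000, "dst": "192.0.2.9", "dport": 53},    # implicit deny
]
```

Running `evaluate(parse_acl(ACL_108), pkt)` over PACKETS yields permit (logged) for the first two and a silent deny for the third, whose source port 6000 is outside the range of statement 2.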

Packet Statistics and PXF Counters

The Cisco 10008 router PRE3 provides high performance Layer 3 processing using its PXF engine and
Route Processor (RP). As the PXF engine processes packets, counters such as the following reflect the
internal operation of the PRE3:

IP Forwarding Counter, page 27

ICMP Created Counters, page 27

Feedback Counter, page 27
