PACL Configuration Guidelines; Configuring IP and MAC ACLs on a Layer 2 Interface - Cisco 4500M Software Manual

Chapter 35
Configuring Network Security with ACLs

PACL Configuration Guidelines

Consider the following guidelines when configuring PACLs:

- There can be at most one IP access list and one MAC access list applied to the same Layer 2 interface per direction.
- The IP access list filters only IP packets, whereas the MAC access list filters only non-IP packets.
- The number of ACLs and ACEs that can be configured as part of a PACL is bounded by the hardware resources on the switch. Those hardware resources are shared by the various ACL features (for example, RACL and VACL) configured on the system. If there are insufficient hardware resources to program a PACL in hardware, the actions for input and output PACLs differ:
  - For input PACLs, some packets are sent to the CPU for software forwarding.
  - For output PACLs, the PACL is disabled on the port.
- These restrictions pertain to output PACLs only:
  - If there are insufficient hardware resources to program the PACL, the output PACL is not applied to the port, and you receive a warning message.
  - If an output PACL is configured on a Layer 2 port, then neither a VACL nor a Router ACL can be configured on the VLANs to which the Layer 2 port belongs.
  - If any VACL or Router ACL is configured on the VLANs to which the Layer 2 port belongs, the output PACL cannot be configured on the Layer 2 port. That is, PACLs and VLAN-based ACLs (VACL and Router ACL) are mutually exclusive on Layer 2 ports.
- The logging option is supported for input IP ACLs; logging is not supported for output IP ACLs or for MAC ACLs.
- The access group mode can change the way PACLs interact with other ACLs. To maintain consistent behavior across Cisco platforms, use the default access group mode.

Configuring IP and MAC ACLs on a Layer 2 Interface

Only IP or MAC ACLs can be applied to Layer 2 physical interfaces. Standard (numbered or named) and Extended (numbered or named) IP ACLs, and Extended Named MAC ACLs, are supported.

To apply IP or MAC ACLs on a Layer 2 interface, perform this task:

Step 1
Command: Switch# configure t
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# interface interface
Purpose: Enters interface configuration mode.

Step 3
Command: Switch(config-if)# [no] {ip | mac} access-group {name | number} {in | out}
Purpose: Applies a numbered or named ACL to the Layer 2 interface. The no prefix deletes the IP or MAC ACL from the Layer 2 interface.

Step 4
Command: Switch(config)# show running-config
Purpose: Displays the access list configuration.

Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
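The task above carried through end to end, as an added example that is not from the Cisco guide: one extended IP ACL and one extended MAC ACL are defined and both applied inbound on a single Layer 2 port, which is the one IP list plus one MAC list per direction that the guidelines allow. The ACL names, port, and addresses are assumptions.

```cisco
! Constructed example: ACL names, interface and addresses are assumptions,
! not values from the guide.
Switch# configure t
! IP ACL: filters IP packets only. The log keyword is used here because
! logging is supported for input IP ACLs (not for output IP or MAC ACLs).
Switch(config)# ip access-list extended PACL-IP-IN
Switch(config-ext-nacl)# permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 22
Switch(config-ext-nacl)# deny ip any any log
Switch(config-ext-nacl)# exit
! MAC ACL: filters non-IP packets only, so it does not overlap the IP ACL.
! Source is given as address plus mask (all-zero mask = exact match).
Switch(config)# mac access-list extended PACL-MAC-IN
Switch(config-ext-macl)# deny 0000.1111.2222 0000.0000.0000 any
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
! Steps 2 and 3 of the task: apply both lists inbound on the port.
! Only one ip access-group and one mac access-group are applied in this
! direction, matching the one-IP-plus-one-MAC-per-direction limit.
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# ip access-group PACL-IP-IN in
Switch(config-if)# mac access-group PACL-MAC-IN in
Switch(config-if)# end
! Step 4: verify what was applied to the port.
Switch# show running-config
! The no form removes a list from the port; the ACL definition itself stays.
Switch# configure t
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# no mac access-group PACL-MAC-IN in
Switch(config-if)# end
```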