Using Pacl With Access-Group Mode - Cisco Catalyst 4500 Series Configuration Manual
Release ios xe 3.3.0sg and ios 15.1(1)sg
Hide thumbs
Also See for Catalyst 4500 Series:
- Software configuration manual (2086 pages) ,
- Administration manual (1814 pages) ,
- Configuration manual (1254 pages)
Table of Contents
Advertisement
Configuring PACLs
To apply IPv4 or MAC ACLs on a Layer 2 interface, perform this task:
Command
Step 1
Switch# configure terminal
Step 2
Switch(config)# interface interface
Step 3
Switch(config-if)# [no] {ip | mac}
access-group {name | number} {in | out}
Step 4
Switch(config)# show running-config
To apply IPv6 ACLs on a Layer 2 interface, perform this task:
Command
Step 1
Switch# configure terminal
Step 2
Switch(config)# interface interface
Step 3
Switch(config-if)# [no] ipv6 traffic-filter
name {in | out}
Step 4
Switch(config)# show running-config
The following example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all
TCP traffic and implicitly deny all other IP traffic:
Switch(config)# interface Gi3/1
Switch(config-if)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# end
The following example shows how to configure the Extended Named MACL simple-mac-acl to permit
source host 000.000.011 to any destination host:
Switch(config)# interface Gi3/1
Switch(config-if)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 000.000.011 any
Switch(config-ext-macl)# end
Using PACL with Access-Group Mode
You can use the access group mode to change the way PACLs interact with other ACLs. For example, if
a Layer 2 interface belongs to VLAN100, VACL (VLAN filter) V1 is applied on VLAN100, and PACL
P1 is applied on the Layer 2 interface. In this situation, you must specify how P1 and V1 impact the
traffic with the Layer 2 interface on VLAN100. In a per-interface method, you can use the access-group
mode command to specify one of the following desired modes:
•
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
51-30
prefer port mode
If PACL is configured on a Layer 2 interface, then PACL takes effect and
—
overwrites the effect of other ACLs (Router ACL and VACL). If no PACL feature is configured on
the Layer 2 interface, other features applicable to the interface are merged and applied on the
interface. it is the default access group mode.
Chapter 51
Purpose
Enters global configuration mode.
Enters interface configuration mode.
Applies numbered or named ACL to the Layer 2 interface.
The no form deletes the IP or MAC ACL from the Layer 2
interface.
Displays the access list configuration.
Purpose
Enters global configuration mode.
Enters interface configuration mode.
Applied the specified IPv6 ACL to the Layer 2 interface. The
no form deletes the IPv6 ACL from the Layer 2 interface.
Displays the access list configuration.
Configuring Network Security with ACLs
OL-25340-01
- Quick Links:
- Resetting a Switch to Factory Default...
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
