PACL Configuration Guidelines - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 15
Configuring Access Control
OL-8978-04

The PACLs have three modes of operation that are configurable on a per-port basis:
• Port-based—The PACL overrides the existing VACL and Cisco IOS ACL. With this mode, the features such as context-based access control (CBAC) and network address translation (NAT) are not functional on the physical port.
• VLAN-based—The VACL and the Cisco IOS ACL override the PACL.
• Merge—With this mode, the ingress PACL, VACL, and Cisco IOS ACL are merged together following the logical serial model in Figure 15-9.

A PACL can be configured on a trunking port except when the port is in merge mode. This restriction occurs because the trunking ports can have multiple VLANs with each VLAN having its own ACL. It would be incorrect to apply a VACL that is meant for VLAN x to a packet that is tagged with VLAN y. Because the PFC3A cannot perform a lookup based on a port-VLAN pair, you cannot map a PACL to a port in merge mode.

Note: The CLI syntax for creating a PACL is identical to that of a VACL. An instance of an ACL that is mapped to a port is called a PACL. An instance of an ACL that is mapped to a VLAN is called a VACL. The same ACL can be mapped to both a port and a VLAN. Like the VACLs, the PACLs are supported for all protocol types.

PACL Configuration Guidelines

These sections describe the guidelines for configuring the PACLs:
• PACL Interaction with VACLs and Cisco IOS ACLs, page 15-70
• EtherChannel and PACL Interactions, page 15-70
• Dynamic ACLs (Applies to Merge-Mode Only), page 15-70
• Trunking Mode (Applies to Merge-Mode Only), page 15-70
• Auxiliary VLANs (Applies to Merge-Mode Only), page 15-71
• Private VLANs (Applies to Merge-Mode Only), page 15-71
• Port-VLAN Association Changes (Applies to Merge-Mode Only), page 15-71
• Online Insertion and Removal, page 15-72
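
As an added example (not from the Cisco guide), this Python audit applies the three PACL mode rules and the merge-mode trunking restriction to a constructed port inventory and reports which configured controls end up ineffective. The `Port` fields, port labels and ACL names are hypothetical; the ACL order in merge mode and the result when the winning side has no ACL mapped are assumptions, because Figure 15-9 is not reproduced on this page.

```python
from dataclasses import dataclass
from typing import List, Optional

MODES = ("port-based", "vlan-based", "merge")

@dataclass
class Port:                         # hypothetical record, not a Cisco data model
    name: str                       # constructed mod/port label
    mode: str                       # one of MODES
    pacl: str                       # ACL instance mapped to the port
    vacl: Optional[str] = None      # ACL instance mapped to the port's VLAN
    ios_acl: Optional[str] = None   # Cisco IOS ACL on the same path
    trunking: bool = False
    uses_cbac_or_nat: bool = False  # feature expected to work on this port

def effective_acls(p: Port) -> List[str]:
    """ACLs that filter ingress traffic on the port under its mode."""
    if p.mode not in MODES:
        raise ValueError(f"{p.name}: unknown PACL mode {p.mode!r}")
    vlan_side = [a for a in (p.vacl, p.ios_acl) if a]
    if p.mode == "port-based":
        return [p.pacl]             # PACL overrides VACL and Cisco IOS ACL
    if p.mode == "vlan-based":
        return vlan_side            # assumption: holds even if this is empty
    return [p.pacl] + vlan_side     # merge: all apply (listed order assumed)

def audit(p: Port) -> List[str]:
    """Findings where the mode makes a configured control ineffective."""
    acls = effective_acls(p)
    findings = []
    if p.mode == "merge" and p.trunking:
        findings.append("invalid: PACL on a trunking port in merge mode")
    for acl in (p.pacl, p.vacl, p.ios_acl):
        if acl and acl not in acls:
            findings.append(f"overridden: {acl} does not filter this port")
    if p.mode == "port-based" and p.uses_cbac_or_nat:
        findings.append("broken: CBAC/NAT not functional in port-based mode")
    return findings

# Constructed inventory, not taken from a real switch.
PORTS = [
    Port("3/1", "port-based", "pacl_users", vacl="vacl_v10", uses_cbac_or_nat=True),
    Port("3/2", "vlan-based", "pacl_users", vacl="vacl_v10", ios_acl="ios_101"),
    Port("3/3", "merge", "pacl_uplink", vacl="vacl_v20", trunking=True),
    Port("3/4", "merge", "pacl_users", vacl="vacl_v10"),
]
if __name__ == "__main__":
    for port in PORTS:
        print(port.name, port.mode, effective_acls(port), audit(port))
```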
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring Port-Based ACLs
