Cisco WS-C6506 Software Manual page 466

Catalyst 6500 series switch
Chapter 15 Configuring Access Control
Configuring Port-Based ACLs

PACL Interaction with VACLs and Cisco IOS ACLs

This section describes the guidelines for the PACL interaction with the VACLs and Cisco IOS ACLs:

- The PACLs override both the VACLs and Cisco IOS ACLs when the port is configured in port-based mode. The one exception to this rule is when the packets are forwarded in software by the MSFC. Those packets get the ingress Cisco IOS ACL applied regardless of the PACL mode. Two examples where packets are forwarded in software are as follows:
  - The packets that are egress bridged (due to logging or features such as NAT)
  - The packets with IP options
  The MSFC reapplies the ingress and egress Cisco IOS ACLs on any packet it sees. The PACL override model for the Layer 3 hardware- and software-forwarded packets is slightly different for Cisco IOS ACLs.
- If a PACL is configured to permit capture and a VACL is configured to deny the same packet, the result of the merge would be a misconfiguration. In this situation, the PACL is placed in the "merge disabled" state.

EtherChannel and PACL Interactions

This section describes the guidelines for the EtherChannel and PACL interactions:

- The ports with different PACL configurations cannot form a port channel; the ports must have the same PACL mode (port-based, VLAN-based, or merge) and the same ACL name to form a port channel.
- If you change one port in an EtherChannel from a port-based ACL to a VLAN-based ACL, all ports in the channel are changed to VLAN-based ACL mode.
- Changing the configuration on one port affects all the ports in the channel. When an ACL is mapped to a port belonging to a channel, it is mapped to all ports in the channel, including the logical port that is associated with the channel. The mapping to all physical ports is retained in the hardware and NVRAM even after the port channel is broken; only the mapping to the logical port is removed.
- If a new PACL is applied to one of the ports in an EtherChannel, all the ports in the channel are configured to use the new ACL map.

Dynamic ACLs (Applies to Merge-Mode Only)

The dynamic ACLs are VLAN based and are used by two features: CBAC and IGMP. The merge mode does not support the merging of the dynamic ACLs with the PACLs. In merge mode, the following configurations are not allowed:

- Attempting to apply a PACL on a port where its corresponding VLAN has a dynamic ACL mapped.
- Attempting to apply a dynamic ACL on a VLAN where one of its constituent ports has a PACL installed. The dynamic ACL will be mapped successfully, but the port in conflict is placed in "merge disable" mode. The port is reactivated after the dynamic ACL is removed.

Trunking Mode (Applies to Merge-Mode Only)

The PACLs in merge mode are incompatible with trunking ports. The trunking mode on a port must be set to off to allow the port to be configured in merge mode. Conversely, a port in merge mode cannot be changed to trunking mode.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
15-70
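As an added example (not Cisco code, and not text from this guide), the following Python encodes the guideline rules above as an offline audit model: which ACLs a packet receives on a port-based-mode port, whether a set of ports is eligible to bundle, how a PACL mapping propagates across a channel, and which merge-mode combinations the guide says will be refused or placed in the merge-disabled state. Port names, VLAN numbers, ACL names and the `Port`/`Switch` classes are constructed for illustration; VLAN-based and merge-mode packet handling are not modelled because the page does not fully specify them.

```python
"""Audit model for the PACL guidelines on this page.

Added example, not Cisco code: it encodes the stated rules so a proposed
configuration can be checked before it is pushed to a switch. Port names
("3/1"), VLAN numbers and ACL names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PACL_MODES = ("port-based", "vlan-based", "merge")


@dataclass
class Port:
    name: str                    # slot/port, constructed, e.g. "3/1"
    vlan: int                    # access VLAN the port belongs to
    pacl_mode: str               # one of PACL_MODES
    pacl: Optional[str] = None   # name of the PACL mapped to the port
    trunking: bool = False


@dataclass
class Switch:
    ports: List[Port]
    # VLANs carrying a dynamic ACL (CBAC or IGMP); dynamic ACLs are VLAN based
    dynamic_acl_vlans: Set[int] = field(default_factory=set)


def acls_applied(port: Port, software_forwarded: bool) -> List[str]:
    """ACL types applied to an ingress packet on a port in port-based mode.

    Page rule: the PACL overrides the VACL and the Cisco IOS ACL, except that
    packets the MSFC forwards in software (egress bridged for logging or NAT,
    packets with IP options) still get the ingress IOS ACL applied.
    Other PACL modes are rejected because the page does not specify them fully.
    """
    if port.pacl_mode != "port-based":
        raise ValueError("only port-based mode is modelled here")
    applied = ["PACL"]
    if software_forwarded:
        applied.append("ingress IOS ACL")
    return applied


def can_form_channel(members: List[Port]) -> bool:
    """Ports may bundle only with identical PACL mode and identical ACL name."""
    return (len({p.pacl_mode for p in members}) == 1
            and len({p.pacl for p in members}) == 1)


def map_pacl_to_channel(members: List[Port], acl_name: str) -> None:
    """Mapping a PACL to one channel member maps it to every member."""
    for p in members:
        p.pacl = acl_name


def set_channel_mode(members: List[Port], mode: str) -> None:
    """Changing one member's PACL mode changes the mode of every member."""
    if mode not in PACL_MODES:
        raise ValueError(f"unknown PACL mode {mode!r}")
    for p in members:
        p.pacl_mode = mode


def merge_mode_conflicts(switch: Switch) -> List[Tuple[str, str]]:
    """(port, reason) for each merge-mode port the page says is refused or
    placed in the merge-disabled state: a PACL on a port whose VLAN has a
    dynamic ACL, or a trunking port in merge mode."""
    problems = []
    for p in switch.ports:
        if p.pacl_mode != "merge":
            continue
        if p.pacl is not None and p.vlan in switch.dynamic_acl_vlans:
            problems.append((p.name, "VLAN has a dynamic ACL: port goes merge-disabled"))
        if p.trunking:
            problems.append((p.name, "trunking port cannot be in merge mode"))
    return problems


def capture_vs_vacl_deny(pacl_permits_capture: bool, vacl_denies: bool) -> str:
    """A PACL 'permit capture' merged with a VACL deny on the same packet is a
    misconfiguration; the page says the PACL is placed in 'merge disabled'."""
    return "merge disabled" if (pacl_permits_capture and vacl_denies) else "ok"


if __name__ == "__main__":
    members = [Port("3/1", 10, "port-based", "acl_servers"),
               Port("3/2", 10, "port-based", "acl_servers")]
    print("channel eligible:", can_form_channel(members))
    print("software-forwarded packet gets:", acls_applied(members[0], True))
    sw = Switch([Port("4/1", 20, "merge", "acl_x"),
                 Port("4/2", 20, "merge", None, True)],
                dynamic_acl_vlans={20})
    for port, why in merge_mode_conflicts(sw):
        print(port, "->", why)
```

Run it as a script to see the constructed scenario; the checks are deliberately kept as pure functions so they can be wired to a real inventory export later.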