Cisco Systems WSC4500X24XIPB Switch User Manual


Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Configuring PACLs
PACL Configuration Guidelines
Consider the following guidelines when configuring PACLs:

- At most one IP access list and one MAC access list can be applied to the same Layer 2 interface per direction.
- The IP access list filters only IP packets; the MAC access list filters only non-IP packets. A MAC ACL therefore cannot be used to block IP traffic, and an IP ACL never sees ARP or other non-IP frames.
- The number of ACLs and ACEs that can be configured as part of a PACL is bounded by the hardware resources on the switch. Those resources are shared by the other ACL features configured on the system (for example, RACLs and VACLs). If there are insufficient hardware resources to program a PACL in hardware, the result differs by direction:
  - For input PACLs, some packets are sent to the CPU for software forwarding, which costs CPU cycles and throughput.
  - For output PACLs, the PACL is disabled on the port.
- These restrictions pertain to output PACLs only:
  - If there are insufficient hardware resources to program the PACL, the output PACL is not applied to the port, and you receive a warning message.
  - If an output PACL is configured on a Layer 2 port, neither a VACL nor a router ACL can be configured on the VLANs to which that port belongs. Conversely, if any VACL or router ACL is configured on those VLANs, an output PACL cannot be configured on the port. That is, output PACLs and VLAN-based ACLs (VACLs and router ACLs) are mutually exclusive on Layer 2 ports.
- Logging is supported for input IP ACLs only; it is not supported for output IP ACLs or for MAC ACLs.
- The access group mode can change the way PACLs interact with other ACLs. To maintain consistent behavior across Cisco platforms, use the default access group mode.
Configuring IP and MAC ACLs on a Layer 2 Interface
Only IP and MAC ACLs can be applied to Layer 2 physical interfaces. Standard and extended IP ACLs (numbered or named) and extended named MAC ACLs are supported.
To apply IP or MAC ACLs on a Layer 2 interface, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# interface interface
Purpose: Enters interface configuration mode.

Step 3
Command: Switch(config-if)# [no] {ip | mac} access-group {name | number} {in | out}
Purpose: Applies the numbered or named ACL to the Layer 2 interface in the given direction. The no form removes the IP or MAC ACL from the Layer 2 interface.

Step 4
Command: Switch# show running-config
Purpose: Displays the access list configuration.
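The following session puts the guidelines and the four-step task together on one access port. It is an added example, not a configuration taken from this guide or from Cisco; the interface (GigabitEthernet 1/1), VLAN, ACL names, IP addresses and MAC address are illustrative assumptions, and the MAC ACL entries use the source-MAC/wildcard-mask form (all-zero mask = exact match) as assumed for this release.

```ios
! Added example, not from the configuration guide. Interface, VLAN, ACL
! names, addresses and MAC address are assumptions.
Switch# configure terminal
!
! One extended named IP ACL. This ACL will be applied with "in", the only
! direction in which IP ACL logging is supported. Logged packets are
! processed by the CPU, so keep the log keyword on the deny tail only.
Switch(config)# ip access-list extended PACL-IN-IP
Switch(config-ext-nacl)# permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq 443
Switch(config-ext-nacl)# permit udp 10.1.10.0 0.0.0.255 host 10.1.20.10 eq 53
Switch(config-ext-nacl)# deny ip any any log
Switch(config-ext-nacl)# exit
!
! One extended named MAC ACL. It sees only non-IP frames (ARP and the like),
! so its final deny does not block IP traffic; that is done by PACL-IN-IP.
Switch(config)# mac access-list extended PACL-IN-MAC
Switch(config-ext-macl)# permit 0000.1111.2222 0000.0000.0000 any
Switch(config-ext-macl)# deny any any
Switch(config-ext-macl)# exit
!
! Apply both inbound on the Layer 2 port: one IP ACL and one MAC ACL per
! direction is the maximum. No output PACL is used here, so VACLs or router
! ACLs on VLAN 10 do not conflict with this configuration.
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip access-group PACL-IN-IP in
Switch(config-if)# mac access-group PACL-IN-MAC in
Switch(config-if)# end
!
! Verify what was programmed and watch the ACE hit counters.
Switch# show running-config interface gigabitethernet 1/1
Switch# show ip access-lists PACL-IN-IP
!
! Removal uses the no form of the same access-group commands.
Switch# configure terminal
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# no mac access-group PACL-IN-MAC in
Switch(config-if)# no ip access-group PACL-IN-IP in
Switch(config-if)# end
```

If this port later needed an output PACL, check first that no VACL or router ACL is configured on VLAN 10, and after applying it look for the hardware-resource warning described in the guidelines: an output PACL that failed to program silently provides no filtering on that port.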