Note ● For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information.
The PACL feature uses standard or extended IP ACLs or named MAC-extended ACLs that you want to apply to the port.
Port ACLs perform access control on all traffic entering the specified Layer 2 port.
PACLs and VACLs can provide access control based on the Layer 3 addresses (for IP protocols) or Layer 2 MAC addresses (for non-IP protocols).
The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software).
When you create a port ACL, an entry is created in the ACL TCAM. You can use the show tcam counts command to see how much TCAM space is available.
The PACL feature does not affect Layer 2 control packets received on the port.
You can use the access-group mode command to change the way that PACLs interact with other ACLs.
PACLs use the following modes:
You configure the access-group mode command on each interface. The default is merge mode.
Note A PACL can be configured on a trunk port only after prefer port mode has been selected. Trunk ports do not support merge mode.
To illustrate access group mode, assume a physical port belongs to VLAN100, and the following ACLs are configured:
In this situation, the following ACL interactions occur:
Note The CLI syntax for creating a PACL is identical to the syntax for creating a Cisco IOS ACL. An instance of an ACL that is mapped to a Layer 2 port is called a PACL. An instance of an ACL that is mapped to a Layer 3 interface is called a Cisco IOS ACL. The same ACL can be mapped to both a Layer 2 port and a Layer 3 interface.
The PACL feature supports MAC ACLs, IPv4, and IPv6 ACLs. The PACL feature does not support ACLs for ARP or Multiprotocol Label Switching (MPLS) traffic.
This section describes the guidelines for the EtherChannel and PACL interactions:
Dynamic ACLs are VLAN-based and are used by two features: CBAC and GWIP. The merge mode does not support the merging of the dynamic ACLs with the PACLs. In merge mode, the following configurations are not allowed:
To configure a PACL on a trunk port, you must first configure prefer port mode. The configuration commands to apply a PACL on a trunk or dynamic port are not available until you configure the port in prefer port mode by entering the access-group mode prefer port interface command. Trunk ports do not support merge mode.
If you reconfigure a port from Layer 2 to Layer 3, any PACL configured on the port becomes inactive but remains in the configuration. If you subsequently configure the port as Layer 2, any PACL configured on the port becomes active again.
You can enter port configuration commands that alter the port-VLAN association, which triggers an ACL remerge.
Unmapping and then mapping a PACL, VACL, or Cisco IOS ACL automatically triggers a remerge.
In merge mode, online insertion or removal of a switching module also triggers a remerge, if ports on the module have PACLs configured.
This section describes the guidelines for the PACL interaction with the VACLs and Cisco IOS ACLs.
For an incoming packet on a physical port, the PACL is applied first. If the packet is permitted by the PACL, the VACL on the ingress VLAN is applied next. If the packet is Layer 3 forwarded and is permitted by the VACL, it is filtered by the Cisco IOS ACL on the same VLAN. The same process happens in reverse in the egress direction. However, there is currently no hardware support for output PACLs.
The PACLs override both the VACLs and Cisco IOS ACLs when the port is configured in prefer port mode. The one exception to this rule is when the packets are forwarded in the software by the route processor (RP). The RP applies the ingress Cisco IOS ACL regardless of the PACL mode. Two examples where the packets are forwarded in the software are as follows:
Figure 73-1 shows a PACL and a VACL applied to bridged packets. In merge mode, the ACLs are applied in the following order:
Figure 73-1 Applying ACLs on Bridged Packets
In prefer port mode, only the PACL is applied to the ingress packets (the input VACL is not applied).
Figure 73-2 shows how ACLs are applied on routed and Layer 3-switched packets. In merge mode, the ACLs are applied in the following order:
In prefer port mode, only the PACL is applied to the ingress packets (the input VACL and Cisco IOS ACL are not applied).
Figure 73-2 Applying ACLs on Routed Packets
Figure 73-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:
1. Packets that need multicast expansion:
2. Packets after multicast expansion:
3. Packets originating from router:
In prefer port mode, only the PACL is applied to the ingress packets (the input VACL and Cisco IOS ACL are not applied).
Figure 73-3 Applying ACLs on Multicast Packets
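The ingress evaluation order described above (PACL, then VACL, then Cisco IOS ACL in merge mode; PACL only in prefer port mode, except that the RP still applies the ingress Cisco IOS ACL to packets it forwards in software), modelled in Python as an added illustration. This is not Cisco code; the ACL rule format, the host addresses and every ACL name other than simple-ip-acl are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    routed: bool = False       # Layer 3 forwarded; False means bridged within the VLAN
    rp_software: bool = False  # forwarded in software by the route processor (RP)
@dataclass
class Acl:
    name: str
    rules: list = field(default_factory=list)  # (action, src, dst, proto); "any" wildcards
    def permits(self, pkt):
        for action, src, dst, proto in self.rules:
            if src in ("any", pkt.src) and dst in ("any", pkt.dst) and proto in ("any", pkt.proto):
                return action == "permit"
        return False  # every ACL ends with an implicit deny
def ingress_order(mode, pkt, pacl, vacl, ios_acl):
    """ACLs applied to an ingress packet, in order, for the port's access-group mode."""
    if mode == "merge":
        return [pacl, vacl] + ([ios_acl] if pkt.routed else [])
    if mode == "prefer port":
        # Only the PACL is applied in hardware; the RP still applies the ingress IOS ACL
        # to packets it forwards in software, whatever the PACL mode.
        return [pacl] + ([ios_acl] if pkt.rp_software else [])
    raise ValueError("unknown access-group mode: " + mode)
def ingress_decision(mode, pkt, pacl, vacl, ios_acl):
    """Sequential evaluation: the first ACL that does not permit the packet drops it."""
    for acl in ingress_order(mode, pkt, pacl, vacl, ios_acl):
        if not acl.permits(pkt):
            return ("deny", acl.name)
    return ("permit", None)

# Constructed sample policy: the PACL permits all TCP, the VACL blocks one source host and
# the Cisco IOS ACL blocks one routed destination. All names except simple-ip-acl are made up.
SIMPLE_IP_ACL = Acl("simple-ip-acl", [("permit", "any", "any", "tcp")])
VACL = Acl("vlan100-vacl", [("deny", "10.0.0.5", "any", "any"), ("permit", "any", "any", "any")])
IOS_ACL = Acl("vlan100-ios-acl", [("deny", "any", "10.0.1.9", "any"), ("permit", "any", "any", "any")])

def demo():
    """Run the constructed cases; returns {case: (verdict, name of the denying ACL or None)}."""
    cases = {
        "merge/bridged": ("merge", Packet("10.0.0.5", "10.0.0.7", "tcp")),
        "prefer/bridged": ("prefer port", Packet("10.0.0.5", "10.0.0.7", "tcp")),
        "merge/routed": ("merge", Packet("10.0.0.8", "10.0.1.9", "tcp", routed=True)),
        "prefer/routed": ("prefer port", Packet("10.0.0.8", "10.0.1.9", "tcp", routed=True)),
        "prefer/rp": ("prefer port", Packet("10.0.0.8", "10.0.1.9", "tcp", True, True)),
    }
    return {k: ingress_decision(m, p, SIMPLE_IP_ACL, VACL, IOS_ACL) for k, (m, p) in cases.items()}
```

The prefer/bridged and prefer/routed cases show the point to verify before switching a port to prefer port mode: a VACL or Cisco IOS ACL deny that applied in merge mode no longer applies to that port's hardware-switched ingress traffic.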
IP and MAC ACLs can be applied to Layer 2 physical interfaces. Standard (numbered, named) and Extended (numbered, named) IP ACLs, and Extended Named MAC ACLs are supported.
To apply IP or MAC ACLs on a Layer 2 interface, perform this task:
This example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all TCP traffic and implicitly deny all other IP traffic:
This example shows how to configure the Extended Named MAC ACL simple-mac-acl to permit source host 000.000.011 to any destination host:
To configure the access mode on a Layer 2 interface, perform this task:
This example shows how to configure an interface to use prefer port mode:
This example shows how to configure an interface to use merge mode:
To apply IP and MAC ACLs to a Layer 2 interface, perform one of these tasks:
This example applies the extended named IP ACL simple-ip-acl to interface GigabitEthernet 6/1 ingress traffic:
This example applies the extended named MAC ACL simple-mac-acl to interface GigabitEthernet 6/1 ingress traffic:
To apply IP and MAC ACLs to a port channel logical interface, perform this task:
This example applies the extended named IP ACL simple-ip-acl to port channel 3 ingress traffic:
To display information about an ACL configuration on Layer 2 interfaces, perform one of these tasks:
This example shows that the IP access group simple-ip-acl is configured on the inbound direction of interface fa6/1:
This example shows that MAC access group simple-mac-acl is configured on the inbound direction of interface Gigabit Ethernet 6/1:
This example shows that access group merge is configured on interface Gigabit Ethernet 6/1: