Cisco Systems 4500 Manual

A SERVICE OF

next previous

47-39

Software Configuration Guide—Release 15.0(2)SG

OL-23818-01

Chapter 47 Configuring Network Security with ACLs

Configuring PACLs

Using PACL with Access-Group Mode

You can use the access group mode to change the way PACLs interact with other ACLs. For example, if

a Layer 2 interface belongs to VLAN100, VACL (VLAN filter) V1 is applied on VLAN100, and PACL

P1 is applied on the Layer 2 interface. In this situation, you must specify how P1 and V1 impact the

traffic with the Layer 2 interface on VLAN100. In a per-interface method, you can use the access-group

mode command to specify one of the following desired modes:

• prefer port mode—If PACL is configured on a Layer 2 interface, then PACL takes effect and

overwrites the effect of other ACLs (Router ACL and VACL). If no PACL feature is configured on

the Layer 2 interface, other features applicable to the interface are merged and applied on the

interface. it is the default access group mode.

• prefer VLAN mode—VLAN-based ACL features take effect on the port if they have been applied on

the port and no PACLs are in effect. If no VLAN-based ACL features are applicable to the Layer 2

interface, then the PACL feature already on the interface is applied.

• merge mode—Merges applicable ACL features before they are programmed into the hardware.

Note Output PACLs are mutually exclusive with VACL and Router ACLs on Supervisor Engine II+. Access

group mode does not change the behavior of output traffic filtering.

Configuring Access-group Mode on Layer 2 Interface

To configure an access mode on a Layer 2 interface, perform this task:

This example shows how to merge and apply features other than PACL on the interface:

Switch# configure terminal

Switch(config)# interface fast 6/1

Switch(config-if)# access-group mode prefer port

This example shows how to merge applicable ACL features before they are programmed into hardware:

Switch# configure terminal

Switch(config)# interface fast 6/1

Switch(config-if)# access-group mode merge

Command Purpose

Step 1

Switch# configure terminal

Enters global configuration mode.

Step 2

Switch(config)# interface interface

Enters interface configuration mode.

Step 3

Switch(config-if)# [no] access-group mode

{prefer {port | vlan} | merge}

Applies numbered or named ACL to the Layer 2 interface.

The no form deletes the IP or MAC ACL from the Layer 2

interface.

Step 4

Switch(config)# show running-config

Displays the access list configuration.