33-24
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Configuring PACLs
The following example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all
TCP traffic and implicitly deny all other IP traffic:
Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# end
The following example shows how to configure the Extended Named MAC ACL simple-mac-acl to permit
traffic from source host 000.000.011 to any destination host (all other traffic is implicitly denied):
Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 000.000.011 any
Switch(config-ext-macl)# end
Using PACL with Access-Group Mode
You can use the access-group mode to change the way PACLs interact with other ACLs. For example, suppose
a Layer 2 interface belongs to VLAN100, VACL (VLAN filter) V1 is applied on VLAN100, and PACL
P1 is applied on the Layer 2 interface. In this situation, you must specify how P1 and V1 affect the
traffic on the Layer 2 interface in VLAN100. The access-group mode command specifies, per interface,
which of the behaviors defined below applies.
The following modes are defined:
- prefer port mode: If a PACL is configured on the Layer 2 interface, the PACL takes effect and
overrides the other ACLs (Router ACL and VACL) for that interface. If no PACL is configured on
the Layer 2 interface, the other ACL features applicable to the interface are merged and applied on the
interface. This is the default access-group mode.
- prefer vlan mode: VLAN-based ACL features (VACL and Router ACL) take effect on the port when they
apply to it, and a PACL on the port is then not in effect. If no VLAN-based ACL features are applicable to
the Layer 2 interface, the PACL already on the interface is applied.
- merge mode: Merges all applicable ACL features (PACL, VACL, Router ACL) before they are programmed
into the hardware, so traffic is subject to all of them.
Note: Because output PACLs are mutually exclusive with VACLs and Router ACLs, the access-group mode does
not change the behavior of output traffic filtering.
Configuring Access-group Mode on a Layer 2 Interface
To configure the access-group mode on a Layer 2 interface, perform this task:
Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command: Switch(config)# interface interface-id
Purpose: Enters interface configuration mode for the Layer 2 interface.
Step 3
Command: Switch(config-if)# [no] access-group mode {prefer {port | vlan} | merge}
Purpose: Sets the access-group mode on the Layer 2 interface (prefer port is the default). The no form
removes the configured mode and returns the interface to the default.
Step 4
Command: Switch(config-if)# end
Purpose: Returns to privileged EXEC mode.
Step 5
Command: Switch# show running-config
Purpose: Displays the configuration, including the access-group mode, so you can verify it.
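The VLAN100 / V1 / P1 scenario described above, carried through to a complete configuration, as an added example that is not part of the original guide. The interface name FastEthernet 5/1, the 10.1.100.0/24 subnet and the contents of P1 and V1 are assumptions chosen for illustration; the commands are the ones this procedure and the VACL configuration use.

```ios
! Added example, not from the original guide. FastEthernet 5/1, the
! 10.1.100.0/24 subnet and the ACL contents are assumptions for illustration.
!
! PACL P1: IP ACL to be applied on the port. Permits TCP only; everything
! else is dropped by the implicit deny at the end of the list.
ip access-list extended P1
 permit tcp any any
!
! VACL V1: applied to VLAN 100. Forwards only traffic to or from
! 10.1.100.0/24; packets that match no clause are dropped.
ip access-list extended VACL-SUBNET
 permit ip 10.1.100.0 0.0.0.255 any
 permit ip any 10.1.100.0 0.0.0.255
vlan access-map V1 10
 match ip address VACL-SUBNET
 action forward
vlan filter V1 vlan-list 100
!
! Layer 2 port in VLAN 100 with P1 as its PACL. In the default mode
! (prefer port) P1 alone governs ingress on this port and V1 is not
! applied to it, even though the port is in VLAN 100.
interface FastEthernet 5/1
 switchport
 switchport mode access
 switchport access vlan 100
 ip access-group P1 in
!
! Let the VLAN-based ACL win instead: V1 filters this port and P1 is only
! applied if no VLAN-based ACL is in effect for VLAN 100.
interface FastEthernet 5/1
 access-group mode prefer vlan
!
! Alternatively, have both P1 and V1 filter ingress on the port:
! interface FastEthernet 5/1
!  access-group mode merge
!
! Return to the default (prefer port):
! interface FastEthernet 5/1
!  no access-group mode
```

Check the result with Switch# show running-config interface FastEthernet 5/1 after the mode is set. The practical point is the default: with prefer port, attaching a PACL to a port silently takes that port out from under the VACL configured for its VLAN, so a VLAN-wide filter is only guaranteed to cover every port if each port that carries a PACL is set to prefer vlan or merge.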